Exchange

Manually Remove Auto-Mapped Exchange Mailboxes

Beginning with Exchange 2010 and continuing in Exchange 2013, users of the Outlook 2007, 2010 and 2013 clients gained a new feature called automapping.

Automapping takes advantage of Exchange auto-discovery services to map mailboxes to which a user has been granted “Full Access” permissions.

This is very helpful to the end user as he or she is no longer required to know or learn how to add additional mailboxes to Outlook.

The not-so-helpful side is when a user's access is removed and a ghosted mailbox folder remains in Outlook that the user is unable to remove. Attempts to close the mailbox result in a message that reads:

This group of folders is associated with an e-mail account. To remove the account, click the File Tab, and on the info tab, click Account Settings, Select the e-mail account, and then click Remove.

Thanks, but this doesn’t work. In fact, even on a clean install of Outlook the user still has the ghost folders associated with their Outlook client.

 

So to tackle this issue, I used ADSIedit.

  1. Open ADSIEdit (WinKey R to open Run and type adsiedit.msc)
  2. Connect to the Default Naming Context. (Click OK)
  3. Locate the mailbox that you once were granted Full Access Permissions and …
  4. Right-click on the object, view properties.
  5. Scroll down to the msExchDelegateListLink attribute.
  6. Click Edit, select the User Object and click Remove your information.

 

Now give the change a little time to replicate through Active Directory; afterwards you will find these folders are gone.
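A scripted form of the ADSI Edit check above, as an added example that is not part of the original post: it lists the mailboxes still auto-mapped to a user and flags those where the Full Access grant is gone. It assumes the ActiveDirectory module and an Exchange Management Shell session; the function name Get-StaleAutoMapping and the account jdoe are hypothetical.

```powershell
# Added example, not the author's code. Get-StaleAutoMapping and 'jdoe' are hypothetical.
Import-Module ActiveDirectory

function Get-StaleAutoMapping {
    param([Parameter(Mandatory=$true)][string]$User)   # sAMAccountName of the delegate

    # msExchDelegateListBL is the back-link on the user object: every mailbox
    # whose msExchDelegateListLink lists this user, i.e. every auto-mapped mailbox.
    $delegate = Get-ADUser -Identity $User -Properties msExchDelegateListBL

    foreach ($mailboxDn in $delegate.msExchDelegateListBL) {
        # Does the user still hold a non-deny FullAccess entry on that mailbox?
        $grant = @(Get-MailboxPermission -Identity $mailboxDn -User $User |
            Where-Object { -not $_.Deny -and ($_.AccessRights -match 'FullAccess') })

        New-Object PSObject -Property @{
            Mailbox       = $mailboxDn
            Delegate      = $delegate.DistinguishedName
            HasFullAccess = ($grant.Count -gt 0)
            StaleAutoMap  = ($grant.Count -eq 0)
        }
    }
}

# Review the report first.
$report = @(Get-StaleAutoMapping -User 'jdoe')
$report | Format-Table Mailbox, HasFullAccess, StaleAutoMap -AutoSize

# Clear only the stale links; -WhatIf shows the change without making it.
$report | Where-Object { $_.StaleAutoMap } | ForEach-Object {
    Set-ADUser -Identity $_.Mailbox -Remove @{ msExchDelegateListLink = $_.Delegate } -WhatIf
}
```

Entries reported with HasFullAccess set are live delegations rather than ghosts, so they are worth reviewing as access grants before anything is removed.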

To prevent this from occurring when adding mailboxes you could always run the following command to disable automapping:

Add-MailboxPermission -Identity user@jermsmit.com -User admin@jermsmit.com -AccessRights FullAccess -AutoMapping:$false

 

Update from the comments 6/5/2017:
To find the mailbox, you actually find the AD user account, under the OU=Domain Name, within ADSIEdit. – Thanks ‘splunch’ for the info.

Installing Cumulative Updates for Exchange Server 2013

Tonight’s “home work” Assignment:
Update the company's Exchange 2013 to Cumulative Update 3

Purpose

  • Address many of the issues that existed in Cumulative Update 2.
  • Bring additional value to the company

Oh and some of the newly introduced features / enhancements should help also:

  • Usability improvements when adding members to distribution groups in the Exchange Administration Console (EAC)
  • Windows Azure AD Rights Management available for use for IRM protection in on-premises Exchange deployments
  • Improved administrator audit logging experience
  • Windows 8.1/IE 11 no longer require the use of OWA Light

To get the Exchange 2013 Cumulative Update 3 just click here

Here are some steps to keep in mind when / if you are performing this update yourself.

Preparation Tasks

As with installing any update, get ready. Read about what you're installing and know why you are installing it.

  • Download the Cumulative Update 3 install – here is a link, hope it still works; if not, just go to the download center and download it to each Exchange server.
  • Back up Active Directory – Exchange CU3 will modify your schema
  • Back up your existing Exchange 2013 server(s)
  • Back up your existing Exchange databases (data/log volumes)
  • Have documented info on anything that you may have customized, such as configurations.
  • If you use 3rd-party add-ons for Exchange (GOD HELP YOU)
  • And if you have no idea what you're doing and are not 100% confident, then you should not proceed further – my advice

Performing the update

Locate your downloaded package containing the Cumulative Update 3 and extract it. Once completed, run Setup.exe.

If your server is connected to the internet you will be asked if you can check for updates. It’s a good idea to do this.

 

When the update check has completed, click Next to continue. The setup will begin to copy files. This will take some time. Once completed, the setup will detect that you are installing an update to Exchange 2013.

You will be presented with the normal license agreement, and as always you will accept it so you can proceed with the install. Once you have done so, the installer will check for the existing and new prerequisites it needs to continue the installation.

After the readiness checks have completed the setup process continues and this my friend will take a very long time. In my case it was about 1 hour and 30 minutes to complete.

 

The setup process saves the Exchange configuration and removes the previous Exchange installation.

It then copies the new installation files to the server, in addition to other files such as languages, etc.

Closer to the end of the update it configures your services again.

And when the setup has completed you are prompted to restart the server if required.  *please* restart your server as you would want to test to ensure all services start up as expected.

Congratulations you have just updated to Exchange 2013 Cumulative Update 3

Post Install Tasks

  • Review windows event logs on your Exchange server(s)
  • Review services
  • Review connectivity to Exchange – Outlook Web Access, Outlook Clients, Mobile Device Connectivity
  • Write up a summary of what you did to share with team members or supervising management types – I included my actual report at the end of this post.

 

My Summary:

I have completed the work on Exchange.
Completion time was 12:30 AM Saturday, January 18, 2014

Tasks Performed before Update Process
• Exchange Server was shut down to adjust memory resources
• Exchange Data & Log Volumes moved to Volume Collection
• Volume Collection of Exchange's Data & Log Volumes was made into a full snapshot as part of a backup / rollback plan
• Exchange Server was also made into a snapshot for backup / rollback plan

Update Process
• After Exchange was restarted, began the verification of files
• Started update process, monitored resources during the upgrade
• Update ran for 2 hours from start to finish.
• Once update was completed, restarted exchange
• Upon resuming, verified services were started automatically and storage volumes were attached
• Inspected event logs for any errors.
• Tested connectivity with OWA, Mobile and Outlook access

 

Error FileAccessDenied (JET_errFileAccessDenied …)

I ran into the following message when running an operation on one of my Exchange databases: Operation terminated with error -1032 (JET_errFileAccessDenied, Cannot access file, the file is locked or in use) after 10.79 seconds.

The operation I was attempting was an integrity check on a database (ESEUTIL /G database_filename.edb). When this failed with the error above, I verified that the database was dismounted and that my antivirus scanner was not locking the file.

It took me a little bit of time but I soon realized that the temp file for the database would be on my system volume, which did not have the space required to run this operation.

That said I ran the command again; this time specifying a location for the temp file. That command looks something like this:

ESEUTIL /G database_filename.edb /TE:\Mailbox\Temp\thisismytempfile.edb

Please note that there is no space used after the command switch /T

For more info on the ESEUTIL: http://support.microsoft.com/kb/192185

Freeware Active Directory, Exchange, Lync provisioning tool

I can’t wait to play with this free software called Z-Hire. Z-Hire is an employee provisioning tool that handles account creation in Active Directory, Exchange and Lync. With just a few simple clicks (one click), accounts for Active Directory, Exchange, and Lync will be created.

Z-Hire doesn’t just assist account administrators with creating new accounts; it also simplifies account closures. Z-Hire can even create accounts in Office 365 and SalesForce. So take a look at it. I am sure you will find it very useful. Best of all, it's free.

Link to help info:

http://www.zohno.com/docs/Z-Hire_V4_Administration_Guide.pdf

http://www.zohno.com/docs/Z-Term_V4_Administration_Guide.pdf

Download Z-Hire from TechNet

 

System Requirements
– Windows 7 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
– Windows Server 2008 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)
– Windows Server 2008 R2 X64 w/ .NET 3.5 and .NET 4.0 (Domain Joined)

Permission Requirements
– Ability to create Active Directory user
– Ability to create Exchange Mailbox
– Ability to create / enable Lync user

Supported Environments
– Active Directory (all versions)
– Exchange 2007 (all versions)
– Exchange 2010 / 2013 (all versions)
– Lync 2010 / 2013 (both Standard and Enterprise versions)
– Office 365 Cloud
– SalesForce CRM Cloud

Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

In my previous post I was banging my head over an Exchange 2013 issue. I was able to finally resolve it. And it took some steps to do so…

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.”

After an Exchange 2013 install I found myself having issues with sending emails between two Exchange Servers, 2010 and 2013. The messages on both servers seemed to be stuck in the mail queue.

Full message reads: 451 4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

This issue existed because the Exchange servers could not authenticate with one another. This type of authentication is required for Exchange to route email internally. The respective servers use the X-EXPS command to authenticate. This error will happen when servers don’t have this method of authentication enabled.

In my case this wasn’t true, however there was another issue preventing the X-EXPS command from being passed and that was our Cisco security appliance/router. In fact the Extended SMTP verbs X-ANONYMOUSTLS, X-EXPS, and GSSAPI must be able to pass. I will get to this a bit later…

In my adventure to troubleshoot this issue the following was done (thank you, Microsoft, for providing details). While useful, these steps did not directly solve the overall issue. The steps are below.

 

Step 1 – Enable Exchange Authentication on Receive Connectors

For Microsoft Exchange Server 2013 remote servers:

  1. Go to the following website to access the Exchange Administration Center (EAC): https://<CAS>/ECP
  2. Sign in to the EAC by using the administrator account.
  3. Click mail flow.
  4. Click receive connectors.
  5. In the Select server box, select the remote Exchange server that the email message should be sent to. Note: To determine the correct Exchange server, review the send protocol logs from the server that the email message is stuck in.
  6. Select the receive connector and then click Edit. Note: Typically, the receive connector is the Default server_name receive connector for the remote Exchange server.
  7. Click security and, under Authentication, make sure that the Exchange Server Authentication check box is selected.

For Microsoft Exchange Server 2007 or 2010 remote servers:

  1. Start Exchange Management Console.
  2. Expand Server Configuration and then click Hub Transport.
  3. Click the Receive Connectors tab.
  4. Locate the receive connector of the remote Exchange server that the e-mail message is being sent to.
  5. Right-click the receive connector and then click Properties.
  6. On the Authentication tab, make sure that the Exchange Server authentication check box is selected.

For Microsoft Exchange Server 2003 remote servers:

  1. Start Exchange System Management.
  2. Expand the Servers container.
  3. Under the problematic remote Exchange server, locate the Protocols container.
  4. Expand the Protocols container, right-click SMTP.
  5. Right-click Default SMTP Virtual Server and then click Properties.
  6. Click the Access tab and then click Authentication.
  7. Make sure that the Integrated Windows Authentication check box is selected.

As I mentioned above this did not resolve my issue as this was already enabled, so I went onto the next step in troubleshooting the problem.

 

Step 2 – Event ID 12014 (MSExchangeTransport)

I had (for some time) many errors in my Application Event Log referencing the ID of 12014, where the TLS Certificate for SMTP was no longer valid. Event message below.

Log Name:      Application
Source:        MSExchangeTransport
Date:          7/3/2013 4:30:06 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange.jermsmit.com

Description:

Microsoft Exchange could not find a certificate that contains the domain name mail.jermsmit.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector To Internet with a FQDN parameter of mail.jermsmit.com. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

To correct this issue I needed to open the Exchange PowerShell on my Exchange 2010 server and enter the following: New-ExchangeCertificate -DomainName mail.jermsmit.com -Services SMTP, followed by a restart of the Transport Services (I did this on both).

I tested out my change and now the event error message is gone however I am still unable to send email between the Exchange Servers.

 

Step 3 – Back to the basics

I later logged into each Exchange host (2010/2013) and used telnet to connect to the respective host's SMTP address. I got a response: 220**************************************************** but this was not the proper response for an Exchange SMTP.

Then it was apparent that a firewall was blocking the communication between one Exchange host and the other. In my case it was a Cisco ASA which has a mailguard feature turned on. The Auth and Auth login commands (Extended Simple Mail Transfer Protocol [ESMTP] commands) are stripped by the firewall.

So the logical thing was to turn it off. This was done by entering the following command:
no fixup protocol smtp 25

Once this command was issued I restarted the transport services on each host and to use an old coined phrase “You Got Mail” I was back in business.
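The telnet check from Step 3 can be scripted. The following is an added example, not part of the original post: it reads the SMTP greeting and EHLO reply from another Exchange host and reports whether the banner is masked or the verbs named earlier are missing. The function names are hypothetical and the sample reply is constructed.

```powershell
# Added example: function names are hypothetical, sample data is constructed.
function Get-SmtpEhloReport {
    param(
        [string]$Banner,
        [string[]]$EhloLines,
        # Verbs the post says must pass between Exchange servers. GSSAPI is
        # typically listed as a mechanism on the X-EXPS line, not as its own verb.
        [string[]]$RequiredVerbs = @('X-ANONYMOUSTLS', 'X-EXPS')
    )
    # A greeting made of asterisks means a device in the path rewrote it.
    $masked = $Banner -match '^220[ -]?\*{5,}'
    # Drop the "250-" / "250 " prefix and keep the first token of each line.
    $verbs = @($EhloLines | Where-Object { $_ -match '^250[ -]' } |
        ForEach-Object { (($_ -replace '^250[ -]', '') -split '\s+')[0].ToUpper() })
    $missing = @($RequiredVerbs | Where-Object { $verbs -notcontains $_ })
    New-Object PSObject -Property @{
        BannerMasked   = $masked
        Advertised     = $verbs
        MissingVerbs   = $missing
        LikelyFiltered = ($masked -or $missing.Count -gt 0)
    }
}

function Test-SmtpInspection {
    param([Parameter(Mandatory=$true)][string]$Server, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        $banner = $reader.ReadLine()
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        # Multi-line replies use "250-" on every line except the last ("250 ").
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        $writer.WriteLine('QUIT')
        Get-SmtpEhloReport -Banner $banner -EhloLines $lines
    }
    finally { $client.Close() }
}

# Constructed sample of a rewritten greeting and EHLO reply (offline check).
$sampleBanner = '220 ****************************************'
$sampleEhlo   = @('250-exchange.example.test Hello [192.0.2.10]',
                  '250-SIZE 10485760', '250-XXXXXXXA', '250 XXXB')
Get-SmtpEhloReport -Banner $sampleBanner -EhloLines $sampleEhlo

# Live check from one Exchange host against the other (placeholder host name):
# Test-SmtpInspection -Server 'exchange2013.example.test'
```

Running it from each Exchange host against the other, before and after a firewall change, shows whether that change is what restored the missing verbs.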

 

Info Resources:

http://support.microsoft.com/kb/979175

http://technet.microsoft.com/en-us/library/bb123786(v=exchg.65).aspx

http://support.microsoft.com/kb/320027

 

not so foreign Exchange 2013

I have been banging my head over issues with the new Exchange 2013. Install seems to go well but doesn’t seem to want to coexist with Exchange 2010. Moments away from calling in a product support case I find Cumulative update 1 for Exchange Server 2013 (KB2816900): http://www.microsoft.com/en-us/download/details.aspx?id=38176

It seems I now need to wait about an hour for this update to complete before I know if this fixes the issue*

* issue I am having is email routing between Exchange 2010 and Exchange 2013

More on this here

 

Internet Explorer 10, Crashing Exchange 2013 Exchange Admin Console

If you are running Exchange 2013 on Windows Server 2012 you will soon notice that Internet Explorer 10 randomly crashes during operations in the new Exchange Admin Console (EAC).

I have found this to be very annoying. However there are options which you could take.

1. You can use Internet Explorer 10 from Windows 8 to access the EAC which works without issues or

2. You can install the following patch to stop the IE10 crashes on Server 2012 when working with Exchange 2013’s EAC: http://download.microsoft.com/download/F/B/2/FB217F16-026B-499F-8F44-7D7ECFAA3B53/Windows8-RT-KB2761465-x64.msu

Here is a direct link to the KB for this patch: http://www.microsoft.com/en-us/download/details.aspx?id=35870

 

Removing an auto-mapped mailbox

In Exchange Server 2010 SP1, a shared mailbox is auto-mapped to every user who is given Full Access rights to it. This is fine for the user who doesn’t know how to add an additional mailbox to their Outlook 2007, 2010 or 2013 client. But what about those support and systems admins who grant themselves access for troubleshooting and find out later they are stuck with a new folder under their Outlook folder list that can’t be removed?

Well, we never say “can’t”. To remove the auto-mapping attribute, reach out to the administrator if you are not one; if you are, open the Exchange Management PowerShell and issue the following command:

Add-MailboxPermission -Identity <shared mailbox alias> -User <your mailbox alias> -AccessRights FullAccess -InheritanceType All -Automapping $false

Once this command is run the additional mailbox will automatically be removed.

Reference: Disable Outlook Auto-Mapping with Full Access

Issue: Outlook Address Book Not Updating

Symptoms:

New users added to Exchange 2010 do not show up in global address book

Tests Performed:

1. Searched for new users from Outlook – This failed
2. Searched for new users from OWA – This works
3. Put Outlook in non-cached mode and searched – this worked

Suspected Problem:

Offline Address Book Generation is not happening – Possible cause, resources (memory) on host server, service failure.

Steps Taken: *note* I have seen this before so I know where I am looking first

1. Stop the Microsoft Exchange File Distribution Service

2. Stop the Microsoft Exchange Address Book

3. Clear the files from ‘C:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB’, putting them into a backup folder of some sort.

4. Restart the services above.

5. To get the OAB to generate immediately, run the following command: Update-OfflineAddressbook "name of offline address book". You may encounter an issue stating that the System Attendant Service is not running or that you do not have permission. 1. Make sure you are running the Exchange Management Shell as Administrator and 2. The System Attendant Service is running. *note* The Service is named “Microsoft Exchange System Attendant”.

6. You will now notice that the GUIDs and files have started to populate under the ExchangeOAB folder.

Follow-up Testing that things now work:

1. Exit Outlook and delete the Offline Address Book cache from ‘C:\Users\%user profile%\AppData\Local\Microsoft\Outlook\Offline Address Books’

2. Open Outlook again; the cache should repopulate at this point.

3. Open a new email message or click the Address Book and search for the person(s) who were not showing previously.

Conclusion:

The Outlook Client failed to download an updated copy of the Offline Address Book because the services have stopped functioning. I was unable to obtain errors in the event logs regarding this, however having experienced this in the past it has become suspect.

– For Darlene

Simple Exchange 2010 Database White Space Report

I was looking at some of my databases on Exchange that seemed to be very large in size, so my first thought was that an offline defrag may be needed, but before I reach that point I wanted to know how much ‘slack’ or white space existed in each of my Exchange databases.

This was done by using the following command syntax in the Exchange Management Shell:

To export this into a CSV format the following can also be done, so that you can give to any management members for review of your findings:
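The commands for this post are not present on this page. As an added example (not the author's original commands), one way to report white space per database and export it to CSV from the Exchange Management Shell; the helper name ConvertTo-Bytes and the output file name are assumptions.

```powershell
# Added example, not the author's commands. Run in the Exchange Management Shell.
function ConvertTo-Bytes {
    param($Size)
    # ByteQuantifiedSize renders as "1.5 GB (1,610,612,736 bytes)". Parsing the
    # string works for live objects and for deserialized remote-session values.
    if ("$Size" -match '\(([\d,]+) bytes\)') {
        return [int64]($Matches[1] -replace ',', '')
    }
    return $null
}

$report = Get-MailboxDatabase -Status | ForEach-Object {
    $dbBytes    = ConvertTo-Bytes $_.DatabaseSize
    $whiteBytes = ConvertTo-Bytes $_.AvailableNewMailboxSpace

    # Guard against dismounted databases, which report no size.
    $pct = 0
    if ($dbBytes) { $pct = [math]::Round(100 * $whiteBytes / $dbBytes, 1) }

    New-Object PSObject -Property @{
        Database      = $_.Name
        Server        = $_.Server
        SizeGB        = [math]::Round($dbBytes / 1GB, 2)
        WhiteSpaceGB  = [math]::Round($whiteBytes / 1GB, 2)
        WhiteSpacePct = $pct
    }
} | Select-Object Database, Server, SizeGB, WhiteSpaceGB, WhiteSpacePct |
    Sort-Object WhiteSpacePct -Descending

# On-screen view, then the CSV to hand to management (file name is a placeholder).
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\ExchangeWhiteSpace.csv -NoTypeInformation
```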

Next, I may find a way to setup this to email a weekly report…