Category Archives: Exchange 2010

Exchange 2010 backend with 2013 frontend proxy something has gone wrong error

At a customer site users were experiencing “:-( Something went wrong” errors in OWA (2013). The RPC endpoint was also broken, blocking a migration to Office 365.

Initial checks showed a few errors on the 2013 frontend server:


[Eas] Marking ClientAccess 2010 server NLEX01.domain.local (https://nlex01.domain.local/Microsoft-Server-ActiveSync) as unhealthy due to exception: System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

[Autodiscover] Marking ClientAccess 2010 server NLEX01.domain.local (https://nlex01.domain.local/Autodiscover) as unhealthy due to exception: System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

[RpcHttp] Marking ClientAccess 2010 server NLEX01.domain.local (https://nlex01.domain.local/rpc/rpcproxy.dll) as unhealthy due to exception: System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

[Owa] Marking ClientAccess 2010 server NLEX01.domain.local (https://nlex01.domain.local/owa) as unhealthy due to exception: System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.HttpProxy.ProtocolPingStrategyBase.Ping(Uri url)

The issue ended up being twofold:

  1. Somehow the SCCM client on the Exchange backend had replaced the local server certificate that IIS uses, and this certificate wasn’t accepted by the frontend server.
  2. For some reason NTLM (Windows) Authentication was switched off on the Virtual Directories on the backend machine.

Quick overview of all unique email domains in use under a certain OU

We wanted an overview of which domains our users were using in a certain country (Netherlands in this case). So here is a simple PowerShell snippet that counts all unique domains it encounters in the ProxyAddresses field of all users under a certain OU.

Note that if you have set contacts / forwarders, some domains that appear may not actually be accepted domains in your Exchange organization.


#Author: Jos Lieben (OGD)
#Date: 13-06-2016
#Script help: www.liebensraum.nl
#Purpose: retrieve all unique domains in use under a specific OU and count them
#Requirements:
#active directory PS module
########

Import-Module ActiveDirectory

#Only request the ProxyAddresses attribute instead of every property of every user
$users = Get-ADUser -Filter * -Properties ProxyAddresses -SearchBase "OU=Netherlands,OU=Countries,DC=lieben,DC=nu" -SearchScope SubTree

#Hashtable of domain => number of addresses found with that domain
$domains = @{}
foreach($user in $users){
    foreach($email in $user.ProxyAddresses){
        #Everything after the @ is the domain; entries without an @ (e.g. X500) yield nothing and are skipped
        $domain = $email.Split("@")[1]
        if($domain){
            $domains[$domain] += 1
        }
    }
}

Write-Output $domains

Exporting shared mailbox permissions to a CSV

A demonstration of one way to get shared mailbox permissions exported to a CSV file. We needed both users, groups and users in groups (so, a recursive search). Only shared mailboxes had to be included; we could identify these by a simple rule:

the first portion of the primary email address does not contain a dot

See lines 126 and 127 for this rule if you need a different method.

This export excludes Deny permissions and looks for users in groups up to 2 levels deep. Credits to Piotrek for his Get-ADNestedGroupMember function.

Script source: Continue reading Exporting shared mailbox permissions to a CSV

Exchange Forwarding Report

This PowerShell snippet will tell you which mailboxes are actively forwarding email, by which method (dual delivery or pure forwarding), to which email address, and whether the corresponding contact still exists and is active.

#Module name: findForwarderDetails
#Author: Jos Lieben (OGD)
#Date: 01-04-2016
#Description: this snippet will discover all active forwarders in your organization, and will print the original mailbox, target contact and target address and forwarding method

$output = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited | Where {$_.ForwardingAddress -ne $Null}

foreach ($mailbox in $mailboxes){

    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty mailboxName($mailbox.DisplayName)
    if($mailbox.DeliverToMailboxAndForward){
        $obj | Add-Member NoteProperty forwardingMode("Dual delivery")
    }else{
        $obj | Add-Member NoteProperty forwardingMode("Forward Only")
    }
    try{
        $contact = Get-MailContact -Identity $mailbox.ForwardingAddress.DistinguishedName -ErrorAction Stop
        $obj | Add-Member NoteProperty forwardingToName($contact.DisplayName)
        $obj | Add-Member NoteProperty forwardingToEmail($contact.ExternalEmailAddress)
    }catch{
        $obj | Add-Member NoteProperty forwardingToName("CONTACT DOES NOT EXIST OR IS DISABLED")
        $obj | Add-Member NoteProperty forwardingToEmail("CONTACT DOES NOT EXIST OR IS DISABLED")
    }
    $output += $obj
}

Write-Output $output
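
A forwarding report is most useful for spotting mail that leaves the organisation. The following is an added example (not the author's script) that takes rows shaped like the report's output and labels each target as internal, external or unresolved by comparing its domain with a list of accepted domains. The function names Get-SmtpDomain and Get-ForwarderVerdict and all sample data are assumptions made for illustration.

```powershell
# Added example. Sample rows are constructed and mimic the report columns above.
function Get-SmtpDomain {
    param([string]$Address)
    # Contact addresses usually carry a type prefix, e.g. "SMTP:user@example.com"
    $parts = ($Address -replace '^[A-Za-z0-9]+:', '').Split('@')
    # Anything that is not exactly local-part@domain is treated as unresolvable
    if ($parts.Length -ne 2 -or -not $parts[1]) { return $null }
    return $parts[1].Trim().ToLowerInvariant()
}

function Get-ForwarderVerdict {
    param($Report, [string[]]$AcceptedDomains)
    $accepted = @($AcceptedDomains | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($row in $Report) {
        $domain = Get-SmtpDomain ([string]$row.forwardingToEmail)
        if (-not $domain) {
            $verdict = 'UNRESOLVED'    # missing/disabled contact or malformed address
        } elseif ($accepted -contains $domain) {
            $verdict = 'INTERNAL'      # exact match on an accepted domain
        } else {
            $verdict = 'EXTERNAL'      # mail leaves the organisation
        }
        New-Object PSObject -Property @{
            mailboxName    = $row.mailboxName
            forwardingMode = $row.forwardingMode
            targetDomain   = $domain
            verdict        = $verdict
        }
    }
}

# Constructed stand-ins: in production pass the $output of the forwarding report
# and the DomainName values returned by Get-AcceptedDomain.
$acceptedDomains = 'example.nl', 'example.com'
$report = @(
    (New-Object PSObject -Property @{ mailboxName = 'Finance Shared'; forwardingMode = 'Forward Only'
        forwardingToEmail = 'SMTP:archive@partner.example.org' }),
    (New-Object PSObject -Property @{ mailboxName = 'Jan Jansen'; forwardingMode = 'Dual delivery'
        forwardingToEmail = 'SMTP:j.jansen@example.nl' }),
    (New-Object PSObject -Property @{ mailboxName = 'Old Project'; forwardingMode = 'Forward Only'
        forwardingToEmail = 'CONTACT DOES NOT EXIST OR IS DISABLED' })
)

# EXTERNAL sorts first, so the rows that deserve review appear at the top
Get-ForwarderVerdict -Report $report -AcceptedDomains $acceptedDomains |
    Sort-Object verdict |
    Format-Table mailboxName, forwardingMode, targetDomain, verdict -AutoSize
```

The comparison is an exact domain match, so a subdomain of an accepted domain is reported as EXTERNAL unless it is listed itself.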

Finding unused accepted domains in Exchange 2013

If, for some reason, you want to see which domains in your Exchange organisation are not being used (not registered in the ProxyAddresses fields of your users), use the snippet below in the Exchange PowerShell Module.

Note: this does NOT (yet) check for domains used in Public Folders or Mail Contacts.


$mailboxes = Get-Mailbox -ResultSize Unlimited
$groups = Get-DistributionGroup -ResultSize Unlimited
$domains = Get-AcceptedDomain
$output = @()

foreach ($domain in $domains){

    #Match the domain literally and only at the end of an address ("@domain"):
    #unescaped dots would match any character, and an unanchored pattern would
    #also match longer domains that merely contain this one
    $pattern = '@' + [regex]::Escape($domain.DomainName.ToString()) + '$'

    $obj = New-Object PSObject
    $obj | Add-Member NoteProperty domainName($domain.DomainName)
    $obj | Add-Member NoteProperty domainType($domain.DomainType)
    #Check mailboxes first, fall back to distribution groups
    $res = $mailboxes | Where-Object {$_.EmailAddresses -match $pattern}
    if(-not $res){
        $res = $groups | Where-Object {$_.EmailAddresses -match $pattern}
    }
    if($res){
        $obj | Add-Member NoteProperty inUse("YES")
    }else{
        $obj | Add-Member NoteProperty inUse("NO")
    }
    $output += $obj
}

Write-Output $output

Automating remote mailbox creation in an Exchange 2010/2013 and Office 365 hybrid setup

In organisations that have moved to Office 365, or are moving to Office 365 while using a hybrid setup with an on-premises Exchange 2010, 2013 or 2016 server and/or Lync/Skype, your helpdesk tools and scripts need to be adjusted.

Previously, you would provision the account in Active Directory, the mailbox on the on-premises Exchange server and VoIP functionality on the Lync/Skype server. After your migration, you no longer need to provision mailboxes or Lync accounts on premises. After a user has been migrated to Office 365, his ‘user type’ on the on-premises Exchange server is ‘Remote Mailbox’. But for new users, this is not set automatically.

If you’re using scripting or tools like ADManager, you can use some simple PowerShell commands to set the correct properties on a newly created user.

Configure and run below script Continue reading Automating remote mailbox creation in an Exchange 2010/2013 and Office 365 hybrid setup

The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘Negotiate,NTLM’. –> The remote server returned an error: (401) Unauthorized

Today, while migrating to Exchange Online from an on-premises Exchange 2010 server, the Exchange console on the on-premises client access machine threw the following error when creating a new Remote MoveRequest:

Deserialization fails due to one SerializationException: System.Runtime.Serialization.SerializationException: Unable to find assembly 'Microsoft.Exchange.MailboxReplicationService.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.
at System.Runtime.Serialization.Formatters.Binary.BinaryAssemblyInfo.GetAssembly()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name)
at System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable)
at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, IMethodCallMessage methodCallMessage)
at Microsoft.Exchange.Data.SerializationTypeConverter.<>c__DisplayClass3.<DeserializeObject>b__0()

Unable to find assembly 'Microsoft.Exchange.MailboxReplicationService.Common, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'.

This didn’t tell me much, and restarting the Microsoft Exchange Replication Service didn’t help. So I tried Powershell (remote session to Exchange Online):

New-MoveRequest -Remote -Identity "xxx@xxx.nl" -TargetDeliveryDomain "xxx.onmicrosoft.com" -RemoteHostName "mail.xxxx.nl" -remotecredential $cred

Another error:

The Mailbox Replication Service was unable to connect to the remote server using the credentials provided. Please
check the credentials and try again. The call to 'https://mail.xxx.nl/EWS/mrsproxy.svc' failed. Error details: The
HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from
the server was 'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.. --> The HTTP request is
unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was
'Negotiate,NTLM'. --> The remote server returned an error: (401) Unauthorized.
+ CategoryInfo : NotSpecified: (:) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : [Server=AMSPR01MB134,RequestId=ac5193f2-0d87-437a-85f1-01da5b8208b6,TimeStamp=25/08/2015
10:16:41] [FailureCategory=Cmdlet-RemotePermanentException] 8C76D656,Microsoft.Exchange.Management.RecipientTasks
.NewMoveRequest
+ PSComputerName : outlook.office365.com

If you run into this issue, there can be two causes:

- your user has email addresses for domains Office 365 does not know
- more likely: the user account you’re using with Get-Credential has the wrong UPN suffix or permission set

Sync disabled users (shared mailboxes) to Office 365 with Azure Active Directory Sync

I often hear customers who run an on-premises Exchange 2010 or 2013 environment in Hybrid mode with Office 365 complain about their Shared Mailboxes not appearing in Office 365 when using AADSync (or AADConnect).

This is important for mail routing if they don’t exist as contacts, or if you are using Exchange Online Protection for these mailboxes.

So, two quick steps to configure AADSync to also sync disabled users to Office 365. Continue reading Sync disabled users (shared mailboxes) to Office 365 with Azure Active Directory Sync