Friday, December 30, 2011

Can't modify message delivery restrictions properties on Exchange 2010 EMC

In my case there was a distribution group with message delivery restrictions defined: the group accepted messages only from the senders listed in its list box. When I tried to modify that list of users, I received the following error message:
"Set-DistributionGroup Failed: Error: Couldn't find object "domain/local/disabled users/user who is no longer in company." 
The disabled user was not shown in the list presented by the Exchange 2010 EMC, so I could not remove it from the console.
This can be resolved with the Exchange 2007 EMC (the disabled user is visible in the list box of the message delivery restrictions dialog) if you are still in the migration period from Exchange 2007, or with the Active Directory Users and Computers console from Windows Server 2008 or ADSIEdit. In the properties of the "problematic" distribution group, on the Attribute Editor tab (ADUC console), the authOrig attribute holds the users that are allowed to send email messages to that group. In the authOrig attribute value you can see and remove the disabled account. After removing the disabled user you can modify the message delivery restrictions properties with the Exchange 2010 EMC again.
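The same authOrig cleanup done from PowerShell with the Active Directory module, as an added example that is not part of the original post; the group name and the stale distinguished name are placeholders for your own values:

```powershell
# Added example (not from the original post): list the authOrig entries of a
# distribution group, flag entries that are disabled or no longer resolve, and
# remove one stale entry. Group name and DN below are placeholders.
Import-Module ActiveDirectory

$groupName = 'Problematic Group'          # placeholder: your distribution group
$group = Get-ADGroup -Identity $groupName -Properties authOrig

# authOrig holds the distinguished names of the senders allowed to mail the group
foreach ($dn in $group.authOrig) {
    try {
        $obj = Get-ADObject -Identity $dn -Properties userAccountControl -ErrorAction Stop
        # bit 0x2 of userAccountControl = ACCOUNTDISABLE (only present on user objects)
        $disabled = ($obj.userAccountControl -band 2) -ne 0
        '{0,-8} {1}' -f $(if ($disabled) { 'DISABLED' } else { 'ok' }), $dn
    } catch {
        '{0,-8} {1}' -f 'MISSING', $dn
    }
}

# Remove the stale entry identified above (placeholder DN), then show what is left
$staleDn = 'CN=Former User,OU=Disabled Users,DC=domain,DC=local'
Set-ADGroup -Identity $groupName -Remove @{ authOrig = $staleDn }
(Get-ADGroup -Identity $groupName -Properties authOrig).authOrig
```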

Thursday, December 29, 2011

How to request SAN certificate using mmc

You can use the Certificates MMC console to request a SAN certificate for your web server (server authentication). After you have added the Certificates snap-in for the local computer store, you can create a custom request:

The Certificate Enrollment wizard will start. On the Before You Begin page click Next; on Select Certificate Enrollment Policy select Custom Request (Proceed without enrollment policy) and click Next.

On the Custom Request page, for Template select (No template) Legacy key:

On Certificate Information click Details and then Properties:

Enter a friendly name for the certificate:

On the Subject tab add the desired common name and the alternative names for the certificate:

Some public CAs require additional information in the certificate request, such as Country:

On the Extensions tab add Server Authentication under application policies:

On the Private Key tab select the key options and key type:

Click OK to go back to the wizard page and click Next to save the request to a file:

After finishing the wizard you will have a certificate request in Base64 format, which you can submit to an external or internal certificate authority. After processing your request, the CA will issue a certificate that you can import into the computer's local store; you then have a valid SAN certificate with its associated private key, ready to assign to your web site.
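The same request (legacy CSP key, Server Authentication EKU, SAN extension) built from a certreq INF file instead of the wizard, as an added example that is not part of the original post; the subject, host names and file paths are placeholders:

```powershell
# Added example (not from the original post): scripted equivalent of the MMC
# custom request. Subject and DNS names are placeholders for your web server.
$inf = @'
[NewRequest]
Subject = "CN=mail.example.com, O=Example Org, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
_continue_ = "dns=mail.example.local"
'@
# KeySpec = 1 with the SChannel CSP is the "(No template) Legacy key" choice;
# Exportable = FALSE keeps the private key on this machine (set TRUE only if the
# certificate must be copied to other servers). MachineKeySet puts it in the
# computer store. OID 1.3.6.1.5.5.7.3.1 is Server Authentication; 2.5.29.17 is
# the Subject Alternative Name extension.

$infPath = Join-Path $env:TEMP 'san-request.inf'
$csrPath = Join-Path $env:TEMP 'san-request.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the private key in the local computer store and writes the Base64 CSR
certreq.exe -new $infPath $csrPath

# Check the request before submitting it: both the SAN names and the EKU must show
certutil.exe -dump $csrPath | Select-String -Pattern 'DNS Name=', 'Server Authentication'

# After the CA returns the issued certificate (placeholder path), bind it to the
# pending key in the computer store:
# certreq.exe -accept (Join-Path $env:TEMP 'issued.cer')
```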

Tuesday, December 27, 2011

How to create an anonymous relay receive connector on Exchange 2010?

My best practice is to create a separate custom receive connector for anonymous relay instead of using the default one, so that you can limit by source IP address who is able to relay emails anonymously. To do so you have to grant anonymous connections the extended right to accept any recipient email address (in this example we have created a new receive connector named "AnoRel"):

Get-ReceiveConnector "AnoRel" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

More on this topic on
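The full connector setup the post describes, with the source IP restriction, the permission grant from the post and a verification step, as an added example that is not part of the original post; the server name and IP addresses are placeholders:

```powershell
# Added example (not from the original post): dedicated anonymous relay
# connector restricted to known source IPs. Server name and IPs are placeholders.
$server    = 'HUB01'                      # Hub Transport server
$connector = 'AnoRel'
$allowed   = @('10.0.0.25', '10.0.0.26')   # only hosts that must relay anonymously

# The Default connector also listens on port 25 for all remote IPs; Exchange
# hands a session to the connector with the most specific RemoteIPRanges match,
# so this one only ever serves the listed hosts.
New-ReceiveConnector -Server $server -Name $connector -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $allowed `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# Grant anonymous senders on this connector the right to submit to any recipient
Get-ReceiveConnector "$server\$connector" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Verify the restriction and the right on the new connector
Get-ReceiveConnector "$server\$connector" |
    Select-Object Name, RemoteIPRanges, PermissionGroups
Get-ADPermission -Identity "$server\$connector" -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'Ms-Exch-SMTP-Accept-Any-Recipient' } |
    Select-Object Identity, User, ExtendedRights

# Audit: any other connector where ANONYMOUS LOGON holds this right (and the
# connector is not limited by RemoteIPRanges) is an open relay
Get-ReceiveConnector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' -and -not $_.Deny } |
    Select-Object Identity
```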

Monday, December 26, 2011

How to remove service pack (SP1) backup files on Windows 7 or Windows Server 2008 R2

If you are running out of space on a (virtual) machine running Windows Server 2008 R2 with SP1 installed, and after some time you decide that everything works fine with the service pack, you can remove the backup files created by the service pack installation. One way to do that is with DISM (note that after this cleanup the service pack can no longer be uninstalled):
DISM.exe /online /Cleanup-Image /spsuperseded
More on SP1 about deployment, removal and uninstall on .

Wednesday, December 21, 2011

How to decompress files that have been compressed by disk cleanup

If you would like to decompress files that were previously compressed by Disk Cleanup, for example because you have replaced (imaged) the old small disk with a bigger one and want better performance, run:

compact /u /s /a /q /i *.*
More on compact command

Tuesday, December 20, 2011

How to find delegated Send As on a user mailbox

If you would like to find delegated Send As permissions on user mailboxes, you can use the following PowerShell command:
Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | Select-Object Identity, User, ExtendedRights, IsInherited | Format-Table -Wrap

For example you can use this command to find BES-enabled users whose mailboxes have Send As delegated to the BES admin user.

Changing logo on OWA Exchange 2010 SP1

If you would like to customize the default OWA logo that you see after logging on to OWA 2010:

you have to replace the default OWA logo in the sprites file. The sprite and CSS files are at the following location: \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\<version>\themes\base\ (csssprites.png and csssprites.css). If you open the sprites file you will see the default logo:

If you open the CSS file, you will see that the logo size should be 144x42 pixels:

.sprites-logoowa-png{background-image:url('csssprites.png');background-position:-62px 0px;width: 144px;height: 42px;}
After inserting the new logo into the sprites file, you will see your new logo after logging on to OWA 2010 (note: be careful when modifying the sprites file and keep a backup of the original).

Receiving warning event 1021 from MSExchangeTransport on Exchange 2010

You may see the following warning message on your Exchange 2010 Hub Transport servers:

Receive connector <receive connector name> rejected an incoming connection from IP address a.b.c.d. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
Receive connectors have a parameter that specifies the maximum number of inbound connections the connector serves at the same time from a single IP address. Before raising it, identify the source IP from the event and confirm it is a legitimate sender, since the limit exists to stop one source from monopolizing the connector. You can change this value with the Set-ReceiveConnector cmdlet (for example, to allow 50 concurrent connections from the same IP address: Set-ReceiveConnector "unique receive connector name" -MaxInboundConnectionPerSource 50). More on set-receiveconnector .
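A triage script that reads the 1021 warnings from the Application log and summarizes which source IPs are hitting the limit on which connector, as an added example that is not part of the original post; it assumes PowerShell 3 or later and event log access to the server named in the placeholder:

```powershell
# Added example (not from the original post): find the source IPs behind event
# 1021 before changing MaxInboundConnectionPerSource. Server name is a placeholder.
$server = 'HUB01'
$events = Get-WinEvent -ComputerName $server -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeTransport'
    Id           = 1021
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Matches the event text quoted in the post
$pattern = 'Receive connector (?<connector>.+?) rejected an incoming connection from IP address (?<ip>[\d\.]+)\. The maximum number of connections per source \((?<limit>\d+)\)'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Connector = $Matches.connector
            SourceIP  = $Matches.ip
            Limit     = [int]$Matches.limit
        }
    }
}

# One row per connector/source pair, busiest first. Decide per IP whether it is
# a known application server or device before raising the limit for that connector.
$hits | Group-Object Connector, SourceIP | Sort-Object Count -Descending | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Connector  = $sorted[0].Connector
        SourceIP   = $sorted[0].SourceIP
        Limit      = $sorted[0].Limit
        Rejections = $_.Count
        FirstSeen  = $sorted[0].Time
        LastSeen   = $sorted[-1].Time
    }
} | Format-Table -AutoSize

# Only then, for the connector that serves the confirmed source:
# Set-ReceiveConnector "$server\<connector name>" -MaxInboundConnectionPerSource 50
```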

Tuesday, December 13, 2011

Insufficient access rights to perform the move mailbox operation from Exchange 2007 to Exchange 2010 organization

When moving a mailbox from an Exchange 2007 to an Exchange 2010 organization I experienced the following error message:

Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098:  problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.

The reason is that inheritable permissions are not enabled on the user object. To resolve the error, check the "Allow inheritable permissions from this object's parent" check box in the user's Advanced Security Settings dialog in AD:

After setting the check box, the move mailbox operation should complete successfully. Note that for accounts that are (or were) members of protected groups (adminCount = 1), the AdminSDHolder process will clear the check box again on its next run, so perform the move right after enabling inheritance or remove the account from the protected group first.
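A script that finds user objects with blocked inheritance in an OU and re-enables it, and reports the ones that AdminSDHolder will re-protect, as an added example that is not part of the original post; the OU path is a placeholder and the Active Directory module is assumed:

```powershell
# Added example (not from the original post): locate users whose permission
# inheritance is blocked and enable it before the mailbox move. OU is a placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=domain,DC=local'

# AreAccessRulesProtected = $true means "Allow inheritable permissions ..." is unchecked
$blocked = Get-ADUser -SearchBase $searchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, DistinguishedName, adminCount

$blocked | Format-Table -AutoSize

foreach ($user in $blocked) {
    $path = 'AD:\' + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    # isProtected = $false re-enables inheritance; preserveInheritance = $true
    # keeps the existing explicit ACEs instead of discarding them
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# adminCount = 1 marks accounts that SDProp (AdminSDHolder) will re-protect on
# its next run; move those mailboxes right away or take the account out of the
# protected group first
$blocked | Where-Object { $_.adminCount -eq 1 } | Select-Object SamAccountName, DistinguishedName
```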

Wednesday, December 7, 2011

Receiving error event 4002 from MSExchange Availability on Exchange 2010

During the upgrade from Exchange 2007 to Exchange 2010 I was seeing error event 4002 in the Application log on the Exchange 2010 servers. Here is a part of the error:

Process 5436: ProxyWebRequest IntraSite from S-1-1-0 to https://casserver2007.local.domain/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapException: Microsoft.Exchange.InfoWorker.Common.Availability.TimeIntervalTooBigException: The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days. ---> The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling(). The request information is ProxyWebRequest type = IntraSite, url = https://casserver2007.local.domain/EWS/Exchange.asmx

By default Exchange 2007 allows availability (free/busy) queries covering up to 42 days, while the Exchange 2010 limit is 62 days. So when Exchange 2010 proxies a request for a user on Exchange 2007, the request fails because Exchange 2010 asks for 62 days of information while Exchange 2007 accepts at most 42 days. To avoid this you can set the maximumQueryIntervalDays value in the EWS web.config located in the Exchange 2007 installation folder under \ClientAccess\Exchweb\ews. The key must be added under the appSettings section; by default it does not exist and Exchange 2007 uses its default interval of 42 days. Here is how the appSettings entry should look:

<add key="maximumQueryIntervalDays" value="62" />

After adding this setting you have to run IISReset so that the Exchange 2007 CAS server picks up the new value. In my case this setting made the error event 4002 on Exchange 2010 disappear.