Channel: Exchange Server 2013 - General Discussion forum

Exchange 2013 Edge Domain Joined

Hello,

I have a very unique customer that has deployed machines in their perimeter network that are joined to the corporate domain. Their rationale is that AV updates, time sync, etc. are easier this way and they only have a verified and approved Windows 2012R2 build for domain-joined machines.

As part of a solution I am designing, we are planning on deploying Exchange 2013 Edge Transport servers in their perimeter network. I know that Exchange 2013 Edge Transport works when it is domain joined (as long as you install it in workgroup mode due to a bug in CU5 onwards). 

I understand this is not best practice, but my question is more around this implementation of an Edge Transport joined to a domain being a supported configuration. I'm just a bit wary of something working fine versus it being a supported configuration, so am hoping someone can advise me if the solution will be supported.

I have started discussions around allowing the Edge Transport servers to be in a workgroup and not domain joined but am getting a lot of resistance from the customer.

Thank you.

Jamal


Hybrid Mode - OnPrem to O365 not working

Hi,

I've recently stood up a Hybrid Deployment, and I've trudged through most issues.  I think my last one is sending mail from on-prem to the cloud.  I've migrated a test mailbox to the cloud, and when I try to send email to it, the message eventually bounced after a couple days of delays.  The delay message I get is:

Remote Server at Cas01.domain.com (10.128.13.66) returned '450 4.7.0 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with: "451 5.7.3 STARTTLS is required to send mail." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 207.46.163.215:25''

I checked the send connector, and the servers are set to EHLO as the expected hostname, pass the expected cert, and TLS is enforced.  Is there something I can check to determine why and how this is breaking down?




Exchange 2013 Hybrid EWS not using proxy

Hi

I have an Exchange 2013 CU8 server (Win2012R2) in hybrid mode sitting behind a proxy server. Free busy info of online mailboxes is not working from on-premise mailboxes. I have chased the problem to EWS not appearing to use the proxy.

I have set the IE proxy. I have set the WinHTTP proxy. I have set the InternetWebProxy.

A WireShark trace also shows the token request coming directly from the server, bypassing any proxy set.

I have also tried to set the proxy directly in the web.config file of EWS, but that has no effect either.

This is really strange. Any thoughts?

Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx
-Mailbox onpremiseaccount@domainname.org -Verbose | fl

Produces the following output:

RunspaceId  : d3d36eec-38d7-4371-8fd9-720b86ce2d1c
Task        : Checking EWS API Call Under Oauth
Detail      : The configuration was last successfully loaded at 06/07/2015 09:28:13 UTC. This was 49 minutes ago.
              The token cache is being cleared because "use cached token" was set to false.
              Exchange Outbound Oauth Log:
              Client request ID: ab8fed2b-321a-4100-ae01-152bb9552aa0
              Information:[OAuthCredentials:Authenticate] entering
              Information:[OAuthCredentials:Authenticate] challenge from
              'https://outlook.office365.com/ews/Exchange.asmx' received: Bearer
              client_id="00000002-0000-0ff1-ce00-000000000000",
              trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1",
              authorization_uri="https://login.windows.net/common/oauth2/authorize",Basic Realm=""
              Information:[OAuthCredentials:GetToken] client-id: '00000002-0000-0ff1-ce00-000000000000', realm: '',
              trusted_issuer:'00000001-0000-0000-c000-000000000000@*'
              Information:[OAuthCredentials:GetToken] start building a token for the user domain 'domain.org'
              Information:[OAuthTokenBuilder:GetAppToken] start building the apptoken
              Information:[OAuthTokenBuilder:GetAppToken] checking enabled auth servers
              Information:[OAuthTokenBuilder:GetAppToken] trusted_issuer includes the auth server 'ACS':
              00000001-0000-0000-c000-000000000000@9cdffd99-a391-4492-8b8b-03b8ef1da48c,
              Information:[OAuthTokenBuilder:GetAppToken] updating the tenant id with the auth server realm; current
              tenant id value is '', new value is '9cdffd99-a391-4492-8b8b-03b8ef1da48c'
              Information:[OAuthTokenBuilder:GetAppToken] trying to get the apptoken from the auth server 'ACS' for
              resource
              '00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@9cdffd99-a391-4492-8b8b-03b8ef1da48c'
              Information:[ACSTokenCache:GetActorToken] Each key and its counts are L:00000002-0000-0ff1-ce00-000000000
              000-AS:00000001-0000-0000-c000-000000000000@9cdffd99-a391-4492-8b8b-03b8ef1da48c, 0
              Information:[ACSTokenCache:GetActorToken] cache size is 0
              Information:[ACSTokenCache:GetActorToken] try to get a new ACS token synchronously
              Information:[ACSTokenBuildRequest:BuildToken] started
              Information:[ACSTokenBuildRequest:GetActorTokenFromAuthServer] Sending token request to
              'https://accounts.accesscontrol.windows.net/9cdffd99-a391-4492-8b8b-03b8ef1da48c/tokens/OAuth/2' for the
              resource
              '00000002-0000-0ff1-ce00-000000000000/outlook.office365.com@9cdffd99-a391-4492-8b8b-03b8ef1da48c' with
              token: {"typ":"JWT","alg":"RS256","x5t":"vGeyUPR3l9gDmgp4W4cFO5EhqHk"}.{"iss":"00000002-0000-0ff1-ce00-00
              0000000000@9cdffd99-a391-4492-8b8b-03b8ef1da48c","aud":"00000001-0000-0000-c000-000000000000/accounts.acc
              esscontrol.windows.net@9cdffd99-a391-4492-8b8b-03b8ef1da48c","nbf":1436177871,"exp":1436178471}
              Error:[ACSTokenBuildRequest:GetActorTokenFromAuthServer] Unable to get the token from auth server
              'https://accounts.accesscontrol.windows.net/9cdffd99-a391-4492-8b8b-03b8ef1da48c/tokens/OAuth/2'. The
              request has token {"typ":"JWT","alg":"RS256","x5t":"vGeyUPR3l9gDmgp4W4cFO5EhqHk"}.{"iss":"00000002-0000-0
              ff1-ce00-000000000000@9cdffd99-a391-4492-8b8b-03b8ef1da48c","aud":"00000001-0000-0000-c000-000000000000/a
              ccounts.accesscontrol.windows.net@9cdffd99-a391-4492-8b8b-03b8ef1da48c","nbf":1436177871,"exp":1436178471
              }, the error from ACS is , the exception is System.Net.WebException: Unable to connect to the remote
              server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party
              did not properly respond after a period of time, or established connection failed because connected host
              has failed to respond 191.235.135.222:443
                 at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
                 at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6,
              Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception&
              exception)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
                 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)
                 at Microsoft.Exchange.Security.OAuth.ACSTokenBuildRequest.GetActorTokenFromAuthServer(Boolean
              throwOnError)
              Error:[ACSTokenBuildRequest:GetActorTokenFromAuthServer] the inner exception is
              System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party
              did not properly respond after a period of time, or established connection failed because connected host
              has failed to respond 191.235.135.222:443
                 at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
                 at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6,
              Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception&
              exception)
              Error:Unable to get token from Auth Server. Error code: ''. Description: ''.

              Exchange Response Details:
              HTTP response message:
              Exception:
              System.Net.WebException: The request was aborted: The request was canceled. --->
              Microsoft.Exchange.Security.OAuth.OAuthTokenRequestFailedException: Unable to get token from Auth
              Server. Error code: ''. Description: ''. ---> System.Net.WebException: Unable to connect to the remote
              server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party
              did not properly respond after a period of time, or established connection failed because connected host
              has failed to respond 191.235.135.222:443
                 at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
                 at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6,
              Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception&
              exception)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
                 at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)
                 at Microsoft.Exchange.Security.OAuth.ACSTokenBuildRequest.GetActorTokenFromAuthServer(Boolean
              throwOnError)
                 --- End of inner exception stack trace ---
                 at Microsoft.Exchange.Security.OAuth.ACSTokenBuildRequest.GetActorTokenFromAuthServer(Boolean
              throwOnError)
                 at Microsoft.Exchange.Security.OAuth.ACSTokenBuildRequest.BuildToken(Boolean throwOnError)
                 at Microsoft.Exchange.Security.OAuth.ACSTokenCache.GetActorToken(ACSTokenBuildRequest
              tokenBuildRequest, IOutboundTracer tracer, Nullable`1 clientRequestId)
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppToken(String applicationId, String
              destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
              userDomain)
                 at Microsoft.Exchange.Security.OAuth.OAuthTokenBuilder.GetAppWithUserToken(String applicationId,
              String destinationHost, String realmFromChallenge, IssuerMetadata[] trustedIssuersFromChallenge, String
              userDomain, ClaimProvider claimProvider)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.GetToken(WebRequest webRequest,
              HttpAuthenticationChallenge challengeObject)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.Authenticate(String challengeString, WebRequest
              webRequest, Boolean preAuthenticate)
                 at Microsoft.Exchange.Security.OAuth.OAuthCredentials.OAuthAuthenticationModule.Authenticate(String
              challenge, WebRequest request, ICredentials credentials)
                 at System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials
              credentials)
                 at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials
              authInfo)
                 at System.Net.HttpWebRequest.CheckResubmitForAuth()
                 at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
                 at System.Net.HttpWebRequest.DoSubmitRequestProcessing(Exception& exception)
                 at System.Net.HttpWebRequest.ProcessResponse()
                 at System.Net.HttpWebRequest.SetResponse(CoreResponseData coreResponseData)
                 --- End of inner exception stack trace ---
                 at System.Net.HttpWebRequest.GetResponse()
                 at Microsoft.Exchange.Monitoring.TestOAuthConnectivityHelper.SendExchangeOAuthRequest(ADUser user,
              String orgDomain, Uri targetUri, String& diagnosticMessage, Boolean appOnly, Boolean useCachedToken,
              Boolean reloadConfig)

ResultType  : Error
Identity    : Microsoft.Exchange.Security.OAuth.ValidationResultNodeId
IsValid     : True
ObjectState : New


Meeting Room Mailbox appears as Unknown in Exchange 2013 Coexistence

Hi All,

I have an Exchange 2010 setup with around 13 meeting rooms and everything is working. Then I introduced an Exchange 2013 server in my setup and created a new user on Exchange 2013. I tested that everything (OWA/Outlook/Autodiscover, using hosts file entries pointed at Exchange 2013) is working for that user in coexistence, except when I create a new meeting and click on Room Finder and the meeting rooms from the room list. It shows me 13 Unknown, no available rooms. I can see in the GAL that the rooms appear fine.

Any idea why this behaviour?

Regards

Usman


Usman Ghani - MCITP Exchange 2010

Exchange 2013 free/busy issue with federated domain.

Hi all,

We have a federation trust with two domains. One of the federated domains is showing free/busy information on both ends, but the second domain is not showing their free/busy on our end. But on their end, they are able to see our free/busy information.

For troubleshooting this issue.

Tested Federation

Tested Federation Certificate

OWAVirtualdirectory

Checked IIS Logs

Autodiscover

EWS External URL Setting.

Please feel free to put your suggestion. Let me know, if I miss some info


2013 upgrade to 2016 planning

I have 2 physical Exchange 2013 systems, all replicating mailboxes in a DAG; runs great! Auto reseeding is set up and working.

Looking at migrating to Exchange 2016.

Without affecting my existing environment, I wonder what would be the best path for a seamless upgrade?

Seems as though I need a new server to do this. Since my existing servers are physical, I'm wondering if I should go back to virtual. Is auto reseeding still in 2016? Does the new 2016 server have to be internet facing initially?

Just wondering what the best path might be, thanks.


Exchange ECP and OWA Issue

Exchange customizing sign out url

Hi all, is there any way for me to change the redirection URL when signing out of OWA, as I do not wish to redirect to logon.aspx after signing out?

Audit Failure Event ID 4625 on Exchange 2013 Server

Setup - Exchange 2013 Standard with SP1 - Mailbox and CAS on one server.

We are getting hundreds and sometimes thousands of event id 4625 from w3wp process daily. Is anyone experiencing this issue and were you able to fix it? We opened a case with the Exchange team for this issue and they are telling us that this is by design. Everyone using Exchange 2013 should be experiencing the same issue if the event is by design.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/15/2014 3:31:42 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      mailserver.domain.local
Description:
An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:        mailserver$
    Account Domain:        DOMAIN
    Logon ID:        0x3E7

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:        
    Account Domain:        

Failure Information:
    Failure Reason:        Account currently disabled.
    Status:            0xC000006E
    Sub Status:        0xC0000072

Process Information:
    Caller Process ID:    0x21e4
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:    mailserver
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        Authz   
    Authentication Package:    Kerberos
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-05-15T10:31:42.051407100Z" />
    <EventRecordID>15165636</EventRecordID>
    <Correlation />
    <Execution ProcessID="780" ThreadID="13320" />
    <Channel>Security</Channel>
    <Computer>mailserver.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">mailserver$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">
    </Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="FailureReason">%%2310</Data>
    <Data Name="SubStatus">0xc0000072</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Authz   </Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">mailserver</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x21e4</Data>
    <Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
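
An added example (not part of the original post, and not Exchange or Microsoft code): when a server logs this many 4625 events, grouping them by failure reason, caller process and presence of a source address separates events shaped like the one above from failures that arrive over the network. The bucket names and the second and third sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that commonly appear in the Status/SubStatus fields of 4625.
NTSTATUS = {
    0xC0000064: "no such user",
    0xC000006A: "wrong password",
    0xC000006E: "account restriction",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}


def make_event(event_id, **data):
    """Build a minimal constructed event in the Event XML schema."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{rows}</EventData></Event>')


SAMPLES = [
    # Same shape as the event in the post (field values copied from it).
    make_event(4625, SubjectUserSid="S-1-5-18", TargetUserName="",
               SubStatus="0xc0000072", LogonProcessName="Authz   ",
               ProcessName=r"C:\Windows\System32\inetsrv\w3wp.exe",
               IpAddress="-"),
    # Constructed: a network logon failure with a source address.
    make_event(4625, SubjectUserSid="S-1-0-0", TargetUserName="jdoe",
               SubStatus="0xc000006a", LogonProcessName="NtLmSsp",
               ProcessName="-", IpAddress="203.0.113.10"),
    # Constructed: a successful logon, which must be ignored.
    make_event(4624, TargetUserName="jdoe"),
]


def parse_4625(xml_text):
    """Return the EventData fields as a dict, or None if not event 4625."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}


def classify(fields):
    """Bucket one failure and translate its SubStatus code."""
    sub = int(fields.get("SubStatus", "0x0"), 16)
    reason = NTSTATUS.get(sub, hex(sub))
    source = fields.get("IpAddress", "-")
    # Shape seen in the post: SYSTEM subject, Authz logon process,
    # no source address and an empty target account name.
    if (fields.get("SubjectUserSid") == "S-1-5-18"
            and fields.get("LogonProcessName") == "Authz"
            and source == "-" and not fields.get("TargetUserName")):
        return "local-authz", reason
    if source != "-":
        return "remote", reason
    return "other", reason


def summarize(xml_events):
    """Count 4625 events per (bucket, reason, caller process)."""
    counts = Counter()
    for xml_text in xml_events:
        fields = parse_4625(xml_text)
        if fields is None:
            continue
        bucket, reason = classify(fields)
        counts[(bucket, reason, fields.get("ProcessName", "-"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLES).most_common():
        print(n, *key)
```

Feed it events exported as XML from the Security log; anything that lands in the `remote` or `other` buckets has a different shape from the event in the post and is worth reviewing separately.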

Exchange 2013 and Outlook 2016

Currently we cannot connect an Outlook 2016 email account to Exchange 2013. If the computer is hard wired and connected to our domain it will find it, but for our many users who use Outlook outside of the office we are not able to connect Outlook 2016.  Not sure how to proceed. Outlook 2013 works fine manually setting it up.

Thanks for any help that can be provided.

Temporary On Prem Exchange Server Account Changes

We are in the midst of migrating from on prem Exchange to O365. Our on prem server is still active and I have several email addresses that have already been migrated that I need to change (misspelling on a couple, name change on another). The problem is I cannot edit them in O365 because it says "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory." I've already updated AD and the name change comes over, but the new email address does not. I assume something is hung up in our on prem server, but since the mailbox does not exist there, I'm not sure how to change it...

How can you install Exchange 2010 now that 2010 filter packs are now removed from the Microsoft download centre?

How can you install Exchange 2010 now that 2010 filter packs are now removed from the Microsoft download centre?

Microsoft office 2010 filter pack links dead

I am trying to build an Exchange 2010 server.  When I run the install it tells me I need to install the Microsoft Office 2010 Filter Pack.  OK, so I do a search and I am able to download SP1 and SP2 versions of the filter pack - neither one will install and it tells me there is no application installed that is affected by these applications.  OK, so it seems to me like I need to locate and install the original pre-SP1 filter pack.  When I search I keep getting links back to Microsoft's page but the link is dead.

Here is the link:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=17062

Why is it so difficult to find this software?

Exchange 2013 - Outlook for Mac 2016

We are running Exchange 2013 server. On Windows computers we are running Outlook 2016 (365), and in Outlook there is the online archive (on the Windows platform) where mails are archived.

If the same user logs on to a Mac running Outlook 2016, the online archive is not listed in the view. If it works on Windows for the user, should the online archive also be available on Outlook 2016 for Mac? Are there any settings that must be set?

Queued mail for delivery

Hi,

Trying to make the administrator account available to receive from external.  Sending to administrator gives this message: " Message xxxxxxx to administrator...... received remote SMTP response "from sender" = Queued mail for delivery

The account works fine internally.

Thanks


Account keeps getting locked out from specific machine

Dear Experts,

Your assistance in solving the below issue is highly appreciated...

EventID: 0x00001284 (4740) - A user account was locked out.

Subject:
Security ID: S-1-5-18
Account Name: xxxx$
Account Domain:NNN
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: S-1-5-21-1699241594-4287572650-2767143919-3647
Account Name: xyz

Additional Information:
Caller Computer Name:Apples-MacBook-Pro.local

As per the above log, account xyz keeps getting locked out from "Apple-MacBook-Pro.local". The user claimed that he doesn't own the machine anymore and we need to block this machine, noting that this machine is trying to access from external and is not joined to the domain.

Kindly suggest a solution, as we are getting 20 - 25 account lockout notifications daily.

How to get the list of user mailboxes whose last logon date is older than 60 days

Hello all,

I want a script or PowerShell command to get the list of user mailboxes whose last logon date is older than 60 days.

Is there any command shell?


Mohammad Naji, senior Exchange administrator

Exchange 2013 delivery issues (EXPANDED in NDR) after removing attachment filter rule

Story so far:
I wanted to filter attachments in a single server Exchange 2013 environment, so I created a rule, fairly drastic I know:

New-TransportRule -Name 'Attachment Filter' -Priority 0 -Enabled $true -AttachmentNameMatchesPatterns 'ceo$' -RejectMessageReasonText 'Your Message was rejected due to a dangerous attachment.' -DeleteMessage $true

In fact there was a longer list of potentially nasty attachments.

Then I thought "perhaps too drastic", so I edited the rule in the GUI and changed the action from delete to forward to another mailbox where I could check them.

Then a user noticed that messages with attachments with the .doc extension (not in my list) were being dropped. (.docx are OK)

So I deleted my rule in the GUI, restarted the server and thought all would be well.

However, my rule is still there somewhere, because all the listed extensions and .doc are being dropped (and not delivered anywhere).

It is not visible in the GUI and get-transportrule does not show it either.

result of sending a message with a formerly filtered attachment
One clue:
When I send a message with a formerly filtered attachment and ask for a delivery receipt, I do get one telling me the message has been delivered to a group, and has been EXPANDED.

I would of course like to clean out this remainder of a rule and start again (maybe)


CarolChi

Deploy Exchange 2013 for 1500 users

Hi,

I have to deploy Exchange Server 2013 for 1500 users.

What are the best practices??

Thanks,


KETATA Ramy (Don't forget to mark and vote for the answer or answers that help solve your problem)

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

Good day Guys

First of all, I am not an Exchange expert, and I might be asking a very stupid question, but please bear with me. :)

While I was on leave our mail server fell over and the company got a specialist to help out for the time being.
We were\are on Microsoft Exchange 2007, which fell over, and the specialist was able to recover as much data as he could.

They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013, and not everything migrated over.

But the problem is, Outlook Anywhere was enabled on 2007 and worked a 100% (before the disaster).

With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:

"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

Outlook is unable to connect to the Proxy server. (Error Code 0)"

Has anyone had a similar issue when migrating over from 2007 to 2013, or is this an issue on IIS and nothing to do with the Exchange migration?

Your assistance will be greatly appreciated.

:)  
