Share iT…

Last week microsoft released Windows Management Framework (WMF) 3.0 which includes Powershell 3.0 (KB2506146 for Windows 2008 SP2 and KB2506143 for Windows Server 2008 R2) as an optional Windows update. So everyone can approve and install the update via Windows update, WSUS or any other updating mechanism you are using.

But installing this update on a Small Business Server (SBS) 2008 and 2011 or on an Exchange Server 2007 and 2010 will give all kind of trouble.

Symptoms for an Exchange Server:
Installation of Exchange update rollups will fail one of the errors is: error code of 80070643.

The Exchange Team wrote this blog about this issue. It states: “Windows Management Framework 3.0 (specifically PowerShell 3.0) is not yet supported on any version of Exchange except Exchange Server 2013. If you install Windows Management Framework 3.0 on a server running Exchange 2007 or Exchange 2010, you will encounter problems, such as Rollups that will not install, or the Exchange Management Shell may not run properly.”

Symptoms for a Small Business Server:
When running some SBS wizards like the Fix My Network wizard it will end up with errors about access denied for the Exchange Management Shell.
Also other kind of problems may occur with the Exchange and / or SharePoint 2010 Management Shell and as written for Exchange Servers installation of Exchange update rollups may fail.

On the Small Business Server Blog there is a post on these issues.

Recommendation for both Exchange and Small Business Servers is to NOT install the Windows Management Framework 3.0 update at this time. If you already installed the update and encoutered the previously described problems, uninstall the update. Your server should be fine when it comes back online after a restart.

Update:
There is another problem reported in the Small Business Technet forum uninstallation of the also removes a registry key that gives problems to the event log. This is the key that is deleted: “HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ WINEVT \ Channels \ ForwardedEvents”

Anytime later in the same post there is a mention that the updates are removed from Microsoft Update:

As a result of these regressions and feedback from customers and experts like you, we have expired the WMF 3.0 Update for all platforms (Windows 7, Server 2008, and Server 2008 R2) as of 5:07 pm PDT.

doug neal
Microsoft Update (MU)

Most people have multiple aliases on their mailbox, with aliases on the same email domain or even with multiple domain names. But when you try to send from (send as) one of these aliases you get the following undeliverable error message returned:

“You can’t send a message on behalf of this user unless you have permission to do so. Please make sure you’re sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.”

The answer to this problem is relatively easy, by default and design this isn’t possible, but there are a couple of workarounds available:

• Create a separate mailbox and put the alias on the mailbox and configure it with send as permissions.
• Create a distribution group and put the alias on the distribution group and configure it with send as permissions.
• Create a dummy pop account in outlook and configure the alias as email address.
• There are some third party tools available that create a workaround.

Workaround 1:
Create a separate mailbox and put the alias on the mailbox and configure it with send as permissions.

First we start with removing the alias we want to send as from the original mailbox.

Now we create a new mailbox, give it a logical name, etc. and give the alias as email address.

After the account has been created we need to set Send As permissions for the newly created account. We do this via the Exchange management console by right clicking on the newly created mailbox and choose Manage Send As permissions…

Add the original user (user@domain.com) to grant Send As permission for the alias@seconddomain.com

Now you are able to send as user@domain.com also with the alias@seconddomain.com address.

We do this by using the From… field in outlook, add the alias in the from field when you want to send from the alias. When you don’t see the from field go to the options menu and choose Show From.

Best thing to do is click the From… button and select the alias mailbox from the address list.

Of course when email is send to the alias@seconddomain.com it now will be delivered to this newly created mailbox. If you would like to receive the email just as before in the same mailbox (user@domain.com), then go to the properties of the newly created alias mailbox and choose the Mail Flow Settings tab, select Delivery Options… and choose properties.

Add the original mailbox at the Forward to: field, via the Browse… button. Now all mail is forwarded to your original mailbox and all mail will be in same mailbox as before removing the alias.

Workaround 2:
Create a distribution group and put the alias on the distribution group and configure it with send as permissions.

First we start with removing the alias we want to send as from the original mailbox.

Now we create a new distribution group, give it a logical name, I always give it the name of the email alias and set the alias as email address.

Then we add the original mailbox as only member.

Now we need to set the Send As permissions for the original mailbox (user@domain.com) on the newly created distribution list. This cannot be done via the exchange management console, we have to use the exchange management shell.

This is the command syntax: Add-ADPermission “public folder name ” -ExtendedRights Send-As -user “Domain\Username”

Now you are able to send as user@domain.com also with the alias@seconddomain.com address.

We do this by using the From… field in outlook, add the alias in the from field when you want to send from the alias. When you don’t see the from field go to the options menu and choose Show From.

Best thing to do is click the From… button and select the alias distribution group from the address list.

Workaround 3:
Create a dummy pop account in outlook and configure the alias as email address.

WARNING: This option is the least recommended, because setting up this will create the posibillity to open a security hole for smtp virusses.

With this workaround we leave the email aliases as they are on the mailbox. We are going to configure a dummy / fake pop account in outlook, so no server configuration needed.
Open outlook and go to Account Settings, choose for New…, choose the email services that include Pop3, choose for manual configure server settings and choose Internet E-mail (Pop).

At Your Name: we give your name (this is the name the receiver will see), at E-mail Address we give alias@seconddomain.com, at incoming mail server, just give in something it doesn’t matter, at outgoing mail server give in your Exchange server and at username and password give in your logon credentials (the users domain account credentials).

Choose More Settings…

Make sure that you enable “My outgoing server (SMTP) requires authentication” on the Outgoing Server tab. This is needed to let you send via your exchange server, then finish the wizard.

Now you are able to send as user@domain.com also with the alias@seconddomain.com address.

We do this by using the Account button that is created after creating the dummy pop account. You just choose the email address you would like to send your email from.

Conclusion:
So you see there are a couple of workarounds available, which one is the best, there isn’t it all depends on your needs and wishes.

Exchange 2007 (no-SP, SP1 and SP2) isn’t supported on Windows 2008 R2, but since SP3 it is. As my installation disc / iso only contains Exchange 2007 SP1 I had to install first this iso and then directly update it to SP3.

Installations looks to go well. But first got a warning on the hub transport: “Setup cannot detect an SMTP or Send connector with an address space of ‘*’.”.

This warning could be ignored, the only thing we have to do after installation is create a SMTP connector, more information about this read here.

But at the end of the installation the Mailbox Role Failed with error: “An error occurred. The error code was 3221684229. The message was Access is denied..”

Solution:
To get the Mailbox Role installed we have to set the compatibility mode from the exchange setup.exe to Windows Server 2008 (Service Pack 1) and run the setup again and add the Mailbox Role.

Now installation goes fine.

After you finished the installation please update Exchange 2007 directly to SP3.

When accidentally set a http redirect for your OWA on your Exchange 2007 / 2010 and SBS 2008 via IIS7 and inherited to all virtual sub directories and then try to remove it for the virtual directories public, exchange, exadmin and exchweb you get an error like this one:

HTTP Redirect:
There was an error while performing this operation.
Details:
Filename: \\?BackOfficeStorage\yourdomain.extension\Public Folders\web.config
Error: Cannot write configuration file

Solution: This error is generated because these virtual directories don’t have a physical path.
You can solve this issue by opening a command prompt window. Change directory to Windows\system32\Inetsrv. Then run this command: appcmd set config “/” /section:httpredirect /enabled:false -commit:apphost. Change and for your specific environment.

More information about this topic and setting http redirect for owa can be found here: Simplify the Outlook Web App URL

There are 3 levels to control the message size limits for sending and receiving emails through a Exchange 2007 or 2010 mail server. Mail transport is controlled by the hub transport role so settings are made on the hub transport role.

Global settings: In Exchange Management Console, on Organization level, Hub Transport, Global Settings tab, select Transport settings properties you can set the Maximum receive size (KB) and Maximum send size (KB) at Transport limits for the whole Organization.

Connector settings, Receive connector: In Exchange Management Console, on Server Configuration level, Hub Transport, select the server and receive connector you want to set the Maximum message size (KB) for. You can set different values for all servers and receive connectors, so be sure you change the settings for the right Hub Transport server and the right receive connector.

Connector settings, Send connector: In Exchange Management Console, on Organization level, Hub Transport, Send Connector tab, you can set the Maximum message size (KB) for your Send connector(s). The setting is organization wide so for all servers if you have multiple send connectors you can make differences for the specific send connectors.

Last possibility is to set it on a User Mailbox: In Exchange Management Console, on Recipient Configuration level, Mailbox, select a User you want to set the limit for, properties, on the tab Mail Flow Settings select Message size restrictions

The setup of Exchange 2007, Exchange 2010 or even SBS 2008 stops with the error “Access control list (ACL) inheritance is blocked”

Solution: Exchange setup requires that permission inheritance is enabled for the following objects:
Exchange Organization object, Exchange Administrative Group object, Exchange Servers container object, Exchange Address List object, Exchange Public Folder object and Exchange Public Folder tree object.

For Exchange 2003 start Exchange system manager and goto the objects and right click and choose properties, then on the security tab choose advanced and make sure “Allow inheritable permissions from the parent to propagate to this object and all child objects” is enabled. After that restart the Exchange server.

If security tab isn’t available you have to create the following registry value:
Value Name: ShowSecurityPage, Data Type: REG_DWORD, Radix: Binary, Value: 1 At the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin key.

For Exchange 2007 and 2010 use adsiedit, and browse to the object you want to change. Right click and choose properties, then on the security tab choose advanced and make sure “Allow inheritable permissions from the parent to propagate to this object and all child objects” is enabled. Wait till Active Directory replication has replicated the changes.

On a exchange server you notice the following error in the application event log.
Event id 8207, MSExchangeFBPublish
Error updating public folder with free/busy information on virtual machine servername. The error number is 0x80004005.

Solution:
Start a elevated Exchange management shell and run the following command:
set-publicfolder -identity “\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=orgnizationname/ou=First Administrative Group” -replicas “public folder database”

After migrating your Exchange server (I’ve seen this in transition to exchange 2007 and 2010) the PublicFolderDatabase for your OfflineAddressBook is still pointing to the old servers public folder store.

When you run the get-OfflineAddressBook | fl command in a exchange management shell on your new server, you get a result like this:

At Server you see the new servername and the PublicFolderDatabase is still pointing to your old server. Public folder replica’s and offline address book generation server are already moved to the new server.

Solution: I found if you do the following steps you can change the PublicFolderDatabase.
First start adsiedit and browse to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Address Lists Container, CN=Offline Address Lists and open the properties of CN=Default Offline Address List

Look for the siteFolderServer attribute, here you will see the old public folder store. Choose clear and close with ok, now you may close adsiedit.

Now go to the exchange management console, Organization Configuration, Mailbox, Offline Address Book open the properties of the Default Offline Address List and go to the tab distribution.

Uncheck “Outlook version 2 and 3” at client support and “Enable public folder distribution”. Make sure “Web-based distribution” is enabled. Choose apply and ok, then right click on Default Offline Address List and choose update. After that go back to properties and distribution and check “Outlook client support version 2 and 3” and “Enable public folder distibution”. Again choose apply and ok and right click and choose update.

When you go back to the exchange management shell and repeat get-OfflineAddressBook | fl you now will see the public folder store on your new server.

When you install a Exchange 2007 or 2010 client access server and using outlook 2007 or 2010. You will get a autodiscover error by default. Also connect with outlook webaccess or web app you get a certificate error.

To solve this problem you will have to import the certificate on all computers. Another way is to buy a trusted third party certificate. In most cases this will be a SAN / UCC certificate so you can use multiple names on the certificate, webmail.domain.name, autodiscover.domain.name, servername.domain.name and for a transition legacy.domain.name.

But after you request and installed the certificate you still get a autodiscover or certificate error.

Possible solution: you will have to change some autodiscover and client access setting, I will describe the wat to check and change the settings with the Exchange management shell. Some settings can also be changed by GUI.

Check the AutoDiscoverServiceInternalUri with the following command: Get-ClientAccessServer |ft Identity,AutoDiscoverServiceInternalUri
To change the setting: Set-ClientAccessServer -Identity “SERVERNAME” -AutoDiscoverServiceInternalUri “https://url.domain.name/autodiscover/autodiscover.xml”

For the next options you can set for both internal and external a different url. But you can choose to use same url for both in that case you will have to setup your internal and external dns right.

Check the AutodiscoverVirtualDirectory Get-AutodiscoverVirtualDirectory |ft internalurl,externalurl
To change the settings:
Set-AutodiscoverVirtualDirectory -Identity ‘SERVERNAME\Autodiscover (Default Web site)’ -ExternalUrl https://externalurl.domain.name/Autodiscover/Autodiscover.xml’
Set-AutodiscoverVirtualDirectory -Identity ‘SERVERNAME\Autodiscover (Default Web site)’ -InternalUrl ‘https://internalurl.domain.name/Autodiscover/Autodiscover.xml’

Check the WebServicesVirtualDirectory InternalUrl and ExternalUrl Get-WebServicesVirtualDirectory |ft internalurl,externalurl
To change the settings:
Set-WebServicesVirtualDirectory -Identity ‘SERVERNAME\EWS (Default Web site)’ -ExternalUrl ‘https://externalurl.domain.name/EWS/Exchange.asmx’
Set-WebServicesVirtualDirectory -Identity ‘SERVERNAME\EWS (Default Web site)’ -InternalUrl ‘https://internalurl.domain.name/EWS/Exchange.asmx’

You will have to do the same thing for all the next option. If you don’t use one of these options you can consider skipping the setting.

Get-OabVirtualDirectory |ft internalurl,externalurl
Set-OabVirtualDirectory -Identity “SERVERNAME\OAB (Default Web site)” -InternalUrl ‘https://internalurl.domain.name/OAB’
Set-OabVirtualDirectory -Identity “SERVERNAME\OAB (Default Web site)” -ExternalUrl ‘https://externalurl.domain.name/OAB’

Get-UMVirtualDirectory |ft internalurl,externalurl
Set-UMVirtualDirectory -Identity “SERVERNAME\UnifiedMessaging (Default Web site)” -InternalUrl ‘https://internalurl.domain.name/UnifiedMessaging/Service.asmx’
Set-UMVirtualDirectory -Identity “SERVERNAME\UnifiedMessaging (Default Web site)” -ExternalUrl ‘https://externalurl.domain.name/UnifiedMessaging/Service.asmx’

Note: when you using SBS 2008 you should replace (Default Web site) by (SBS Web Applications)

When you try to remove a Exchange 2007 public folder database after a migration to Exchange 2010 you’ll get a “Object is read only because it was created by a future version of Exchange: 0.10 (14.0.100.0). Current supported version is 0.1 (8.0.535.0).” error.

Solution: Run adsiedit.msc goto configuration container CN=Configuration , CN=Services , CN=Microsoft Exchange , CN=First Organisation , CN=Administrative Groups , CN=Exchange Administrative Group (FYDIBOHF23SPDLT) , CN=Servers , CN=EXCHANGE2007SERVER , CN=Information Store , CN=Second Storage Group delete the CN=Public Folder Database.