
    Active Directory operation failed on DC.dom.local. This error is not retriable. Additional information: Access is denied.

    October 8th, 2015

    When you try to set rights with Add-ADPermission, you get this error:
    Active Directory operation failed on DC.dom.local. This error is not retriable. Additional information: Access is denied.
    Add-ADPermission -Identity TestGroup1 -user TestUser1 -AccessRights writeproperty -Properties member

    You need to give “Full access” to the user “Exchange Trusted Subsystem” on the AD group object.
    Tip: Enable “Advanced Features” in AD to show the Security tab.

    OALGen skipped some entries in the offline address list

    June 18th, 2015

    Raise the log level to see where the error happens.
    Most of the time it is an error in the SMTP address or a user without an email address
    (a user included in the address book but having no email).

    Set-EventLogLevel "Exch1\MSExchangeSA\OAL Generator" -Level High
    Set-EventLogLevel "Exch1\MSExchangeSA\OAL Generator" -Level Lowest

    Show disconnected mailboxes and purge – Exchange 2010

    January 2nd, 2015

    Get-MailboxStatistics -Database Exchange-DB1 | Where { $_.DisconnectReason -eq "Disabled" } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason

    Remove-Mailbox -Database Exchange-DB1 -StoreMailboxIdentity 7b4sss06-5000-4111-9111-11121c474e

    Exchange 2010 – Not updating archiving

    December 29th, 2014

    In PowerShell on the server:
    Start-ManagedFolderAssistant -Identity "test1-user"

    Show Exchange version in powershell

    August 14th, 2014

    GCM exsetup |%{$_.Fileversioninfo}

    Exchange versions. Service packs and updates

    Message too large for this organization – Exchange

    July 2nd, 2014

    Check the limits:

    Get-ReceiveConnector | fl name,MaxMessageSize
    Get-TransportConfig | fl MaxReceiveSize,MaxSendSize

    Exchange 2010 – Fix failed DAG database replication

    August 30th, 2013

    If your replicated databases are suspended or failed, you may need to reseed them.

    Check status:
    Get-MailboxDatabaseCopyStatus -server MyExchange

    Update-MailboxDatabaseCopy DatabaseName\ReplicaServerName -SourceServer ActiveServerName -DeleteExistingFiles:$True
    ReplicaServerName is the server with the FAILED copy.

    If the content index is in a failed state:
    Update-MailboxDatabaseCopy -Identity DatabaseName\ReplicaServerName -CatalogOnly

    Find exchange 2010 version information

    February 14th, 2013

    Find this in regedit:

    The key “DisplayName” gives the version (SP and rollup)

    Example: Update Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164) 14.2.342.3

    Export/Import mailbox to/from PST – Exchange 2010

    January 17th, 2013

    First, grant the right to do it, which gives access to the new cmdlets:
    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator

    Restart the EMC.

    Next, you need a share where “Exchange Trusted Subsystem” has write access.

    Do the export:
    New-MailboxExportRequest -Mailbox kim.nielsen -FilePath \\nas1\pst\kim.nielsen.pst

    View the progress:
    Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

    Do the import:
    New-MailboxImportRequest -FilePath \\nas1\pst\kim.nielsen.pst -Mailbox kim.nielsen -TargetRootFolder "Mailbox – Kim"
    -TargetRootFolder creates a root folder inside the mailbox.
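
An added example, not part of the original post: a review and clean-up pass for the export procedure above, run in the Exchange Management Shell. It assumes the Administrator account and the \\nas1\pst share used in the commands above; treating that share as the only approved destination is an assumption.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Assumptions: $Operator and $ApprovedShare are the account and share used above.
$Role          = 'Mailbox Import Export'
$Operator      = 'Administrator'
$ApprovedShare = '\\nas1\pst\'

# 1. List everyone who effectively holds the role. -GetEffectiveUsers expands
#    role groups and security groups, so indirect holders show up as well.
Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize

# 2. List every export request the server still tracks and where its PST was written.
$requests = @(Get-MailboxExportRequest | Get-MailboxExportRequestStatistics)
$requests | Format-Table SourceAlias, FilePath, Status, CompletionTimestamp -AutoSize

# 3. Show requests whose PST path is outside the approved share.
$requests |
    Where-Object { "$($_.FilePath)" -notlike "$ApprovedShare*" } |
    Format-List SourceAlias, FilePath, Status

# 4. Completed requests stay listed after the export finishes; clear them
#    once the PST files have been collected from the share.
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false

# 5. Withdraw the role when the job is done. Only the direct, non-delegating
#    assignment is selected, so role-group assignments are left untouched.
#    Remove-ManagementRoleAssignment is left at its default confirmation behaviour.
Get-ManagementRoleAssignment -Role $Role -RoleAssignee $Operator -AssignmentMethod Direct -Delegating $false |
    Remove-ManagementRoleAssignment
```

The role lets its holder copy any mailbox to a file, so steps 1 and 5 are worth running on a schedule, not only after an export.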

    Recreate Rpc and RpcWithCert folders in IIS7

    October 16th, 2012

    For some reasons you might want to recreate the Rpc and RpcWithCert folders in IIS7. The reasons could be:

    – Something went wrong with the old ones
    – You have to use different SSL certificates, one for internal use and one for external use.
    – You are using SAN SSL, certificates with trusted internal names but now this type is discontinued.

    Let's make the Default Web Site the new “internal” site with its own SSL certificate for this use. Then we create a new “external” site.

    How is all that done?
    Start with adding an additional IP to your net card.

    An example: You now have and The “internal” website should now listen on Add an SSL certificate to this one. In the Exchange 2010 EMC a self-signed SSL certificate can be created. For some reason the limit is only one year. Export the certificate and make a GPO to make it trusted on your clients. Once it is trusted there will be no errors in the webmail and Outlook will work.

    You can remove the local ActiveSync folder if you want:

    Remove-ActiveSyncVirtualDirectory -Identity "Exchange\microsoft-server-activesync (default web site)"

    Remember the DNS
    The internal DNS should point to the “internal” website/IP (
    When adding the extra IP, a DNS record is automatically created on the DNS server. Remove this.
    On the DNS server, remove the external IP from the list of interfaces it listens on.

    Then create a new website “external” and make it listen on

    Add an SSL certificate with external trust.

    Now create all the subfolders in the external website with these commands:

    New-OWAVirtualDirectory -Name "owa" -WebSite "External"
    New-EcpVirtualDirectory -WebSiteName "External"
    New-ActiveSyncVirtualDirectory -WebSiteName "External" -ExternalURL "https://externalDNSname.domain.com/Microsoft-Server-ActiveSync"
    New-AutodiscoverVirtualDirectory -WebSiteName "External"
    New-OABVirtualDirectory -WebSiteName "External" -recovery
    New-WebServicesVirtualDirectory -WebSiteName "External"

    Find the IIS7 website configuration file:


    (You need to use Notepad to edit this one)

    Add this in the right sections


    Show mailbox sizes per organizational unit – Exchange 2010

    August 20th, 2012

    Get-Mailbox -OrganizationalUnit "OU-Name" | Get-MailboxStatistics | ft displayName,TotalItemSize -Autosize

    Get-MailboxStatistics | Sort -Property TotalItemsize | Format-Table DisplayName, LastLoggedOnUserAccount, ItemCount, @{expression={$_.totalitemsize.value.ToMB()};label="Size(MB)"}, LastLogonTime, LastLogoffTime

    Show users connected to a CAS – Exchange 2010

    August 20th, 2012

    Show number of users connected to Client Access Servers:
    Get-Counter "\MSExchange RpcClientAccess\User Count" -ComputerName cas1,cas2 |ft

    Show number of users connected to Outlook Web Access / Webmail:
    Get-Counter "\MSExchange OWA\Current Unique Users" -ComputerName cas1,cas2 |ft

    Show named users connected to CAS and Mailbox server:
    Get-LogonStatistics -Server "exch1" | where {$_.clientname -eq "cas1"}| ft username,servername,clientname

    Exchange 2010 – File-Level Scanning Exclusions

    August 16th, 2012

    Detailed list from Microsoft here

    Folder Exclusions:
    C:\Program Files\Microsoft\Exchange Server\V14\Mailbox
    C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MDBTEMP
    C:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB
    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\IpFilter
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\Adam
    C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\SenderReputation
    C:\Program Files\Microsoft\Exchange Server\V14\Working\OleConvertor
    C:\Program Files\Microsoft\Exchange Server\V14\GroupMetrics
    C:\Program Files\Microsoft\Exchange Server\V14\Logging
    C:\Program Files\Microsoft\Exchange Server\V14\Logging\POP3
    C:\Program Files\Microsoft\Exchange Server\V14\Logging\IMAP4
    C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\grammars
    C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\Prompts
    C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\voicemail
    C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\temp
    C:\inetpub\temp\IIS Temporary Compressed Files

    Process Exclusions:
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeADTopologyService.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\ExFBA.exe
    C:\Program Files\Microsoft\Exchange Server\V14\bin\store.exe
    C:\Program Files\Microsoft\Exchange Server\V14\bin\mad.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\msftesql.exe
    C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.AddressBook.Service.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeFDS.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxAssistants.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe
    C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailSubmission.exe
    C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.ProtectedServiceHost.exe


    Autodiscover – Use NTLM instead of basic

    August 15th, 2012

    Set-OutlookAnywhere -Name EXCHSERVER -ClientAuthenticationMethod NTLM
    Set-OutlookAnywhere -Name EXCHSERVER -IISAuthenticationMethod Basic,NTLM

    Shared calendar – auto accept and reviewer rights

    June 28th, 2012

    You have a shared calendar but the users cannot see the details and the appointments are not auto accepted.

    Set-CalendarProcessing User_in_Exchange -AutomateProcessing AutoAccept
    Set-MailboxFolderPermission User_in_Exchange:\Calendar -User Default -AccessRights Reviewer

    Set-CalendarProcessing -Identity recurce-cal -DeleteComments $false
    Set-CalendarProcessing -Identity recurce-cal -DeleteSubject $false

    get-CalendarProcessing -Identity recurce-cal| Format-List

    AutomateProcessing : AutoAccept
    AllowConflicts : False
    BookingWindowInDays : 180
    MaximumDurationInMinutes : 1440
    AllowRecurringMeetings : True
    EnforceSchedulingHorizon : True
    ScheduleOnlyDuringWorkHours : False
    ConflictPercentageAllowed : 0
    MaximumConflictInstances : 0
    ForwardRequestsToDelegates : True
    DeleteAttachments : True
    DeleteComments : False
    RemovePrivateProperty : True
    DeleteSubject : false
    AddOrganizerToSubject : True
    DeleteNonCalendarItems : True
    TentativePendingApproval : True
    EnableResponseDetails : True
    OrganizerInfo : True
    ResourceDelegates : {}
    RequestOutOfPolicy : {}
    AllRequestOutOfPolicy : False
    BookInPolicy : {}
    AllBookInPolicy : True
    RequestInPolicy : {}
    AllRequestInPolicy : False
    AddAdditionalResponse : False
    AdditionalResponse :
    RemoveOldMeetingMessages : True
    AddNewRequestsTentatively : True
    ProcessExternalMeetingMessages : False
    RemoveForwardedMeetingNotifications : False

    Microsoft Exchange Information Store Database [DB-Name] copy on this server experienced a corrupted search catalog

    February 2nd, 2012

    Microsoft Exchange Information Store Database [DB-Name] copy on this server experienced a corrupted search catalog

    Fix with this command:
    Update-MailboxDatabaseCopy -Identity "[type in your DB]\[Your Exchange server]" -CatalogOnly

    Exchange 2010 – set rights with powershell

    January 17th, 2012

    Set-MailboxFolderPermission -Identity testuser:\Calendar -User cl -AccessRights Editor

    Get-User -identity "user 1"
    Get-MailboxFolderPermission -identity "user 1"
    Add-MailboxPermission -identity "User 1" -User "user 2" -AccessRights ReadPermission
    Get-MailboxPermission -identity "User 1"
    Remove-MailboxPermission -identity "User 1" -AccessRights ReadPermission -user "user 2"

    Resource calendar:
    Add-MailboxPermission -Identity testresource -User all-usersgroup -AccessRights FullAccess -InheritanceType All

    Public folders:
    Get-PublicFolderClientPermission -Identity "\firm1\firm1 calender"

    Add-PublicFolderClientPermission -Identity "\firm1\firm1 calender" -AccessRights PublishingEditor -User testuser

    Public folders – and all subfolders:
    Get-PublicFolder -Identity "\folder\subfolder" -Recurse | Add-PublicFolderClientPermission -User user -AccessRights owner

    SMTP send connector SSL

    January 17th, 2012

    Get-SendConnector | fl fqdn
    Get-ExchangeCertificate | fl CertificateDomains
    Get-ExchangeCertificate | fl thumbprint, services
    Enable-ExchangeCertificate -Thumbprint A2AB2228777CE4539xxxxDF3F7D22A2E94326A99 -Services IMAP, POP, IIS, SMTP -DoNotRequireSSL

    Restricted Role Assignment Policy

    January 17th, 2012

    Rename the default policy:
    Set-RoleAssignmentPolicy "Default Role Assignment Policy" -Name "Unrestricted Role Assignment Policy"

    Create a new one:
    New-RoleAssignmentPolicy -Name "Restricted Role Assignment Policy" -Description "Only base options." -Roles MyBaseOptions -IsDefault:$True

    If you created it in the graphical interface, you need to set it as default this way:
    Set-RoleAssignmentPolicy -Identity "Restricted Role Assignment Policy" -IsDefault:$True

    All new users get the new policy, but you need to run this command on everyone else:
    Set-Mailbox usertest -RoleAssignmentPolicy "Restricted Role Assignment Policy"

    more info

    Add global address list

    January 17th, 2012

    Add global address list:
    New-GlobalAddressList -Name "Firm 4 – GAL" -IncludedRecipients MailboxUsers -ConditionalCompany Firm4
    Creates the global address list based on “company” in the user object.

    Remove global address list: Remove-GlobalAddressList -Identity "Firm 4 – GAL"

    Show global address list: get-globaladdresslist

    Enable certificate – Exchange 2010

    September 27th, 2011

    [PS] C:\Users\Administrator\Desktop>enable-exchangecertificate -thumbprint 2baade861687416c03a099430228b345679999d8 -services iis, imap, smtp, pop, um, none -DoNotRequireSSL

    Get-ExchangeCertificate |FL

    Autodiscover srv record test

    November 24th, 2010

    Standardserver:   domc.mydom.dk

    > set type=all
    > _autodiscover._tcp.internetdom.dk
    Server:   domc.mydom.dk

    Ikke-autoritativt svar:
    _autodiscover._tcp.internetdom.dk        SRV service location:
    priority       = 0
    weight         = 0
    port           = 443
    svr hostname   = server01.exchangeserver.dk

    Test here: www.testexchangeconnectivity.com

    Exchange 2010 – Quick setup tips

    November 9th, 2010

    Import-Module ServerManager
    Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

    Set-Service NetTcpPortSharing -StartupType Automatic


    Get-OabVirtualDirectory -server EXCH | Set-OabVirtualDirectory -InternalUrl https://exch.DOM.local/OAB -ExternalUrl https://webmail.Mydom.dk/OAB

    Get-WebServicesVirtualDirectory -server EXCH | Set-WebServicesVirtualDirectory -InternalUrl https://exch.DOM.local/EWS/Exchange.asmx -ExternalUrl https://webmail.Mydom.dk/EWS/Exchange.asmx

    Get-OwaVirtualDirectory -server EXCH | Set-OwaVirtualDirectory -InternalUrl https://exch.DOM.local/owa -ExternalUrl https://webmail.Mydom.dk/owa

    Get-EcpVirtualDirectory -server EXCH | Set-EcpVirtualDirectory -InternalUrl https://exch.DOM.local/ecp -ExternalUrl https://webmail.Mydom.dk/ecp

    Get-ActiveSyncVirtualDirectory -server EXCH | Set-ActiveSyncVirtualDirectory -InternalUrl https://exch.DOM.local/Microsoft-Server-ActiveSync -ExternalUrl https://webmail.Mydom.dk/Microsoft-Server-ActiveSync

    Get-ClientAccessServer EXCH | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://exch.DOM.local/Autodiscover/Autodiscover.xml

    Enable-OutlookAnywhere -Server 'EXCH' -ExternalHostname 'webmail.Mydom.dk' -DefaultAuthenticationMethod 'Basic' -SSLOffloading $false

    Remember to use an SSL SAN certificate (with alternative names).

    If you have a lot of domains you can set up an SRV record on every domain: _autodiscover._tcp.info-Mydom.dk exch01.hostingprovider.dk


    Set external EWS url:
    Set-WebServicesVirtualDirectory -identity "CAS1\EWS (Default Web Site)" -externalurl https://outlook.dom.com/EWS/Exchange.asmx
    Set-WebServicesVirtualDirectory -identity "CAS2\EWS (Default Web Site)" -externalurl https://outlook.dom.com/EWS/Exchange.asmx
    Get-WebServicesVirtualDirectory | select name, *url* |fl


    4.7.1 smtp Greylistet in 5 min please try again later – Exchange 2003 SP2

    August 6th, 2009

    Greylisting is an anti-spam measure.
    When a new server connects for the first time, the greylisting server sends an SMTP protocol message that says: “Graylistet in 5 min please try again later”.
    The wait time can be different, but is usually 5 min.

    The problem is that Exchange 2003 (with SP2) by default only waits for 1 min.
    That has to be changed.

    Create a new DWORD value GlitchRetrySeconds

    Change the Base to Decimal
    Set 360 for 6 min.

    Restart the SMTP service.

    Exchange 2003 – Catch-all Mailbox

    July 19th, 2008

    It is possible to have a catch-all mailbox in Exchange. It works like a *.domain.com that delivers into a specific mailbox. It does not have an impact on the normal users/emails on the system.

    It can be done with a script by Michael B. Smith.

    Get it here, instructions inside.