Test Layout

There is a bug in Exchange Server 2016 CU6, CU7, and CU8 that prevents clients from using offline access for Outlook on the web. It was working properly in CU5. In CU5, in Options, you select Turn on offline access and then another window pane is shown that asks whether you have exclusive use of the computer or not. In CU8 (also CU6 and CU7), that pane appears very quickly and then goes away. Basically the text flickers but it is removed right away. You can see a video of this behavior below. I tested this with Internet Explorer, Edge, Firefox, and Chrome with consistent results. I also tested this using both Windows 10 and Windows Server 2016 as the client operating systems. After trying everything I could think of for testing, I posted this issue to the Microsoft support forums and they confirmed that this is a bug and will be fixed in a future update. https://social.technet.microsoft.com/Forums/office/en-US/3fbc0750-4a4c-4860-a3cc-f8112e3eec8a/outlook-on-the-web-owa-offline-mode-fa...

Not many organizations enable the antispam agents on their Exchange servers since they're probably paying for an additional service to do spam filtering. However, if you attempt to enable it on Exchange Server 2016 CU7 or CU8, there is an error in the script that you need to run. As of right now, CU8 is the latest update available so, this may continue in later updates. To enable the antispam agents in Exchange Server 2016, you run the Install-AntispamAgents.ps1 script located in C:\Program Files\Microsoft\Exchange Server\V15\Scripts. However in CU7 and CU8, you get an error like this: There are several screens of error information, but the key part is: A parameter cannot be found that matches parameter name 'EscalationTeam'. If you open the script and go to line 50, you'll see the following at the end of the line: If you delete the following text from that line, the script works properly: -EscalationTeam "AntiSpam"; Please note that this script does have a di...

The script that I reference in this post can be downloaded here: GoDaddyDNSUpdatePublic.ps1.txt I love the concept of using Let's Encrypt for free SSL/TLS certificates. However, the short 90-day lifetime of the certificates is designed for automated renewal. In this blog post I'm going to show the steps required to script the use of GoDaddy for DNS verification. For the basic steps on how to get a SAN certificate by using Let's Encrypt and DNS verification by using Windows PowerShell, please see my previous blog post: Using Let's Encrypt Certificates for Exchange Server Let's Encrypt requires you to create an identifier for each DNS name that you want to include on a certificate. You need to validate each identifier to prove ownership of the domain. When you are using DNS validation, you need to create a TXT record in DNS for each identifier. Unfortunately (from an ease of user perspective), the validation for an identifier is only valid for 30 days. This means, wh...

In Office 365 or Exchange Server 2013/2016, you can use the administration console to view information about migration batches. To find out information about failing moves, you can view the details of the migration batch and then view the report for individual mailboxes. When you view the report for a mailbox a text file is downloaded for viewing. The report provides detailed information about how much data has been downloaded. Also, if there are errors, they are contained in the report. Unfortunately sometimes the errors are pretty generic. For example, one error I got recently was: Transient error TimeoutErrorTransientException has occurred. The system will retry (200/1300). Instructions on how to review the report: https://technet.microsoft.com/en-us/library/jj898491(v=exchg.150).aspx Since the error was happening often, we needed to get more information. Fortunately that detail is available, but not in that report. Instead, you need to use Windows PowerShell to view the move reques...

Have you ever fantasized about using free SSL/TLS certificates for Exchange Server? If so, then this blog post is for you. I’ve always hated the cost associated with SSL/TLS certificates. For what seemed like a pretty basic service some of the certificate authorities (CAs) were charging hundreds or thousands of dollars. You could always set up your own CA, but that didn’t work well with random clients on the Internet because they won’t trust certificates generated by your CA. At the end of 2015, there was a game changing development. Let’s Encrypt started giving away SSL/TLS certificates for free. At the time, the certificates were only for a single name. So, without SAN support, not good for Exchange Server. However, now there is support for SAN/UCC certificates. And, in 2018 they are planning to support wildcard certificates. What’s the Catch? The certificates are free. There is no catch there. But, they do have a short lifetime of 90 days. The short lifetime is to ensure that compro...

As I was doing a public folder migration today, I got a couple of errors that took me some time to resolve. These are caused by mail enabled public folders migrated from Exchange 2003. You will see these errors when you run Get-MailPublicFolder on Exchange 2010. Some of these errors will show up in the public folder migration logs when migrating to Exchange 2016. So, I prefer to clean these up first to ensure migration is successful. Error #1 WARNING: The object domain.com/Microsoft Exchange System Objects/PF Name has been corrupted, and it's in an inconsistent state. The following validation errors happened: WARNING: Could not convert property OnPremisesObjectGuid to type Guid. Byte array for GUID must be exactly 16 bytes long. My best guess is that this property is left over from Exchange 2003 (or maybe earlier). The quick fix is to disable mail for the public folder and then mail-enable it again. However, when you do so, verify the email addresses before and after. Error #2 WARN...

I recently did a migration from Exchange 2010 to Exchange 2016 where the client uses a high volume of moderated messaging. There were over 100 transport rules that did message moderation of some sort. The initial deployment consisted of Exchange 2010 SP3 RU17 and Exchange 2016 CU4. Deployment of Exchange 2016 into the Exchange 2010 environment didn't seem to have any effect. However, after we directed the internal namespace to Exchange 2016 for proxying, the approvals generated by the transport rules when whacky (yep that's the technical term). Here is the process we saw: Message requiring moderation sent. Approval request sent to moderator. Moderator approves request Approval request sent to moderator Moderator approves request Repeat request and approval process a few more or a lot more times. This process was happening even though we had not moved any mailboxes to Exchange 2016 yet.  When searching, there were very few references to this issue on the Internet or support foru...

I'm working on an Exchange 2016 migration project and it was all looking good. We setup the load balancer and verified it worked for OWA and Outlook. Things were good. Today we did the switch over and updated the DNS records to route all of the client traffic through Exchange 2016. IE and Edge were fine, but Firefox gave an error: NS_ERROR_NET_INADEQUATE_SECURITY Protocol issues for web browsers, certificates, and web servers can be tricky. It's hard to track it down with generic error messages like this. So, as an alternative to figuring out the details, I used IIS Crypto from Nartac with the best practices settings on the Exchange 2016 servers. After those were applied all was good. Just apply the settings and reboot. For more about using the free IIS Crypto to see: https://www.nartac.com/Products/IISCrypto UPDATE: Here is an ongoing thread from the Exchange Technet forums. Seems to be known issue for Exchange 2016 at this point. https://social.technet.microsoft.com/Forums/en...

Today while moving a mailbox from on-premises to Office 365 in a hybrid environment, I got the following error: Transient error SourceMailboxAlreadyBeingMovedTransientException has occurred. The system will retry (5/620). This error occurs when a previous move attempt did not get cleaned up properly. From a bit of reading, this should timeout and fix itself after about 2 hours. However, since I didn't want to wait that long, I did the following that got it going again. IISReset.exe to restart the web services Restart the Microsoft Exchange Mailbox Replication service It is possible that only one of those two items was required, but I was more concerned about getting the move going than recording exact details.

A large client is currently running Exchange 2010 and is evaluating moving to Office 365 vs upgrading to Exchange Server 2016. I talked with them about it and thought it would be useful to document it for future reference. If you are a very small organization, then Office 365 is a slam dunk. It's going to perform better and be more cost effective than your could ever implement on your own. This is even before we consider the cost of the the consultants to get your on-premises Exchange up and running. For mid-sized and large businesses there are more things to think about.... Cost Direct cost is the first thing everyone wants to evaluate when considering Office 365. Your exact costs are going to vary depending on how you want to implement Exchange and which Office 365 plans you think are appropriate. So, I'm going to let you figure out the exact costs, but here are the things you need to consider: On premises: Exchange Server licenses Exchange Server CALs (basic and enterprise i...