Tag Archives: exchange

Disable Outlook cached mode for shared mailboxes

This posting is ~2 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

When you use Microsoft Outlook in cached mode, what I always recommend, and you add additional mailboxes to your outlook profile, you will notice that the OST file will grow. Outlook will download the mailbox items (mails, calendar entries, contacts etc.), and store them in the OST file. This is the default behaviour since Microsoft Outlook 2010. If you want to disable this behaviour, you have two options:

  • Edit the registry
  • Use a group policy object (GPO)

Edit the Windows registry

The easiest way is to use a reg file. Copy this text into a file and save it as disablecachedmode.reg. Then double click the file and confirm, that you want to import the registry file.

Please note the version number after “Office”.

OutlookVersion
Outlook 201616.0
Outlook 201315.0
Outlook 201014.0

Make sure that you use the appropriate version number for your Outlook! Otherwise this setting is applied, but not working.

Group Policy

If you want to apply this setting on a bunch of clients, you should use a GPO. Before you can use a GPO, you have to install the necessary template files for Microsoft Office/ Outlook. These ADMX files are part of the “Office 2013 Administrative Template files (ADMX/ADML)” or “Office 2016 Administrative Template files (ADMX/ADML)” package.

Copy the Outlk16.admx or Outlk15.admx files to the PolicyDefinitions folder (either C:\Windows or Central Store), and the Outlk16.adml or Outlk15.adml to the corresponding language folder.

Then you can create a new GPO. The desired setting can be found under User Configuration >> Administrative Templates >> Microsoft Outlook 201x >> Outlook Options >> Delegates >> Disable shared mail folder caching. Set this to “enable” and apply the GPO.

Still using Microsoft Outlook 2010?

Please note, that the GPO template for Microsoft Outlook 2010 doesn’t contain the necessary setting that controls this functionality!

Changes to supported .NET Frameworks for Exchange 2013/2016

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.
EDIT: If you have already installed .NET 4.6.1, check this blog post on how to remove it (You Had Me At EHLO…)

Microsoft Exchange heavily relies on Microsoft .NET Framework. Because of this, Microsoft provides a matrix for the supported Microsoft .NET Frameworks. Mostly unknown is the fact, that Exchange doesn’t support the every Microsoft .NET Framework, and this is causing trouble sometimes. Some admins simply install the latest .NET releases because “it doesn’t hurt”. Well… it hurts!

Changes for .NET Framework 4.6.1

Microsoft has changed the support policy for .NET Framework 4.6.1 with the release of Exchange 2013 CU13 and Exchange 2016 CU2. Up to this versions, only .NET Framework 4.5.2 is supported. Starting with Exchange 2013 CU13 and Exchange 2016 CU2, Microsoft supports .NET Framework 4.6.1 together with a hotfix rollup (KB3146715 for Server 2012 R2, KB3146714 for Server 2012 and KB3146716 for Server 2008 R2). If you wish to install .NET Framework 4.6.1, make sure to install Exchange 2013 CU13 or 2016 CU2 first.

.NET Framework/ Microsoft ExchangeExchange 2007 SP3Exchange 2010 SP3Exchange 2013 CU13 and laterExchange 2016 CU2 and later
.NET Framework 3.5.1XX
.NET Framework 4.0
.NET Framework 4.5X
.NET Framework 4.5.1X
.NET Framework 4.5.2XX
.NET Framework 4.6.1
.NET Framework 4.6.2

¹ .NET 3.5 or 3.5.1 must be installed

² Supported with hotfix rollup (KB3146715 for Server 2012 R2, KB3146714 for Server 2012 and KB3146716 for Server 2008 R2)

Other .NET Framework versions

Microsoft .NET Framework 4.6.2 isn’t supported for any version of Microsoft Exchange. Other example: If you’re running Exchange 2010 SP3, don’t install anything above .NET Framework 4.5, not even 4.5.1. Check the Exchange Server Supportability Matrix for the supported .NET Framework for the Exchange version you’re running.

Side notes

Microsoft PowerShell is part of the Windows Management Framework (WMF). Microsoft Exchange only supports the WMF built into the underlying Windows Server version.

This also applies to Microsoft Outlook. I wonder how many Exchange projects fail because the Microsoft Outlook version, that is used by the customer, isn’t supported.

Receive Connector role not selectable in Exchange 2016 CU2

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Another bug in Exchange 2016 CU2. The Role of a new receive connector is greyed out. You can select “Front-End-Transport”. This is a screenshot from a german Exchange 2016 CU2.

receive_connect_role_not_selectable

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Solution

Use the Exchange Management Shell to create a new receive connector. Afterwards, you can modify it with the Exchange Control Panel (ECP).

Microsoft has confirmed, that this is a bug in Exchange 2016 CU2.

Exchange 2013 Offline Address Book visible after Exchange 2016 deployment?!

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

After deploying a new Microsoft Exchange organization with Exchange 2016, or after deploying a Microsoft Exchange 2016 into an existing organization, you might notice a strange behaviour regarding the Offline Address Books (OAB).

Huh?! Where does this Exchange 2013 OAB come from? As you can see in the cmdlet output, there’s no Exchange 2013 in this organization.

There is no Exchange 2013 server in this organization. Only Exchange 2010 (Build 14.3) and 2016 (Build 15.1).

This is nothing to worry about. Microsoft has confirmed that this is a bug. The OAB simply has the wrong name and Microsoft will fix it in an upcoming cumulative update. It’s not fixed in the latest CU2 for Exchange 2016! There’s also no need to change the name of the OAB.

So don’t panic, if you deploy a Microsoft Exchange 2016 CU2 and you see “Ex2013” in the OAB name. Ignore it.

Setting up split DNS using Windows DNS server

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Sometimes it’s necessary to have two DNS servers that are authoritative for the same DNS namespace. This is the case if you use the same namespace for your web site and your internal Active Directory domain, e.g. terlisten-consulting.de. Or that you have created the zone terlisten-consulting.de in your Windows DNS to point specific hosts to internal IP addresses. The DNS servers at your ISP would be authoritative, and the domain controllers of your Active Directory would also be authoritative for the same domain. The response to a query depends on which DNS server you ask. So what would happen if you try to resolve www.terlisten-consulting.de, and the internal DNS has no record for it?

In this case, the domain controller in my lab is authoritative for terlisten-consulting.de. But he doesn’t has a A record for www.terlisten-consulting.de. If I remove the zone from my domain controller, or if I use an external DNS server, I get a non-authoritative answer.

This, the same DNS namespace on different DNS server, is called “split DNS” (sometimes also called split-horizon DNS, split-view DNS or split-brain DNS).

Do it right

Split DNS is pretty handy, and sometimes it’s necessary. When it comes to Microsoft Exchange, it a common practice to use the same external DNS namespace for the internal and external URLs. This requires, that I create a zone for the externally used DNS namespace on my internal DNS (in most cases: Microsoft Windows Activice Directory domain controllers). The downside: I must create all DNS entries on my internal DNS, and I must point them to their external IP addresses, except the ones that should point to an internal IP.

FQDNInternal/ External IP address
www.terlisten-consulting.deexternal IP address
exchange.terlisten-consulting.deinternal IP address
shop.terlisten-consulting.deexternal IP address

Otherwise, users that use the domain controllers as DNS server, wouldn’t be able to resolve www or shop. This is challenging. But there’s a solution.

Create split DNS for single hosts

The Domain Name System is hierarchy organized. Because of this, I can tell my DNS server to be authoritative only for a sub-tree of a domain, e.g. exchange.terlisten-consulting.de. If I try to resolve www.terlisten-consulting.de, the DNS server would go down the hierarchy starting at the DNS root servers (or it would ask a forwarder). Instead of creating a zone for the whole namespace, create a zone for the host. Simply add

  • a new primary zone
  • don’t allow dynamic updates to the zone, and
  • create a new A or AAAA record for the host

Make sure

  • to leave the name field empty
  • don’t create a PTR record
  • point it to the internal IP of the host
single_host_zone

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

A simple nslookup will show if split DNS works as expected.

Works as expected. Make sure to clear the DNS server cache after you have added the zones.

Windows DNS Server Policies

Windows Server 2016 will introduce Windows DNS Server Policies. DNS Policies will allow you to control how a DNS Server handles answers to queries based on parameters like source IP address, IP address of the network interface that has received the query etc. In future, DNS Server Policies can be used to configure split DNS.

Data Protector: Exchange backup failes because of database lock

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Today I had a customer call, where a Exchange 2010 backup repeatedly failed. HPE Data Protector was unable to create a differential or incremental backup. For each database, the following error was logged:

Interestingly, there was no other backup session running. But the night before, the backup jobs failed because of a network failure.

The solution is easy. This error is caused by a wrong information in the Data Protector database. To remove this, open an administrative CMD on the Data Protector Cell Manager and run this omnidbutil command:

This command  will free up the locked resources in the Data Protector database.Then, run the job again.

Exchange Management Shell (EMS) and new PowerShell releases

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Some day ago, I installed a new Exchange 2013 CU11 for some test ins my lab. Nothing fancy, just a single server deployment on a Windows Server 2012 R2 VM. I deployed this Windows Server from a template, which was updated with the latest Windows Patches and WMF some days ago. The Exchange setup went smooth. I updated the SSL certificates and the internal and external URLs for the virtual directories. Then I started the Exchange Management Shell (EMS), to update the Autodiscover URL in the service connection point (SCP) of the Active Directory.

Well… that doesn’t look successful. I quickly switched to a PowerShell windows and imported the Exchange snap-in manually.

Looks better, isn’t it?

I compared my lab setup to a running Exchange 2013 single server deployment and I stumbled over the PowerShell version. In addition, I found the Windows Management Framework 5 Production Preview (KB3066437) on my freshly deployed Windows Server 2012 R2 VM.

After checking the Exchange Server Supportability Matrix, it was clear what had happened: WMF 5 is not supported (Source). Not supported with Exchange 2013, and also not supported with Exchange 2016.

exchange_supported_wmf

After I had removed KB3066437 from my Exchange server, the EMS loaded successfully.

You should ALWAYS check if installed applications are supported with newer version of PowerShell/ WMF! Currentyl, no Exchange version is supported with PowerShell 5/ WMF 5.

Outlook license requirements for Exchange features

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Microsoft Exchange Server licensing is rather simple. You can choose between two Exchange licenses:

  • Standard (up to 5 mailbox databases)
  • Enterprise (up to 100 mailbox databases)

Standard and Enterprise only differ in the number of supported databases! Feedl free to use Exchange DAG with Exchange Standard and Windows Server Standard! To license your clients, you have to purchase a Client Access License (CAL) for each user or device that accesses your Exchange server environment. There are two types of CALs:

  • Standard
  • Enterprise (add-on for Standard CAL)

The Standard CAL is always necessary and enables most features of Exchange. The Enterprise CAL is an add-on license. If a user needs one of the Enterprise CAL features, you have to purchase a Standard AND an Enterprise CAL. The Enterprise CAL enables the following features:

  • In-Place Archive
  • Retention policies
  • Apply Information Rights Management (IRM)
  • Site mailboxes
  • DLP Policy Tips

Pretty simple, isn’t it? But have you thought about your Microsoft Outlook license? To use the Exchange Enterprise CAL features, you have to consider your Microsoft Outlook licensing! You have to use a Outlook version that is supported with your specific Exchange Server version, and you also have to consider if you have retail or volume license licenses. Microsoft Exchange Enterprise CAL features can be used with the following Microsoft Outlook licenses:

Outlook 2016

  • Outlook 2016 stand-alone (Retail or Volume License)
  • Outlook 2016 included with Microsoft Office Professional Plus 2016 (Volume License)

Outlook 2013

  • Outlook 2013 stand-alone (Retail or Volume License)
  • Outlook 2013 included with Microsoft Office Professional Plus 2013 (Volume License)

Outlook 2010

  • Outlook 2010 stand-alone (Retail or Volume License)
  • Outlook 2010 included with Microsoft Office Professional Plus Subscription (Retail)
  • Outlook 2010 included with Microsoft Office Professional Plus (Volume License)

Outlook 2007

  • Outlook 2007 stand-alone (Retail or Volume License)
  • Outlook 2007 included with Microsoft Office Ultimate 2007 (Retail)
  • Outlook 2007 included with Microsoft Office Professional Plus 2007 (Volume License)
  • Outlook 2007 included with Microsoft Office Enterprise 2007 (Volume License)

The correct Outlook client license is important! If you try to use Outlook 2013 included with Microsoft Office Professional (Retail) with In-Place Archive for example, the archive will not show up in Outlook. If everything is licensed correctly, your Outlook with enabled archiving should look like this:

in-place_archive_outlook2016

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Please note, that Outlook 2007 is not supported with Exchange 2016. Please also note, that the Enterprise CAL features “Site mailboxes” and “DLP Policy Tips” can only be used with Outlook 2013 and later.

Microsoft Exchange 2013 shows blank ECP & OWA after changes to SSL certificates

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.
EDIT
This issue is described in KB2971270 and is fixed in CU6.

I ran a couple of times in this error. After applying changes to SSL certificates (add, replace or delete a SSL certificate) and rebooting the server, the event log is flooded with events from source “HttpEvent” and event id 15021. The message says:

If you try to access the Exchange Control Panel (ECP) or Outlook Web Access (OWA), you will get a blank website. To solve this issue, open up an elevated command prompt on your Exchange 2013 server.

Check the certificate hash and appliaction ID for 0.0.0.0:443, 0.0.0.0:444 and 127.0.0.1:443. You will notice, that the application ID for this three entries is the same, but the certificate hash for 0.0.0.0:444 differs from the other two entries. And that’s the point. Remove the certificate for 0.0.0.0:444.

Now add it again with the correct certificate hash and application ID.

That’s it. Reboot the Exchange 2013 server and everything should be up and running again.

Publishing Outlook Web Access with Microsoft Web Application Proxy (WAP)

This posting is ~4 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Microsoft has introduced the Web Application Proxy (WAP) with Windows Server 2012 R2 and has it positioned as a replacement for Microsoft User Access Gateway (UAG), Thread Management Gateway (TMG) and IIS Application Request Routung (ARR). WAP ist tightly bound to the Active Directory Federation Services (AD FS) role. WAP can be used

  • pre-authenticate access to published web applications, and
  • it can function as an AD FS proxy

The AD FS proxy role was removed in Windows Server 2012 R2 and it’s replaced by the WAP role. Because WAP stores its configuration in the AD FS, you must deploy AD FS in your organization. The server, that hosts the WAP, has no local configuration. This allows you to deploy additional WAP servers to create a cluster deployment. The additional servers get their configuration from the AD FS.

The deployment of WAP can be split into two parts:

  • deployment of the AD FS role
  • deployment of the WAP role

The AD FS deployment

You can deploy the AD FS role on a domain controller or on a separate server. AD FS  acts as an identity provider. This means, that it authenticates users and provides security tokens to applications, that trust the AD FS instance. On the other hand it can act as a federation provider. This means, that it can use tokens from other identity providers and can provide security tokens to applications that trust AD FS. The AD FS role can be deployed onto a domain controller or a AD member server.

The first step is to install the AD FS role onto a AD member server or domain controller. I used the DC in my lab. Depending on your needs, this can be different. I used the PowerShell to install the AD FS role.

A reboot is not necessary. The next step is to configure the AD FS role. This process is supported by configuration wizard. Before you can start, it’s necessary to deploy the group Managed Service Account (GMSA). Open a PowerShell console and execute the following commands:

Then you can start the configuration wizard. If this is the first first AD FS server, select the first option “Create the first federation server in a federation server farm”.

adfs_setup_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

To perform the configuration, you need an account with domain administrator permissions. In my case, I simply used the Administrator account.

adfs_setup_02

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

You need to enroll an SSL certificate that is used for AD FS. This SSL certificate must include the DNS name for the AD FS server and also the Subject Alternative Names enterpriseregistration and enterpriseregistration.yourdomainname.tld. This screenshot includes the values that I used in my lab deployment. I entered this values into the “Attributes” box:

adfs_setup_03

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Create the certificate and export it with the private key as pfx file. You must import the certificate into the “Personal” store of the local computer, that acts as AD FS server. You also need two DNS entries for the names, that are included in the certificate.

adfs_setup_04

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

If the certificate import was successful, you can select the certificate in the wizard. Add the Federation Service Name and the Display Name.

adfs_setup_05

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

The Service Account can be a existing domain user account or a Managed Service Account. I used my Administrator account for simplicity.

adfs_setup_06

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

If you deploy a single server, you can use the Windows Internal Database. If you plan to depliy multiple AD FS servers, you have ot use a SQL server database.

adfs_setup_07

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Review the options and continue with the pre-requisite checks. If everything went well, you can proceed with the installation. Finish the setup and close the wizard.

adfs_setup_08

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Open a browser and enter the AD FS URL into the address bar. In my case this URL looks like this:

https://adfs.terlisten-consulting.de/adfs/ls/idpinitiatedsignon.htm

adfs_setup_09

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

If you get a screen like this, everything’s fine and AD FS works as expected. Check the Windows Server 2012 R2 AD FS Deployment Guide for more information. Now it’s time to deploy the Web Application Proxy.

The WAP deployment

To install the WAP role, simply open a PowerShell and run the Install-WindowsFeature cmdlet.

Then you can run the WAP configuration wizard. This wizard guides you through the configuration of the WAP role.

wap_setup_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

First you have to connect to the AD FS server. Enter the Federation service name you used to deploy the AD FS instance, and provide the necessary user credentials.

wap_setup_02

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

At this point you have to select the certificate, that is used by the AD FS proxy. You can use the same certificate you used for the AD FS server. But you can also create a new certificate. The certificate must be imported into the “Personal” store of the WAP server.

wap_setup_03

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Confirm the settings and click “Configure”. At this point, the wizard executes the shown PowerShell command.

wap_setup_04

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Close the wizard and open the management console of the Web Application Proxy to check the operational status. At this point, the WAP only acts as a AD FS proxy.

wap_setup_06

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

To test the functionality, I decided to publish Outlook Web Access (OWA). Use the “Publish New Application Wizard” to publish a new application.

wap_setup_07

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

To publish OWA, select “Pass-through” as pre-authentication method.

wap_setup_08

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Now it’s getting interesting. When you enter the external URL, the backend server URL is automatically filled. External and Backend URL have to be the same URL. Because of this, you need split DNS (see “Configure the Web Application Proxy Infrastructure” and “AD FS Requirements” at the Microsoft TechNet Library). You also need a valid external certificate, that matches the FQDN used in the external URL.

wap_setup_09

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Check the settings and click “Publish”. The wizard executes the shown PowerShell command.

wap_setup_10

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Close the wizard and check the functionality of the published application. This screenshot shows the access to OWA from one of my management VMs (MGMTWKS1):

wap_test_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

This drawing shows my lab setup. I’ve used two subnets (192.168.200.64/27 and 192.168.200.96/27) to simulate internal and external access, as well as split DNS.

wap-adfs

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

The host dc.vcloudlab.local (192.168.200.97) has the AD FS role installed and resolves cas.terlisten-consulting.de to 192.168.200.103 (HAProxy). MGMTWKS1 resolves the same FQDN to 192.168.200.109 (WAP1 – my WAP server).

Final words

This is only a very, very basic setup and I deployed it in my lab. The installation was not very difficult and I was quickly able to set up a working environment. Before you start to deploy AD FS/ WAP, I recommend to take a look into the TechNet Library: