Remove aliases for non-accepted domains

This describes how to fix the problem when a migration batch contains a mailbox that has an alias that isn’t in the Office 365 tenant and needs to be removed from the mailbox on-prem. If you only have a small number of mailboxes with errors then you can easily do this manually be removing the alias. If you have a large number of mailboxes simply removing the domains from the email address policy doesn’t remove the alias address from the mailboxes. You still need to run the command from the Exchange Management Shell:

Mailbox -EmailAddresses @{remove=''}

In order to script this out from Exchange On-Prem I first run an export of all mailboxes capturing all the email addresses of the mailboxes:

Login to the On-Prem Exchange server and run the Exchange Management Shell

Create a new folder called “Export” on the C:\ drive.

Run the following commands:

$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Select-Object RecipientTypeDetails,PrimarySmtpAddress -ExpandProperty emailaddresses | select RecipientTypeDetails,PrimarySmtpAddress, @{name="Type";expression={$_}} | Export-Csv C:\Export\Mailboxes-Emailaddresses.csv -NoTypeInformation

Now we need to open the Excel file and make some modifications:

Firstly we need to copy the Column C and paste it into Column E, then rename the header AliasAddress

Next we need to perform a split on Column C, select the entire column, click the Data ribbon of Excel and Text to Columns button. Choose the file type Delimited and click Next. Deselect all options except Other and enter the symbol for colon “:” and click Finish. Label the Column D “Alias”.

Add one more Column after the C column and label it Primary. Enter the following formula in the cell for D2 “=IF(ISNUMBER(FIND(“SMTP”,C2)),”Primary”, “Alternate”)” and copy the formula down through all the Rows.

Now highlight Row 1, click the Home ribbon, click Sort & Filter and select Filter.

We should now have something that looks like this:

Each Row represents an address for the mailbox and we can now remove any addresses that will remain on the mailbox. The idea is to have a file with only addresses that should be removed from mailboxes.

Filter on Column D and only show those with a value of Primary, select all rows and delete the rows, clear the filter on Column D.

Filter on Column C and select X500 and X400 and delete all rows with those values, clear the filter on Column C. We should be left with only values that have lowercase smtp.

Now we are doing to  create a Column to that will allow us to filter by domain name. Highlight Column F “AliasAddress” and click the Data ribbon and select Text to Columns. Select Delimited, click Next and this time select Other with the symbol “@” and click Finish. We now have a Column G that can be labeled “Domain” and it will have values for the domain name. Filter the Column G “Domain” to only show domains that are verified in the Office 365 tenant. You want to delete these rows from the spreadsheet.

The result is now an Excel spreadsheet that contains only smtp alias addresses for mailboxes that will be removed from Exchange On-Prem. Save the Mailboxes-Emailaddresses.csv file.

Run the following script on the On-Prem Exchange Server to remove the smtp aliases on the mailboxes:

$mailboxes = Import-Csv "c:\Export\Mailboxes-Emailaddresses.csv"
ForEach ($Mailbox in $Mailboxes){
		$User = $Mailbox.PrimarySMTPAddress
		$Alias = $Mailbox.Alias
		write-host "Removing $Alias from $User"
		Set-Mailbox "$User" -EmailAddresses @{remove="$alias"}

Remote mailbox moves without Hybrid

I have been working with a customer who recently acquired a new company that has 400+ mailboxes running on two Exchange 2010 servers. They need all mailboxes moved to Office 365 where the tenant is already setup has an existing Hybrid configuration to an on-prem Exchange 2016 environment. They don’t want the new users setup with Azure ADConnect and will be created In Cloud. If possible they want to perform MRS mailbox moves instead of paying for licenses for Migration Wiz. Besides you can’t have two Hybrid configurations connecting to one tenant.

I did some testing in a lab environment and have have been successful in setting up MRS mailbox moves without having ADConnect or running the Hybrid Configuration Wizard. I decided to share the steps involved if anyone is in a similar position and needs some help.

  1. Installed Exchange 2010 SP3 as the customer on-prem server was SP1
  2. Enabled MRSProxy on the Web Services Virtual Directory
    • Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $True
  3. Created new Receive Connector on the 2010 server scoped for the O365 IP addresses and configured with for Fqdn with a valid SSL certificate
  4. Add the new domain to the Office 365 portal and verify
  5. Changed the accepted domain in Exchange Online from Authoritative to Internal Relay
  6. Add outbound connector for the domain in Exchange Online
  7. Add inbound connector for the domain in Exchange Online
  8. Create a migration endpoint pointing to the on-prem Exchange server
  9. Setup federation from On-Prem Exchange to Exchange Online (this was easier to do the the EMC)
  10. Setup Organization Relationship from On-Prem to Exchange Online
  11. Setup Organization sharing from Exchange Online to On-Prem (Exchange Admin Center)
  12. Now you need to create new Mail Users in the Office 365 tenant and these can be scripted out and run from a PowerShell session
    • New-MailUser -Name “Alan Border” -Alias “alan.border” -DisplayName “Alan Border” -FirstName “Alan” -LastName “Border” -ExternalEmailAddress “alan.border@<> -MicrosoftOnlineServicesID “alan.border@<>” -Password (ConvertTo-SecureString -String ‘P@ssw0rd’ -AsPlainText -Force)

  13. Add the LegacyExchangeDN from the On-Prem 2010 to the Mail User ExchangeGUID in Exchange Online
    • Set-MailUser -Identity “alan.border@<>” -ExchangeGUID <05c362f2-120d-472f-9cf0-f846e2f52e0f>

  14. On-Prem Exchange will need to add the accepted domain for <tenant> as authoritative
  15. On-Prem mailboxes need the alias address for <>. This can be done using an Email Address Policy 
  16. Mail User recipients in Exchange Online need to have both the following addresses added <tenant>> and <tenant>
    • Set-MailUser -Identity “alan.border@<>” -EmailAddresses @{add=”smtp:alan.border@<tenant>”,”smtp:alan.border@<tenant>”}
  17. Assign the MsolUser with a valid license for Exchange Online


Note that because the MailUser has a value for ExchangeGUID the provisioning service within Exchange Online doesn’t convert this into an empty mailbox when you assign a license. Now you can perform a remote mailbox move and when the move completes the objects will convert from a MailUser to a UserMailbox in Exchange Online and from a UserMailbox to a MailUser in Exchange On-Prem.

I recommend testing this out before doing any live production mailboxes and ensure mail flow is working. You will also want to validate free/busy and ensure all mailboxes including resource and shared get provisioned as MailUser in Exchange Online before moving any mailboxes. You will also need to create Distribution Groups in Exchange Online and add the LegacyExchangeDN to prevent users getting bounce back messages when sending to them.


Update 365 License from F1 to E3

Here is a script that can be used if you need to bulk change a license subscription from an F1 to E3 for a list of 365 user. In this script the requirement is to remove the license for Office 365 F1 and also Exchange Online (Plan 2) and adds a license for Office 365 Enterprise E3. The second requirement was to turn on E3 but only enable it for some of the services. 

To review which services are included with the E3 license subscription I ran the following:

In the script below I only enable the services for To-Do (Plan 2), Azure Rights Management, Office 365 ProPlus, Skype for Business Online (Plan 2), Office Online, SharePoint Online (Plan 2) and Exchange Online (Plan 2). As you can see the remaining services were all added to the $DisabledPlans variable. You should be able to change this as necessary to meet your needs.

This script is my version of the TechNet one that changes E1 to E3 licenses. 

Let me know if you find this helpful or have any issues with running the script.


OAB Download Error

I recently completed a migration from Exchange 2013 to Exchange 2016 and after the Exchange 2013 server was uninstalled that’s when the issues with OAB started. I confirmed that all the mailbox databases were set with the Offline Address Book.

I confirmed that the OAB Virtual Directory was set with the correct URL.

I ran the Outlook Test Email AutoConfiguration and noticed that in the output it didn’t have a line for OAB.

It turns out that the Offline Address Book needed to be set for Global Web Distribution.

Now when I check the OAB both the Web Distribution settings have been enabled.

You will need to perform an IISreset for the settings to be applied.

ADFS Expired Certificate

The following event log on the ADFS server indicates the SSL certificate has expired:

ADFS Management Console shows the certificates:

Running the following command we can see the certificate settings for ADFS:

I changed the settings to Auto Rollover and have a certificate duration for 3 years.

Looking at the ADFS certificates now shows the decrypting certificate has been updated.

Without restarting any services the issue has been resolved.



Completing Individual Moves in a Migration Batch

In order to complete an individual mailbox move within a migration batch was previously done by running the commands:

Recent updates to both Exchange Online and Exchange On-Prem have changed the way move requests are created within a migration batch. Exchange Online can now set an option for when the move requests should be started and/or completed.

Now if you want to complete a move request for an individual mailbox you will need to run the following:



ADFS Logon Error

Working with an Office 365 tenant where the authentication was configured with on-prem ADFS servers and all users were getting the following error:

The event logs showed the following two errors:


To correct the certificate issue I ran the following:


The event logs now showed:


The WAP server is now showing healthy:





Exchange Database Content Index Corrupt

Fixing a corrupt content index on an Exchange database with only one copy can be done in the following method:

If you run the following command you can see the content index state and error message.

Next you will need to stop the following services:

Now you will need to delete the content index folder which is a GUID in the same location as the database edb file. It has three sub folders that all need to be deleted.


NOTE: If you try and delete the files without stopping the search services you will get an error that the file is in use.


With the files successfully deleted you can start the services:

Now wait a few minutes for the content index folder to be re-created.


To verify this worked you can run the same command from before:

SCOM alert proxying to Unknown

SCOM Alerts can be related to SSL certificates and it is worth checking the IIS BackEnd Site Binding to see if the certificate is valid. One example of this is the alert for OutlookRpcDeepTestMonitor. Also note that if the server alerting is getting a “proxying to unknown” error that the Certificate issue is likely on a different Exchange Server.

Open IIS, browse down to Site and Exchange Back End. Click bindings and edit the site bindings on port 444. The site should be bound with the certificate called “Microsoft Exchange”. When you view the certificate I found the certificate being used had an error “The CA Root certificate is not trusted”.

To fix this issue the self signed certificate needs to be exported from the Personal Store and imported into the Trusted Root CA.

Run mmc

Add the Snap-in for Certificates

Browse down to Personal and Certificates and Export the self-signed certificate where the friendly name is “Microsoft Exchange”.

Export it using the format P7B and select the option to “Include all certificates in the certification path if possible”

Name the file and Save it anywhere you like.

Browse down to Trusted Root Certification Authorities and right click Certificates -> All Tasks and Import

Select the certificate you exported, click next and ensure the certificate is placed in the Trusted Root CA.

Now back to IIS when you view the certificate that is bound to the Exchange Back End Site it should look like this:


Now you need to restart the Exchange Health Manager service MSExchangeHM on the server that reported the issue or restart it across all the Exchange Servers:


MSExchangeDelivery service is failing

The SCOM alert for MSExchangeDelivery service is failing due to this exception:

Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe+MailDeliveryAvailabilityProbeException: Multiple different exceptions

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.CheckAllInstancesForDifferentFailures()

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.DoWork(CancellationToken cancellationToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.Execute(CancellationToken joinedToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.<>c__DisplayClass2.<StartExecuting>b__0()

at System.Threading.Tasks.Task.Execute()

Turns out the health mailbox was full and unable to accept new messages.

To resolve this issue I stopped the MSExchange Health Manager service and deleted all the AD accounts for Health Mailboxes. Health Mailboxes can be found in the Monitoring Mailboxes OU which is inside the Microsoft Exchange System Objects OU by default. After removing the AD objects I restarted the health manager service and new health mailboxes are created automatically.