Remove aliases for non-accepted domains

June 10, 2019 Angus Exchange

This describes how to fix the problem when a migration batch contains a mailbox that has an alias that isn’t in the Office 365 tenant and needs to be removed from the mailbox on-prem. If you only have a small number of mailboxes with errors then you can easily do this manually be removing the alias. If you have a large number of mailboxes simply removing the domains from the email address policy doesn’t remove the alias address from the mailboxes. You still need to run the command from the Exchange Management Shell:

Mailbox user@primarydomain.com -EmailAddresses @{remove='alias@unwanteddomain.com'}

In order to script this out from Exchange On-Prem I first run an export of all mailboxes capturing all the email addresses of the mailboxes:

Create a new folder called “Export” on the C:\ drive.

Run the following commands:

$mailboxes = Get-Mailbox -ResultSize Unlimited

$mailboxes | Select-Object RecipientTypeDetails,PrimarySmtpAddress -ExpandProperty emailaddresses | select RecipientTypeDetails,PrimarySmtpAddress, @{name="Type";expression={$_}} | Export-Csv C:\Export\Mailboxes-Emailaddresses.csv -NoTypeInformation

Now we need to open the Excel file and make some modifications:

Firstly we need to copy the Column C and paste it into Column E, then rename the header AliasAddress

Next we need to perform a split on Column C, select the entire column, click the Data ribbon of Excel and Text to Columns button. Choose the file type Delimited and click Next. Deselect all options except Other and enter the symbol for colon “:” and click Finish. Label the Column D “Alias”.

Add one more Column after the C column and label it Primary. Enter the following formula in the cell for D2 “=IF(ISNUMBER(FIND(“SMTP”,C2)),”Primary”, “Alternate”)” and copy the formula down through all the Rows.

Now highlight Row 1, click the Home ribbon, click Sort & Filter and select Filter.

We should now have something that looks like this:

Each Row represents an address for the mailbox and we can now remove any addresses that will remain on the mailbox. The idea is to have a file with only addresses that should be removed from mailboxes.

Filter on Column D and only show those with a value of Primary, select all rows and delete the rows, clear the filter on Column D.

Filter on Column C and select X500 and X400 and delete all rows with those values, clear the filter on Column C. We should be left with only values that have lowercase smtp.

Now we are doing to create a Column to that will allow us to filter by domain name. Highlight Column F “AliasAddress” and click the Data ribbon and select Text to Columns. Select Delimited, click Next and this time select Other with the symbol “@” and click Finish. We now have a Column G that can be labeled “Domain” and it will have values for the domain name. Filter the Column G “Domain” to only show domains that are verified in the Office 365 tenant. You want to delete these rows from the spreadsheet.

The result is now an Excel spreadsheet that contains only smtp alias addresses for mailboxes that will be removed from Exchange On-Prem. Save the Mailboxes-Emailaddresses.csv file.

Run the following script on the On-Prem Exchange Server to remove the smtp aliases on the mailboxes:

$mailboxes = Import-Csv "c:\Export\Mailboxes-Emailaddresses.csv"
ForEach ($Mailbox in $Mailboxes){
		$User = $Mailbox.PrimarySMTPAddress
		$Alias = $Mailbox.Alias
		write-host "Removing $Alias from $User"
		Set-Mailbox "$User" -EmailAddresses @{remove="$alias"}
		}

Remote mailbox moves without Hybrid

November 2, 2018November 13, 2018 Angus Exchange, Office 365

I have been working with a customer who recently acquired a new company that has 400+ mailboxes running on two Exchange 2010 servers. They need all mailboxes moved to Office 365 where the tenant is already setup has an existing Hybrid configuration to an on-prem Exchange 2016 environment. They don’t want the new users setup with Azure ADConnect and will be created In Cloud. If possible they want to perform MRS mailbox moves instead of paying for licenses for Migration Wiz. Besides you can’t have two Hybrid configurations connecting to one tenant.

I did some testing in a lab environment and have have been successful in setting up MRS mailbox moves without having ADConnect or running the Hybrid Configuration Wizard. I decided to share the steps involved if anyone is in a similar position and needs some help.

Installed Exchange 2010 SP3 as the customer on-prem server was SP1
Enabled MRSProxy on the Web Services Virtual Directory
- Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $True
Created new Receive Connector on the 2010 server scoped for the O365 IP addresses and configured with for Fqdn with a valid SSL certificate
Add the new domain to the Office 365 portal and verify
Changed the accepted domain in Exchange Online from Authoritative to Internal Relay
Add outbound connector for the domain in Exchange Online
Add inbound connector for the domain in Exchange Online
Create a migration endpoint pointing to the on-prem Exchange server
Setup federation from On-Prem Exchange to Exchange Online (this was easier to do the the EMC)
Setup Organization Relationship from On-Prem to Exchange Online
- New-OrganizationRelationship -DomainNames <tenant.mail.onmicrosoft.com> -FreeBusyAccessEnabled $True -FreeBusyAccessLevel LimitedDetails -MailboxMoveEnabled $True -DeliveryReportEnabled $True -MailTipsAccessEnabled $True -MailTipsAccessLevel All -TargetApplicationUri outlook.com -TargetOwaURL http://outlook.com/owa/on-rackspace.com -TargetAutodiscoverEpr https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity -ArchiveAccessEnabled $True -Enabled $True -Name “On-prem to O365 <tenant.onmicrosoft.com>”
Setup Organization sharing from Exchange Online to On-Prem (Exchange Admin Center)
Now you need to create new Mail Users in the Office 365 tenant and these can be scripted out and run from a PowerShell session
- New-MailUser -Name “Alan Border” -Alias “alan.border” -DisplayName “Alan Border” -FirstName “Alan” -LastName “Border” -ExternalEmailAddress “alan.border@<domain.com> -MicrosoftOnlineServicesID “alan.border@<domain.com>” -Password (ConvertTo-SecureString -String ‘P@ssw0rd’ -AsPlainText -Force)
Add the LegacyExchangeDN from the On-Prem 2010 to the Mail User ExchangeGUID in Exchange Online
- Set-MailUser -Identity “alan.border@<domain.com>” -ExchangeGUID <05c362f2-120d-472f-9cf0-f846e2f52e0f>
On-Prem Exchange will need to add the accepted domain for <tenant>.mail.onmicrosoft.com as authoritative
On-Prem mailboxes need the alias address for <tenant.mail.onmicrosoft.com>. This can be done using an Email Address Policy
Mail User recipients in Exchange Online need to have both the following addresses added <tenant>.mail.onmicrosoft.com> and <tenant>.onmicrosoft.com
- Set-MailUser -Identity “alan.border@<domain.com>” -EmailAddresses @{add=”smtp:alan.border@<tenant>.mail.onmicrosoft.com”,”smtp:alan.border@<tenant>.onmicrosoft.com”}
Assign the MsolUser with a valid license for Exchange Online

Note that because the MailUser has a value for ExchangeGUID the provisioning service within Exchange Online doesn’t convert this into an empty mailbox when you assign a license. Now you can perform a remote mailbox move and when the move completes the objects will convert from a MailUser to a UserMailbox in Exchange Online and from a UserMailbox to a MailUser in Exchange On-Prem.

I recommend testing this out before doing any live production mailboxes and ensure mail flow is working. You will also want to validate free/busy and ensure all mailboxes including resource and shared get provisioned as MailUser in Exchange Online before moving any mailboxes. You will also need to create Distribution Groups in Exchange Online and add the LegacyExchangeDN to prevent users getting bounce back messages when sending to them.

OAB Download Error

June 15, 2018 Angus Exchange

I recently completed a migration from Exchange 2013 to Exchange 2016 and after the Exchange 2013 server was uninstalled that’s when the issues with OAB started. I confirmed that all the mailbox databases were set with the Offline Address Book.

I confirmed that the OAB Virtual Directory was set with the correct URL.

I ran the Outlook Test Email AutoConfiguration and noticed that in the output it didn’t have a line for OAB.

It turns out that the Offline Address Book needed to be set for Global Web Distribution.

Get-OfflineAddressBook | fl name, *webdist*

1	Get-OfflineAddressBook \| fl name, webdist

Get-OfflineAddressBook | Set-OfflineAddressBook -GlobalWebDistributionEnabled $True

1	Get-OfflineAddressBook \| Set-OfflineAddressBook -GlobalWebDistributionEnabled $True

Now when I check the OAB both the Web Distribution settings have been enabled.

You will need to perform an IISreset for the settings to be applied.

Completing Individual Moves in a Migration Batch

June 8, 2018 Angus Exchange

In order to complete an individual mailbox move within a migration batch was previously done by running the commands:

Set-MoveRequest -Identity <email address> -SuspendWhenReadyToComplete $false 
Resume-MoveRequest -Identity <email address>

1 2	Set-MoveRequest -Identity <email address> -SuspendWhenReadyToComplete $false Resume-MoveRequest -Identity <email address>

Recent updates to both Exchange Online and Exchange On-Prem have changed the way move requests are created within a migration batch. Exchange Online can now set an option for when the move requests should be started and/or completed.

Now if you want to complete a move request for an individual mailbox you will need to run the following:

Set-MoveRequest -Identity <email address> -CompleteAfter (Get-Date)
Resume-MoveRequest -Identity <email address>

1 2	Set-MoveRequest -Identity <email address> -CompleteAfter (Get-Date) Resume-MoveRequest -Identity <email address>

Exchange Database Content Index Corrupt

April 20, 2018 Angus Exchange

Fixing a corrupt content index on an Exchange database with only one copy can be done in the following method:

If you run the following command you can see the content index state and error message.

Get-MailboxDatabaseCopyStatus <databasename>| fl

1	Get-MailboxDatabaseCopyStatus <databasename>\| fl

Next you will need to stop the following services:

Stop-Service MSExchangeFastSearch
Stop-Service HostControllerService

1 2	Stop-Service MSExchangeFastSearch Stop-Service HostControllerService

Now you will need to delete the content index folder which is a GUID in the same location as the database edb file. It has three sub folders that all need to be deleted.

NOTE: If you try and delete the files without stopping the search services you will get an error that the file is in use.

With the files successfully deleted you can start the services:

Start-Service MSExchangeFastSearch
Start-Service HostControllerService

1 2	Start-Service MSExchangeFastSearch Start-Service HostControllerService

Now wait a few minutes for the content index folder to be re-created.

To verify this worked you can run the same command from before:

Get-MailboxDatabaseCopyStatus <databasename>| fl

1	Get-MailboxDatabaseCopyStatus <databasename>\| fl

SCOM alert proxying to Unknown

April 12, 2018April 12, 2018 Angus Exchange

SCOM Alerts can be related to SSL certificates and it is worth checking the IIS BackEnd Site Binding to see if the certificate is valid. One example of this is the alert for OutlookRpcDeepTestMonitor. Also note that if the server alerting is getting a “proxying to unknown” error that the Certificate issue is likely on a different Exchange Server.

Open IIS, browse down to Site and Exchange Back End. Click bindings and edit the site bindings on port 444. The site should be bound with the certificate called “Microsoft Exchange”. When you view the certificate I found the certificate being used had an error “The CA Root certificate is not trusted”.

To fix this issue the self signed certificate needs to be exported from the Personal Store and imported into the Trusted Root CA.

Run mmc

Add the Snap-in for Certificates

Browse down to Personal and Certificates and Export the self-signed certificate where the friendly name is “Microsoft Exchange”.

Export it using the format P7B and select the option to “Include all certificates in the certification path if possible”

Name the file and Save it anywhere you like.

Browse down to Trusted Root Certification Authorities and right click Certificates -> All Tasks and Import…

Select the certificate you exported, click next and ensure the certificate is placed in the Trusted Root CA.

Now back to IIS when you view the certificate that is bound to the Exchange Back End Site it should look like this:

Now you need to restart the Exchange Health Manager service MSExchangeHM on the server that reported the issue or restart it across all the Exchange Servers:

$Servers = Get-ExchangeServer
ForEach($server in $servers){
Write-Host Restarting Health Manager Service on $Server
Get-Service MSExchangeHM -ComputerName $server | Restart-Service}

$Servers = Get-ExchangeServer

ForEach($server in $servers){

Write-Host Restarting Health Manager Service on $Server

Get-Service MSExchangeHM -ComputerName $server | Restart-Service}

MSExchangeDelivery service is failing

March 28, 2018March 28, 2018 Angus Exchange

The SCOM alert for MSExchangeDelivery service is failing due to this exception:

Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe+MailDeliveryAvailabilityProbeException: Multiple different exceptions

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.CheckAllInstancesForDifferentFailures()

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.DoWork(CancellationToken cancellationToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.Execute(CancellationToken joinedToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.<>c__DisplayClass2.<StartExecuting>b__0()

at System.Threading.Tasks.Task.Execute()

Turns out the health mailbox was full and unable to accept new messages.

To resolve this issue I stopped the MSExchange Health Manager service and deleted all the AD accounts for Health Mailboxes. Health Mailboxes can be found in the Monitoring Mailboxes OU which is inside the Microsoft Exchange System Objects OU by default. After removing the AD objects I restarted the health manager service and new health mailboxes are created automatically.

Disable Read Receipts

February 7, 2018 Angus Exchange

Read Receipts can easily be disabled on a per message basis at the Outlook client by clicking the No button.

If you wanted to go the extra mile you can setup a rule within Exchange that would disable them on all inbound emails.

Create a new mail rule and select modify message

In the new rule window give it a name “Disable Read Receipt”

Apply this rule to all messages

Do the following and select “Remove this header” and enter the text “Disposition-Notification-To”

Now the header details that are requesting the read receipt are removed from the message and no action will be required from the end user.

If you wanted to perform the same task from the Exchange Management Shell you can run the following command:

New-TransportRule -RemoveHeader 'Disposition-Notification-To' -Name 'Disable Read Receipt' -StopRuleProcessing:$false -Mode 'Enforce' -Comments '
' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

1 2	New-TransportRule -RemoveHeader 'Disposition-Notification-To' -Name 'Disable Read Receipt' -StopRuleProcessing:$false -Mode 'Enforce' -Comments ' ' -RuleErrorAction 'Ignore' -SenderAddressLocation 'Header'

MSExchangeDelivery service is failing

January 5, 2018January 5, 2018 Angus Exchange

The SCOM alert for MSExchangeDelivery service is failing due to this exception:

Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe+MailDeliveryAvailabilityProbeException: Multiple different exceptions

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.CheckAllInstancesForDifferentFailures()

at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.DoWork(CancellationToken cancellationToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.Execute(CancellationToken joinedToken)

at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.<>c__DisplayClass2.<StartExecuting>b__0()

at System.Threading.Tasks.Task.Execute()

Turns out the health mailbox was full and unable to accept new messages.

How to find a deleted/disabled mailbox and reconnect it.

January 3, 2018January 25, 2018 Angus Exchange

When working with disconnected mailboxes I have found where the recently deleted/disabled mailbox doesn’t appear in the Admin Center.

From the exchange management shell you can run the following to find a mailbox, in this case I’m looking for a mailbox for Mark Taylor

Get-MailboxDatabase | Get-MailboxStatistics | Where-Object {$_.DisplayName -like "*taylor*"} | fl displayname, itemcount, database, discon*, mailboxguid

1	Get-MailboxDatabase \| Get-MailboxStatistics \| Where-Object {$_.DisplayName -like "taylor"} \| fl displayname, itemcount, database, discon*, mailboxguid

The information returned was the following:

As you can see the disconnect date and disconnect reason are blank.

I know the mailbox was on the database MDB01 so again from the shell you can run the following:

Update-StoreMailboxState -Database MDB01 -Identity b31c95ca-5e40-4bdf-bf1b-9766521e0570

1	Update-StoreMailboxState -Database MDB01 -Identity b31c95ca-5e40-4bdf-bf1b-9766521e0570

Now the results of the previous command show it was disabled and also the ECP shows the mailbox can be reconnected.

FYI – Even when the mailbox doesn’t have a disconnect date or reason it is still possible to reconnect it to the AD account from the exchange management shell by running:

Connect-Mailbox -Identity b31c95ca-5e40-4bdf-bf1b-9766521e0570 -Database MDB01 -User mark.taylor

1	Connect-Mailbox -Identity b31c95ca-5e40-4bdf-bf1b-9766521e0570 -Database MDB01 -User mark.taylor