Configuring Exchange Impersonation

Exchange Impersonation lets a caller (typically the service account of an application) act as another mailbox account, so that operations run with the permissions of the impersonated account rather than the caller's own. Exchange Server 2007 uses two Active Directory extended rights to control this: ms-Exch-EPI-Impersonation, granted on the Client Access server object, decides which callers may use impersonation at all, and ms-Exch-EPI-May-Impersonate, granted on the target user object, decides which accounts that caller may impersonate. Grant the second right only on the mailboxes the application actually needs: a caller who holds it has the full mailbox access of the impersonated user.
 

This procedure grants the service account fasapprov1 permission to impersonate the user fasaptest1 (the right is placed on the account being impersonated; -User names the caller):

Add-ADPermission -Identity "fasaptest1" -User "fasapprov1" -ExtendedRights ms-Exch-EPI-May-Impersonate

See the article link below for step-by-step configuration instructions, including the ms-Exch-EPI-Impersonation right that must also be granted on the Client Access server.
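As an added example (not part of the original page), the following Exchange Management Shell script grants both impersonation rights for a service account, scoped to a single mailbox, and then reads the resulting ACEs back so the grant can be audited. The account, mailbox and server names are placeholders; everything else is standard Exchange 2007 cmdlets.

```powershell
# Added example, not from the original page. Names are placeholders.
$caller = "domain\fasapprov1"        # service account that will impersonate
$target = "fasaptest1"               # mailbox that may be impersonated
$cas    = "cas01"                    # Client Access server the application talks to

# 1. Allow the caller to use impersonation at all (right lives on the CAS server object)
$casDn = (Get-ExchangeServer -Identity $cas).DistinguishedName
Add-ADPermission -Identity $casDn -User $caller -ExtendedRights ms-Exch-EPI-Impersonation

# 2. Allow the caller to impersonate this one user (right lives on the user object).
#    Granting it on an OU or the domain instead would let the caller open every mailbox below it.
$targetDn = (Get-User -Identity $target).DistinguishedName
Add-ADPermission -Identity $targetDn -User $caller -ExtendedRights ms-Exch-EPI-May-Impersonate

# 3. Audit: list every EPI right the caller holds on the target and on the server
foreach ($dn in @($casDn, $targetDn)) {
    Get-ADPermission -Identity $dn -User $caller |
        Where-Object { $_.ExtendedRights -match "ms-Exch-EPI" } |
        Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize
}

# 4. Org-wide audit: which callers hold May-Impersonate directly on any user?
#    (walks every user object; slow in a large directory, run it off-hours)
Get-User -ResultSize Unlimited |
    Get-ADPermission |
    Where-Object { $_.ExtendedRights -match "ms-Exch-EPI-May-Impersonate" -and -not $_.IsInherited } |
    Select-Object Identity, User
```

Remove-ADPermission takes the same -Identity, -User and -ExtendedRights arguments when the application is decommissioned. Inherited entries show up with IsInherited set; a grant placed high in the OU tree is the usual way an impersonation right ends up far broader than intended.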
 
 

Exchange is unable to mount the database that you specified

Issue: Exchange is unable to mount the database that you specified. Specified database: ServerEXVS25SG1Mailbox; Error code: MapiExceptionCallFailed: Unable to mount database. (hr=0x80004005, ec=-2147467259)

Resolution:

The error was caused by Active Directory replication lag. Creating a new mailbox store writes the new database object to the configuration partition in AD; if the mount is attempted before that change has replicated to the domain controller the Exchange server is reading its configuration from, the mount fails with the error above. Wait 5 to 10 minutes and try to mount the database again; it should then mount normally. If it still fails after that, check which configuration domain controller the server is using (Get-ExchangeServer -Status) and confirm the database object is visible there before suspecting the database files themselves.
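An added example (not from the original page) that shows which configuration domain controller the server is using and then retries the mount with a wait between attempts, written for the Exchange 2007 Management Shell (PowerShell 1.0, so no try/catch). The server and database names are placeholders.

```powershell
# Added example, not from the original page. Names are placeholders.
$server      = "EXVS25"               # mailbox server or clustered mailbox server name
$db          = "$server\SG1\Mailbox"  # Server\StorageGroup\Database
$maxAttempts = 5
$waitSeconds = 120                    # 5 x 2 minutes covers the 5-10 minute replication window

# Which configuration DC is this server reading from? The new database object must exist there.
Get-ExchangeServer -Identity $server -Status | Format-List CurrentConfigDomainController

for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    # Is the database object visible yet from this server's point of view?
    $dbObj = Get-MailboxDatabase -Identity $db -Status -ErrorAction SilentlyContinue
    if (-not $dbObj) {
        Write-Warning "Attempt ${attempt}: database object not yet visible in AD"
    } elseif ($dbObj.Mounted) {
        Write-Host "$db is mounted"
        break
    } else {
        # Non-terminating error on failure; $? tells us whether the cmdlet succeeded
        Mount-Database -Identity $db -ErrorAction SilentlyContinue
        if ($?) {
            Write-Host "Mounted $db on attempt $attempt"
            break
        }
        Write-Warning "Attempt ${attempt}: $($Error[0].Exception.Message)"
    }
    if ($attempt -lt $maxAttempts) { Start-Sleep -Seconds $waitSeconds }
}
```

If the object never becomes visible, the problem is replication itself rather than Exchange; repadmin /showrepl on the configuration DC will show whether inbound replication from the DC where the store was created is failing.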

How to exclude domain controllers from AD access list in Exchange

Exchange Server 2007 relies heavily on Active Directory. All directory lookups go through the Microsoft Exchange Active Directory Topology service (MSExchangeADTopology), which discovers the domain controllers and global catalogs each Exchange server uses.

For optimal lookup performance, use the following command to exclude domain controllers that the Exchange server should not use for directory lookups (for example, DCs in another datacenter or across a slow link). Choose the exclusion list based on the datacenter where your Exchange servers are homed. The excluded domain controller list here is based on recommendations from the Active Directory team:
 
This command must be run in the Exchange 2007 Management Shell. It is recommended that you run it on every Exchange server, with that server's name (or the clustered mailbox server name) as the -Identity. Note that this only tunes which DCs Exchange discovers and talks to; it does not restrict what Exchange can read or write in AD.
 

Set-ExchangeServer -Identity exchsrv1 -StaticConfigDomainController $null -StaticDomainControllers $null -StaticGlobalCatalogs $null -StaticExcludedDomainControllers dc1.domain.com,dc2.domain.com
  
Step by Step Configuration Steps:
1. Run the command on the active node of your cluster. Remember to use the clustered mailbox server (Exchange virtual server) name, not the node name, as the -Identity for Set-ExchangeServer.
2. Restart the Microsoft Exchange Active Directory Topology service (MSExchangeADTopology). This also restarts the services that depend on it: Transport Log Search, Service Host, Search Indexer, Replication, Mail Submission and Mailbox Assistants.
3. Verify in the Exchange Management Console: right-click the clustered mailbox server, choose Properties, then the System Settings tab. Only the domain controllers that were not excluded should appear in the list.
4. Repeat the same procedure on the passive node of your cluster.
5. The change is complete.
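The same procedure as one script, added here as an example (not from the original page): it records what the server uses before the change, applies the exclusion list, restarts the topology service and then checks that none of the excluded DCs is still in use. The cluster and DC names are placeholders.

```powershell
# Added example, not from the original page. Names are placeholders.
$cms     = "exchsrv1"                              # clustered mailbox server name, not the node name
$exclude = "dc1.domain.com", "dc2.domain.com"      # per the AD team's list for this datacenter

# What is the server using right now?
Get-ExchangeServer -Identity $cms -Status |
    Format-List CurrentConfigDomainController, CurrentDomainControllers, CurrentGlobalCatalogs

# Clear any static overrides and set only the exclusion list
Set-ExchangeServer -Identity $cms `
    -StaticConfigDomainController $null `
    -StaticDomainControllers $null `
    -StaticGlobalCatalogs $null `
    -StaticExcludedDomainControllers $exclude

# Run on the active node; -Force also restarts the Exchange services that depend on topology
Restart-Service MSExchangeADTopology -Force

# Verify: the static setting is stored, and the discovered lists no longer contain excluded DCs
Get-ExchangeServer -Identity $cms | Format-List StaticExcludedDomainControllers
$status = Get-ExchangeServer -Identity $cms -Status
$inUse  = @($status.CurrentConfigDomainController) + @($status.CurrentDomainControllers) + @($status.CurrentGlobalCatalogs)
$leak   = @($inUse | Where-Object { $exclude -contains $_.ToString() })
if ($leak.Count -gt 0) {
    Write-Warning ("Excluded DC still in use: " + [string]::Join(", ", [string[]]$leak))
} else {
    Write-Host "Exclusion list in effect on $cms"
}
```

Run the verification block again after failing the clustered mailbox server over to the passive node; the exclusion is stored on the server object in AD, but the topology service on each node only picks it up after it has been restarted there.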

create or renew self-signed certificate on Exchange server 2007

After a new Hub Transport server (or any other Exchange 2007 server role) is installed, a self-signed certificate whose subject is the server name is created automatically.

This certificate can be used to establish TLS connections for SMTP. However, if a service advertises a different FQDN for TLS (for example, the FQDN set on a Receive or Send connector), that name must also be included when the certificate is created in Exchange, otherwise transport cannot find a certificate matching the advertised name.

For example, to create a certificate for SMTP that covers two names, use the following command (it uses the existing certificate as a template; if more than one certificate is installed, pass the thumbprint of the current SMTP certificate to Get-ExchangeCertificate first):

Get-ExchangeCertificate | New-ExchangeCertificate -DomainName "servername", "publicname" -FriendlyName MSExchange

The certificate is created with both names in its Subject Alternative Name list, in this case the server name and the public name. This resolves event 12014 on a Hub Transport server (transport could not find a certificate containing the advertised domain name in the local computer's personal store).
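An added example (not from the original page) that first lists the FQDNs the connectors actually advertise, creates a self-signed certificate covering both the server FQDN and the public name, binds it to SMTP and checks that no required name is missing. The public name is a placeholder; the cmdlets and parameters are standard Exchange 2007.

```powershell
# Added example, not from the original page. The public name is a placeholder.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. hub1.corp.local
$publicName = "mail.domain.com"                                             # FQDN advertised for TLS

# The FQDN each connector advertises must be one of the certificate's names
Get-ReceiveConnector -Server $env:COMPUTERNAME | Format-Table Name, Fqdn -AutoSize
Get-SendConnector | Format-Table Name, Fqdn -AutoSize

# Create a new self-signed certificate that covers both names
$cert = New-ExchangeCertificate -DomainName $serverFqdn, $publicName `
                                -SubjectName "CN=$publicName" `
                                -FriendlyName "MSExchange" `
                                -PrivateKeyExportable $false

# Bind it to SMTP (you are asked to confirm replacing the current default SMTP certificate)
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# Verify: both names present, SMTP enabled, and note the expiry date
$check   = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$names   = @($check.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @(@($serverFqdn, $publicName) | Where-Object { $names -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate does not cover: " + [string]::Join(", ", [string[]]$missing))
}
$check | Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned

# Expired certificates left in the store are worth removing once the new one is in place
Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
```

A self-signed certificate is adequate for opportunistic TLS between Hub Transport servers and for inbound SMTP from senders that do not validate the chain. Partners using Domain Security (mutual TLS) and client-facing services such as Outlook Anywhere, OWA and ActiveSync need a certificate issued by a CA the other side trusts, covering the same names.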

Adding a new storage group to SCC cluster

Follow these steps to add a new storage group to an Exchange 2007 SCC (single copy cluster):

  • Using Disk Management, rescan and initialize the new disk, format the partition and create mount points as needed
  • Using the Exchange Management Console, create the storage group as needed
  • Using the Exchange Management Console, create the database for the storage group, but do not mount the database yet
  • Using Cluster Administrator, create the physical disk resource in the group of the clustered mailbox server (Exchange virtual server)
  • Create disk dependencies for the newly created Exchange database resource, so that the database cannot come online before its disk
  • Bring the new resources online in Cluster Administrator
  • Check the Exchange Management Console to confirm that the database is mounted
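A scripted version of the storage group and database steps above, added as an example (not from the original page). It assumes the disk has already been initialised, formatted and mounted in Disk Management, and that the physical disk resource has been created in Cluster Administrator; the dependency, bringing resources online and the final mount check are scripted. The clustered mailbox server name, paths and in particular the cluster resource names are placeholders: read the real resource names with "cluster res" before running it.

```powershell
# Added example, not from the original page. CMS, path and resource names are placeholders.
$cms    = "EXVS25"                        # clustered mailbox server name (not a node name)
$sgName = "SG2"
$dbName = "Mailbox Database 2"
$logs   = "M:\SG2\Logs"                   # mount point already created on the shared disk
$edb    = "M:\SG2\Database\$dbName.edb"

# Create the storage group and the database on the CMS; do not mount yet
New-StorageGroup -Server $cms -Name $sgName -LogFolderPath $logs -SystemFolderPath $logs
New-MailboxDatabase -StorageGroup "$cms\$sgName" -Name $dbName -EdbFilePath $edb

# Cluster side. cluster.exe is run through cmd so the quoted resource names survive intact.
function Invoke-ClusterCmd([string]$cmdLine) { cmd /c "cluster $cmdLine" }

Invoke-ClusterCmd "res"                   # list resources; copy the exact names into the two variables below
$diskRes = "Disk M:"                                                # physical disk resource (assumed name)
$dbRes   = "Exchange Database Instance ($cms - $sgName/$dbName)"    # database resource (assumed name)

# The database resource must depend on its disk, then bring both online
Invoke-ClusterCmd "res `"$dbRes`" /adddep:`"$diskRes`""
Invoke-ClusterCmd "res `"$diskRes`" /online"
Invoke-ClusterCmd "res `"$dbRes`" /online"

# Verify the database is mounted; mount it explicitly if bringing the resource online did not
$dbId   = "$cms\$sgName\$dbName"
$status = Get-MailboxDatabase -Identity $dbId -Status
if (-not $status.Mounted) { Mount-Database -Identity $dbId }
Get-MailboxDatabase -Server $cms -Status | Format-Table Name, StorageGroup, Mounted -AutoSize
```

If the dependency step is skipped, a failover can bring the database resource online before the disk is available and the store will fail to mount on the other node; "cluster res <name> /listdep" shows what a resource currently depends on.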

Your message wasn’t delivered because of security policies in Exchange 2007

Issue: Your message wasn't delivered because of security policies (Exchange 2007)
Synopsis: When a user sends an email to a distribution group, this NDR may be returned: "Delivery has failed to these recipients or distribution lists. Your message wasn't delivered because of security policies."
Cause: This happens when a sender from outside the organization (an unauthenticated SMTP sender) emails an internal distribution list. By default, Exchange 2007 distribution groups accept messages only from authenticated senders.
Resolution: To allow email to the distribution group from outside your organization, follow these steps:
1. Open the Exchange Management Console
2. Expand Recipient Configuration
3. Click Distribution Group
4. Double-click the distribution group
5. Select the Mail Flow Settings tab
6. Double-click Message Delivery Restrictions
7. Uncheck "Require that all senders are authenticated"
8. Click OK

The setting takes effect immediately, so it should work right away. Be aware that it also opens the group to spam and to anyone on the Internet who learns its address; if only a few external senders need to reach the group, restrict the accepted senders to those addresses rather than opening the group completely.
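The same change from the Exchange Management Shell, added here as an example (not from the original page), alongside the narrower alternative of allowing only named external senders and an audit of every group that currently accepts anonymous mail. The group name, contact and partner address are placeholders.

```powershell
# Added example, not from the original page. Group, contact and addresses are placeholders.
$dl          = "Helpdesk Requests"
$allowAnyone = $false   # $true reproduces the console step exactly (group open to all Internet senders)

# Current state
Get-DistributionGroup -Identity $dl | Format-List RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom

if ($allowAnyone) {
    # Same effect as clearing "Require that all senders are authenticated"
    Set-DistributionGroup -Identity $dl -RequireSenderAuthenticationEnabled $false
} else {
    # Narrower: still allow unauthenticated (external) mail, but only from named senders,
    # represented as mail contacts. AcceptMessagesOnlyFrom replaces the whole list, and it also
    # applies to internal senders, so include them (or a group containing them) if they need to post.
    # A From address is trivially spoofed in SMTP: this limits accidental exposure and casual spam,
    # it is not an authentication control.
    $partner = Get-MailContact -Identity "Partner Ticketing" -ErrorAction SilentlyContinue
    if (-not $partner) {
        $partner = New-MailContact -Name "Partner Ticketing" -ExternalEmailAddress "tickets@partner.example"
    }
    Set-DistributionGroup -Identity $dl -RequireSenderAuthenticationEnabled $false `
                          -AcceptMessagesOnlyFrom $partner.Identity
}

# Verify the result
Get-DistributionGroup -Identity $dl | Format-List RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom

# Audit: every group in the org that currently accepts anonymous senders
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Format-Table Name, PrimarySmtpAddress, AcceptMessagesOnlyFrom -AutoSize
```

Groups that end up in the audit list with an empty AcceptMessagesOnlyFrom are reachable by anyone on the Internet; that is sometimes intended (a public contact alias) but should be a deliberate decision per group.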

How to Forward email sent to a distribution list

Email sent to a distribution list can be forwarded to another email address.

For example, if you want email sent to a distribution group to also be delivered to a mail-enabled SharePoint folder on a SharePoint site, you can achieve this with the following steps:

1. Create a mail contact for the SharePoint folder's email address, for example test@domain.com

2. Make this contact a member of the distribution list

3. You're done. Email sent to the DL is also delivered to test@domain.com
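The same two steps from the Exchange Management Shell, added as an example (not from the original page), with the contact hidden from the address lists so users do not address it directly and a membership check at the end. The list, contact and address are placeholders.

```powershell
# Added example, not from the original page. Names and addresses are placeholders.
$dl          = "Project Team"
$folderAddr  = "test@domain.com"            # address of the mail-enabled SharePoint folder
$contactName = "Project Team SharePoint"

# Create the contact, or reuse it if it already exists
$contact = Get-MailContact -Identity $contactName -ErrorAction SilentlyContinue
if (-not $contact) {
    $contact = New-MailContact -Name $contactName -ExternalEmailAddress $folderAddr
}
# Hide it from the GAL: it exists only to carry the list's mail to SharePoint
Set-MailContact -Identity $contact.Identity -HiddenFromAddressListsEnabled $true

# Add it to the list (errors if it is already a member) and verify the membership
Add-DistributionGroupMember -Identity $dl -Member $contact.Identity
Get-DistributionGroupMember -Identity $dl |
    Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize
```

The SharePoint folder's own settings decide whether it accepts mail from the list's address; if it is configured to accept only from specific senders, add the distribution group's address there as well. Everything posted to the list, including attachments, will be stored in that SharePoint folder, so check who can read the folder before adding the contact.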

Disable Automatic RUS update for a user using ADSIedit

In Exchange 2003, the Recipient Update Service (RUS) is what stamps recipient policy email addresses onto users. Exchange 2007 has no RUS; email address policies are applied by the provisioning cmdlets instead (Update-EmailAddressPolicy, and per user Set-Mailbox -EmailAddressPolicyEnabled). In the user's properties, under the E-Mail Addresses tab, the checkbox "Automatically update e-mail addresses based on e-mail address policy" controls whether the policy is applied to that user; clearing the box stops the updates (in Exchange 2003 terms, it disables RUS for the user). Below are the AD attributes behind that checkbox, which can also be set directly with ADSIedit.

This attribute:

msExchPoliciesIncluded with this value

{7AC28272-F0F3-4294-8262-D23C6BE8F2CC},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}

turns policy updates on for the user (the first GUID identifies the policy object, the second is the well-known GUID for email address policies).

To turn policy updates off for the user, set this attribute with the value:

msExchPoliciesExcluded

{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
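An added example (not from the original page) that makes the change with the Exchange 2007 cmdlet, then reads the two attributes over ADSI to confirm what the cmdlet wrote, and finally shows the raw ADSI write that corresponds to the ADSIedit procedure above. The user name is a placeholder; the GUID is the one quoted above.

```powershell
# Added example, not from the original page. The user name is a placeholder.
$user            = "jsmith"
$allPoliciesGuid = "{26491CFC-9E50-4857-861B-0CB8DF22B5D7}"

# Supported way in Exchange 2007: equivalent to clearing the console checkbox
Set-Mailbox -Identity $user -EmailAddressPolicyEnabled $false

# Read the raw attributes the procedure above describes
$dn  = (Get-Mailbox -Identity $user).DistinguishedName
$obj = [ADSI]"LDAP://$dn"
"Included: " + [string]::Join(", ", [string[]]@($obj.msExchPoliciesIncluded))
"Excluded: " + [string]::Join(", ", [string[]]@($obj.msExchPoliciesExcluded))
"EmailAddressPolicyEnabled: " + (Get-Mailbox -Identity $user).EmailAddressPolicyEnabled

# The same change written directly to AD, as ADSIedit would do it
# (ADS_PROPERTY_CLEAR = 1, ADS_PROPERTY_UPDATE = 2)
$obj.PutEx(2, "msExchPoliciesExcluded", @($allPoliciesGuid))   # turn policy updates off
$obj.SetInfo()

# Re-enable by clearing the exclusion (Set-Mailbox -EmailAddressPolicyEnabled $true does the same)
$obj.PutEx(1, "msExchPoliciesExcluded", $null)
$obj.SetInfo()

# Which users are currently excluded from policy updates?
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.EmailAddressPolicyEnabled } |
    Format-Table Name, PrimarySmtpAddress -AutoSize
```

Prefer the cmdlet over the raw write: it validates the object and is what the Exchange tools expect to find, whereas an ADSIedit change bypasses Exchange entirely and is easy to get wrong (a typo in the GUID silently does nothing).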

apply activesync policy to all exchange users

Use this PowerShell command to apply an ActiveSync policy to all Exchange users:

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Policy Name").Identity

To apply it to a particular user:

Set-CASMailbox username -ActiveSyncMailboxPolicy (Get-ActiveSyncMailboxPolicy "Enterprise Exchange ActiveSync Policy").Identity
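An added example (not from the original page) that goes a step beyond the command above: it finds ActiveSync-enabled mailboxes that currently have no policy at all (so no device PIN, lock or wipe settings are enforced on their devices), assigns the policy only to those, and reports the distribution afterwards. The policy name is the one quoted above; adjust it to your environment.

```powershell
# Added example, not from the original page. Policy name as quoted above; adjust as needed.
$policy = Get-ActiveSyncMailboxPolicy -Identity "Enterprise Exchange ActiveSync Policy"

# Mailboxes that can sync a device but have no policy applied
$unprotected = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and ($_.ActiveSyncMailboxPolicy -eq $null) })

"{0} ActiveSync-enabled mailboxes have no policy" -f $unprotected.Count
$unprotected | Format-Table Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy -AutoSize

# Assign the policy only where it is missing, leaving deliberate per-user assignments alone
$unprotected | Set-CASMailbox -ActiveSyncMailboxPolicy $policy.Identity

# Summary: how many mailboxes are on each policy now
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Group-Object -Property ActiveSyncMailboxPolicy |
    Format-Table Name, Count -AutoSize
```

Run the first half on its own first; a large count of unprotected mailboxes usually means users were created after the policy was introduced without the command from this section ever being re-run, and is worth scheduling as a recurring check.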