Tuesday, October 11, 2016

Outlook 2016 Autodiscover for Non-Domain Joined Computers

Outlook 2016 requires Autodiscover to connect to Exchange, which can make it difficult for users on non-domain joined PCs.

Meaning: unlike previous versions of Outlook, there is no manual setup for Exchange accounts.

If some of your users have personal machines that they use to connect to Exchange, there's a registry fix (hack) that will bypass that domain check and allow them to configure their Outlook profile.

First, download the Outlook2016.reg key file from my Google Drive.

**Note** You can also create the reg key manually:

Open Notepad, and paste the following into it:

Windows Registry Editor Version 5.00



Close and Save the file as Outlook2016.reg

Once you have downloaded or created the registry key, we'll need to import it.

Simply double-click Outlook2016.reg

Click Yes that you are sure you want to continue.

Click Ok.

Now try to set up your Outlook profile to connect to your Exchange environment.

Friday, October 7, 2016

Exchange 2013 Filtering Management and Transport Service Won't Start

I've seen this issue crop up from time to time on Exchange 2013 builds, where you get an error for the Microsoft Filtering Management Service which throws an 80004005, which also causes the Microsoft Exchange Transport Service to throw a 1068 error.

The Filtering Service is the Exchange protection/antimalware scanning component and it's a dependency of the Transport Service.

What usually causes this is a misconfigured A/V solution that doesn't have the proper Exchange exclusions set, and it rips out a needed file.

**Note** Follow this not-so-short MS article to set those A/V exclusions.

There are a couple of ways to go about fixing the issue, but I'll show you the easiest.

Here are the errors you'll likely see:

(Screenshots in the original post: MS Filtering Service Error; Transport Service Error.)

First, search in the Event Viewer > Application Logs for an error stating that the ConfigurationServer.xml file is missing.

If so, we'll need to add that file back in.

Mount or open the Exchange Cumulative Update setup file that matches the current build you're running on your Exchange servers.

**Tip** Always keep your most recent CU files, because things like this happen *cough* often *cough* with recent versions of Exchange - test much, Microsoft?

Once you have your CU setup files open, browse to the Setup\Filtering directory, and you'll see the "ConfigurationServer.xml" file in there.

Copy the "ConfigurationServer.xml" file to "C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Data" on your Exchange server.

**Note** You can copy that file from a working Exchange server, but it involves many more steps such as disabling the malware scanning, rebooting, disabling services, renaming files, blah blah...my way is faster.

Now that you've copied over the missing file from the CU setup, you should be able to:

Start the Filtering Service

Start the Transport Service

**Note** You may have to reboot before you're able to start those services.

Now you should have a healthy Exchange server...go check those A/V exclusions!
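The procedure above, as an added PowerShell example that is not part of the original post: it confirms the missing-file symptom in the Application log, copies ConfigurationServer.xml from the mounted CU media only if the file is really gone, starts the Filtering and Transport services in dependency order, and then checks (Windows Defender only) that the FIP-FS tree is excluded from scanning. The CU drive letter (D:) and the Defender check are assumptions; the FIP-FS path is the default Exchange 2013 install path from the post.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the affected server.
# Assumptions: the matching CU ISO is mounted at D:\ (adjust $CuSetupRoot); default Exchange install path.
$FipFsRoot   = 'C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS'
$FipFsData   = Join-Path $FipFsRoot 'Data'
$CuSetupRoot = 'D:\Setup\Filtering'          # <-- assumed drive letter of the mounted CU ISO
$Target      = Join-Path $FipFsData 'ConfigurationServer.xml'

# 1. Confirm the symptom: recent Application log errors that mention the file.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2 } -MaxEvents 500 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'ConfigurationServer\.xml' }
if ($events) {
    "Found $(@($events).Count) error(s) referencing ConfigurationServer.xml; most recent:"
    $events | Select-Object -First 1 TimeCreated, ProviderName, Id | Format-List
}

# 2. Restore the file only if it is actually gone (never clobber a good copy).
if (Test-Path $Target) {
    'ConfigurationServer.xml is present; the missing-file fix does not apply here.'
} else {
    $Source = Join-Path $CuSetupRoot 'ConfigurationServer.xml'
    if (-not (Test-Path $Source)) { throw "Source not found at $Source - is the CU matching this build mounted?" }
    Copy-Item -Path $Source -Destination $Target
    "Copied ConfigurationServer.xml from CU setup to $FipFsData"
}

# 3. Start the services in dependency order: Filtering Management (FMS) first, then Transport.
foreach ($name in 'FMS', 'MSExchangeTransport') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    }
    '{0,-40} {1}' -f $svc.DisplayName, (Get-Service -Name $name).Status
}

# 4. Defensive check: the FIP-FS tree must be excluded from on-access scanning, otherwise the
#    file can be removed again. This only covers Windows Defender; other A/V products have their own console.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $exclusions = (Get-MpPreference).ExclusionPath
    if ($exclusions -notcontains $FipFsRoot) {
        Write-Warning "$FipFsRoot is not in the Defender path exclusions; add it before the next scan removes the file again."
    }
}
```

If step 3 fails with the services still refusing to start, reboot as the note above says and run the script again; step 2 is idempotent, so it will not overwrite the restored file.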

Thursday, September 22, 2016

Exchange 2016 Adding Custom Fields to Outlook Contact Cards

In my current project, we have a need to add certain fields to Outlook contact cards such as Employee ID number, Location Code, and the like.

These fields are controlled by the Address List, and to make changes to them, you use the Details Templates Editor in the Exchange Toolbox.

With the editor you can: change field sizes, add/remove fields, add/remove tabs, rearrange the layout, and more to suit your needs. Once you're done, all changes will be presented in the users' clients.

In the Exchange Toolbox, double-click the Details Templates Editor


We'll be editing the details for English Users, so scroll down and double-click the en-US\User template

It will open the default settings

First, we'll need more real estate to work in, so drag the bottom re-sizer bar to make the area larger.

Next we'll be adding a new Listbox.

The easiest way to add a listbox and keep the correct formatting is to copy one of the default boxes.

Right-click one of the default boxes and click Copy

Next right-click anywhere in the empty space below the default boxes and click Paste

Now we can position the listbox.

Drag the new listbox to the location that you want. Blue guide bars will appear telling you that it is in line with the other boxes.

You can also manually position the box by editing the x/y axis and height/width in the left editor pane

**Tip** Click the default box above the newly created one and look at its height/width and X axis settings. Edit the height, width, and X axis of the new box to match. In our case it will be height: 12; width: 100; X axis: 82

**Note** MS TechNet says there is no undo and that you have to delete and start over, but that's wrong. You can CTRL-Z to revert to your last step.

Now, we'll add a Label to the listbox by selecting Label in the left pane, and dragging it next to the new Listbox

Next, name the label. In my example, this will be an Employee ID box, so we'll edit the label in the right editor pane

Now we need to link the Listbox to an attribute. As you can see, if you click on a default box, and check the right pane, you'll see the attribute that the box is pulling data from. Here, the attribute for the Phone field is called Telephone-number.

Since our new Listbox is for the Employee ID number, we'll map that attribute by selecting the new box, and in the right pane, use the drop-down to find Employee-Number

**Note** You can set all kinds of attributes on the boxes, including the Exchange Custom Attributes 1-15, or as we do in my environment Attributes 16-30 that were imported from MIM :)

Once you're satisfied with your new Listbox, click File > Save in order for changes to take effect

Now, give it time for the address list to replicate the changes then close and reopen Outlook and you should see the newly created field in the contact card

If you are unhappy with the results, you can go back into the editor and make changes, then save again and then new changes will be applied.

If you need to revert back to the default template just follow these simple steps:

In the Details Templates Editor, select the template you changed (en-US\User) and in the right pane, click Restore. Click Yes. Now your template will be back to the original state.

Friday, September 2, 2016

Exchange 2016 Removing a DAG Network

In my project of setting up a greenfield Exchange 2016 environment, our project managers kind of jumped the gun on forcing us to install Exchange before we acquired a shiny new VM infrastructure - seems like that happens quite a bit huh?

This resulted in me having to stand up Exchange on our current/old VM environment, which was painfully slow, and Exchange didn't exactly perform well. I also had to configure separate DAG networks, one for MAPI and one for Replication since the networking was rather slow; Exchange 2016 Preferred Architecture advises to use only one NIC for both types of traffic - providing you have the infrastructure for it!

When we were finally able to get the new gear with 10GB networking, we now had to migrate those Exchange servers over; the problem was the Replication LAN was non-routable and couldn't be moved to the new VM infrastructure.

So, now I had to deal with removing the Replication DAG Network, which if you've ever done this, you've probably noticed that when you remove it, it comes back automatically because the Cluster still sees it.
The MS TechNet article on removing the DAG Network says nothing of this, it just gives you the cmdlet, which doesn't work anyhow because you'll get an error saying that you need to assign the active subnets to other networks...huh?

Here's how I finally removed the Replication DAG Network, with what did and didn't work:

What Didn't Work:

In our setup, we have two NICs; one for MAPI, one for Replication:

First, I tried to remove the network, by clicking the "Remove" link in the EAC under Servers > Database Availability Groups > DAG Network > ReplicationDagNetwork01:

This threw an error saying to use the -IgnoreNetwork parameter instead, which is fine but it still leaves the network there, which isn't gonna work properly later when we migrate the VMs:

Next, I tried deleting the subnet from the Replication Network, which resulted in the cluster creating another network automatically:

Great, now we have an extra DAG network, and it has reassigned the subnet and NICs and has replication enabled.

Go ahead and Remove the first Replication network (the one without the subnet) to get us back to two networks again:

What Did Work:

On each DAG node, I deleted the Replication NIC, so I'm left with just the MAPI NIC:

Give it a few minutes, and Exchange will show that the Replication DAG Network is misconfigured:

**Note** In most cases "misconfigured" is bad, but in this case we want it that way, so we can remove the network.

Now that it's misconfigured, you can remove the subnet by clicking "View Details" on the DAG Network and hitting the minus sign "-" under Subnets:

And then remove the DAG Network itself:

Now we have one DAG Network:

Now we're where we need to be with one DAG Network for both MAPI and Replication running nicely on the 10GB LAN!
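The EMS side of the same clean-up, as an added example that is not from the original post: it lists the DAG networks with their subnets and interfaces before and after, then performs the two EAC clicks above (remove the subnets, remove the network) with cmdlets. One step not mentioned in the post is added here as a labelled assumption: Exchange 2013/2016 re-creates DAG networks automatically unless the DAG is switched to manual network configuration, which is why a removed network "comes back"; the script flips that switch first. The DAG name DAG01 and the network name ReplicationDagNetwork01 are placeholders.

```powershell
# Added example (not from the original post). Run in the EMS after the Replication NICs have been
# removed from every node as described above. Assumptions: DAG01 / ReplicationDagNetwork01 are placeholders.
$DagName = 'DAG01'
$Doomed  = 'ReplicationDagNetwork01'

function Show-DagNetworks {
    # One row per DAG network: is replication on, is it ignored, which subnets and node interfaces it owns.
    Get-DatabaseAvailabilityGroupNetwork -Identity $DagName |
        Select-Object Name, ReplicationEnabled, IgnoreNetwork,
            @{ n = 'Subnets';    e = { ($_.Subnets    | ForEach-Object { "$_" }) -join ', ' } },
            @{ n = 'Interfaces'; e = { ($_.Interfaces | ForEach-Object { "$_" }) -join ', ' } } |
        Format-Table -AutoSize
}

'--- Before ---'; Show-DagNetworks

# Assumed prerequisite (not in the post): stop automatic DAG network configuration, otherwise the cluster
# re-discovers the subnet and Exchange recreates the network you just deleted.
Set-DatabaseAvailabilityGroup -Identity $DagName -ManualDagNetworkConfiguration $true

$net = Get-DatabaseAvailabilityGroupNetwork -Identity "$DagName\$Doomed"
if ($net.Interfaces) {
    Write-Warning "Interfaces are still bound to $Doomed on: $(($net.Interfaces | ForEach-Object { "$_" }) -join ', ')"
    Write-Warning 'Remove the Replication NIC on those nodes first; the network must be misconfigured before it can go.'
}

# EAC "-" under Subnets: detach every subnet from the network (multi-valued @{Remove=...} syntax),
# and disable replication on it so nothing tries to use it in the meantime.
if ($net.Subnets) {
    $subnetIds = $net.Subnets | ForEach-Object { "$_".Split(' ')[0] }   # "<subnet> (<state>)" -> "<subnet>"
    Set-DatabaseAvailabilityGroupNetwork -Identity "$DagName\$Doomed" -Subnets @{ Remove = $subnetIds } -ReplicationEnabled $false
}

# EAC "Remove" on the DAG network: only succeeds once no subnets remain assigned to it.
Remove-DatabaseAvailabilityGroupNetwork -Identity "$DagName\$Doomed" -Confirm:$false

'--- After ---'; Show-DagNetworks
```

The remaining network should now show ReplicationEnabled set to True with the MAPI subnet and one interface per node. Leave ManualDagNetworkConfiguration at $true; setting it back to $false re-enables auto-discovery, which is harmless with a single NIC per node but is exactly what kept resurrecting the network with two.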

Sunday, August 28, 2016

Exchange 2013/2016 Using The Exchange Management Shell Through A Web Proxy

In my current project, we have Exchange 2016 running in a pretty secure environment consisting of a Resource Forest, and all servers are behind an HTTP Proxy Server.

Having Exchange behind a proxy can cause all sorts of headaches including not being able to download CU .iso files, FIPS (anti-malware) update failures, Remote PowerShell connection problems, and Federated Sharing issues.

The best course of action is to get your security team to allow Exchange out through the proxy, or at the very least disable authentication requirements...but sometimes that's not an option, so I'll show you the next best option.

Most likely, you'll have your Web Proxy configured in Internet Explorer, and you can use PowerShell to import those settings into the Exchange Management Shell (EMS).

**Note** Importing the proxy settings only works with explicit proxy settings in IE, it cannot use a PAC script.

**Note** Since Exchange 2013/2016 runs a web-based EAC (Exchange Admin Console), you really only need to set exclusions in the proxy for local addresses, and that should allow all connections to the EAC.

On each Exchange server do the following:

First, fire up an elevated Windows PowerShell to ensure that you have your exclusions set, by running:

netsh winhttp set proxy ";*.exchangeitup.com;*.exchangeitup.org;*.exchangeitup.net"

**Note** Change "" to your proxy server IP address, and whatever domain names you need to exclude for instance "exchangeitup".

Next, import the proxy into PowerShell by running:

netsh winhttp import proxy source=ie

**Note** IE proxy settings are set per user, not per computer so you'll need to import them on each admin account that logs into the Exchange servers. Or you can set it through a GPO, but I try to keep GPO's on Exchange servers to a minimum :)

Next, add your proxy server authentication to the Credential Manager under Control Panel.

Next, we'll add the proxy to the EMS on each Exchange server, by running:

Set-ExchangeServer -identity EXCH01 -internetwebproxy:
Set-ExchangeServer -identity EXCH02 -internetwebproxy:
Set-ExchangeServer -identity EXCH03 -internetwebproxy:

**Note** Change the server name and proxy IP to match your environment.

You can verify that the proxy is set on each server by running:

Get-ExchangeServer |fl name,internetwebproxy

Now you shouldn't be blocked by your proxy when trying to do everyday Exchange management, but like I said above best is to allow Exchange out to the internet "uninhibited" to alleviate all the headaches :)
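The steps above folded into one script, as an added example that is not part of the original post: it reads the current user's IE proxy settings from the registry, stops if only a PAC script is configured (the note above: WinHTTP cannot import one), pushes the explicit proxy plus the bypass list into WinHTTP in a single netsh call rather than the two separate set/import calls, then sets and verifies InternetWebProxy on each Exchange server. The server names, the exchangeitup.* bypass domains and the registry-reading logic are assumptions for the example.

```powershell
# Added example (not from the original post). Run in an elevated EMS under the admin account that
# will manage the servers, since IE proxy settings are per user.
# Assumptions: server names and bypass domains are placeholders for your environment.
$Servers = 'EXCH01', 'EXCH02', 'EXCH03'
$Bypass  = '<local>;*.exchangeitup.com;*.exchangeitup.org;*.exchangeitup.net'

# 1. Read the per-user IE proxy configuration.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.AutoConfigURL -and -not $ie.ProxyServer) {
    throw "IE is configured with a PAC script only ($($ie.AutoConfigURL)); WinHTTP needs an explicit proxy."
}
if ($ie.ProxyEnable -ne 1 -or -not $ie.ProxyServer) {
    throw 'No explicit proxy is enabled for this user in IE; set one first (per user, not per computer).'
}

# ProxyServer is either "host:port" or "http=host:port;https=host:port;..."; keep the plain or http entry.
$proxy = ($ie.ProxyServer -split ';' |
          Where-Object { $_ -notmatch '=' -or $_ -like 'http=*' } |
          Select-Object -First 1) -replace '^http=', ''
"Explicit proxy from IE: $proxy"

# 2. WinHTTP is machine-wide and is what CU downloads and FIP-FS updates use; set proxy and bypass list together.
& netsh winhttp set proxy "proxy-server=$proxy" "bypass-list=$Bypass" | Out-Null
& netsh winhttp show proxy

# 3. Exchange's own outbound HTTP (Remote PowerShell, federation) honours InternetWebProxy, which takes a URI.
foreach ($s in $Servers) {
    Set-ExchangeServer -Identity $s -InternetWebProxy "http://$proxy"
}

# 4. Verify on all three at once.
Get-ExchangeServer | Where-Object { $Servers -contains $_.Name } | Format-List Name, InternetWebProxy
```

The proxy credentials still come from Credential Manager as in the step above; nothing in this script stores a password, which is also why it is safe to keep in a runbook.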

Wednesday, July 27, 2016

Exchange 2016 Installing Exchange In A Resource Forest: Part 4

This is a continuation from Part 3 of my Installing Exchange 2016 in a Resource Forest series.

I've also created this guide as an eBook. Click the following links for each format:

Request and Import a new UC certificate

Generate the Cert Request (CSR)

1. On one Mailbox Server, open the Exchange Admin Center (EAC) and navigate to Servers > Certificates.
2. Hit the "+" button.
3. Choose to create a request for a certificate from a certification authority.
4. Enter a friendly name for the cert (can be anything you want). You'll see this name in the list of certificates installed on the server, so make it something that you will easily recognize; maybe call your new certificate something like "Exchange 2016 UC Cert".

Although you can technically use a Wildcard cert, don’t select Wildcard – it makes things painful later on.

5. Choose a server to store the cert request on. This server will be used to complete the request, and will be the first server that has the certificate installed.
6. Now, just hit "Next" because we'll select the SSL names on the next screen.
7. At the next step you can select and remove any unwanted names, edit existing names, or add more names to the certificate request.

The most important ones we need will be:


**Note** The server name will be present, and won’t hurt anything. You’ll also need to add any extra domains you will be using. For instance us.domain.com or domain.org.

You will need to pay for each additional domain name, but it depends on your provider, so it’s best to only include the ones you need.

8. Enter your Organization info.
9. Enter a UNC path to save the request on: \\EXCH-MBX-01\c$\temp\exchcert.req
10. Click Finish and submit that .req to your Certificate Authority like DigiCert or GoDaddy.

Complete the Pending Cert Request

1. Download the cert file provided from your CA to C:\Temp
2. In the EAC, go to Servers > Certificates
3. Click the Pending Request, and in the right-hand pane, click Complete near the bottom.
4. Enter the UNC for the cert file: \\EXCH-MBX-01\c$\temp\newcert.cer

If successful, it will show as “Valid”.

Assign the Cert to Services

Once your cert is installed, you can assign it to Exchange services such as IIS, SMTP, etc.

1. Still in Servers > Certificates, select the new SSL cert, and click the "Pencil" button.
2. Check every box that you need; most times you'll need IIS, SMTP, POP, IMAP. If you run UM, check those too.
3. Click "Save".
4. You will be prompted to overwrite the existing SMTP service; click "Yes".

Configure Outlook Anywhere

1. In the EAC, go to Servers, and double-click your first server.
2. Choose Outlook Anywhere.
3. Set your namespace for Internal and External host names to match the namespaces you used in the Set Namespace section, i.e. mail.domain.com
4. Set NTLM for the auth method.
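The certificate request, completion and service assignment above, plus the Outlook Anywhere settings, done from the EMS instead of the EAC, as an added example that is not part of the original post. It adds the checks a practitioner wants before binding the certificate to IIS and SMTP: that it is not a wildcard (the post's advice), that every namespace is in the SAN list, and that the private key is present so it can later be exported to the load balancer. mail.domain.com, autodiscover.domain.com, EXCH-MBX-01, the Organization values and the C:\Temp file names are placeholders.

```powershell
# Added example (not from the original post). Run in the EMS on the server that will hold the request.
# Assumptions: all names, paths and the Organization fields below are placeholders.
$Server   = 'EXCH-MBX-01'
$Friendly = 'Exchange 2016 UC Cert'
$Names    = 'mail.domain.com', 'autodiscover.domain.com'   # add us.domain.com, domain.org, ... as needed
$ReqPath  = 'C:\Temp\exchcert.req'
$CertPath = 'C:\Temp\newcert.cer'                           # the file the CA sends back

# 1. Generate the request. No wildcard: every name is listed explicitly in the SAN field.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -FriendlyName $Friendly `
    -SubjectName "CN=$($Names[0]),O=Example Org,L=City,S=State,C=US" `
    -DomainName $Names -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path $ReqPath -Value $csr -Encoding Ascii
"CSR written to $ReqPath - submit it to the CA, then continue once $CertPath exists."

# 2. Complete the pending request with the CA-issued certificate (on the same server).
$imported = Import-ExchangeCertificate -Server $Server `
    -FileData ([byte[]](Get-Content -Path $CertPath -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint

# Sanity checks before this certificate is trusted by IIS/SMTP.
if ($cert.CertificateDomains | Where-Object { $_ -match '\*' }) {
    throw 'Wildcard certificate; the post advises against it.'
}
$missing = $Names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }
if (-not $cert.HasPrivateKey) { throw 'Private key missing; the request was completed on a different server than it was created on.' }

# 3. Assign services. -Force answers the "overwrite the existing SMTP certificate" prompt.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP -Force
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Status, Services, CertificateDomains, NotAfter

# 4. Outlook Anywhere on the same server: one namespace inside and out, SSL required, NTLM auth.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Names[0] -ExternalHostname $Names[0] `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Ntlm `
    -DefaultAuthenticationMethod Ntlm
```

Repeat step 4 for every Mailbox server; steps 1 to 3 run once, and the other servers receive the certificate by export/import (Export-ExchangeCertificate produces the same .pfx you upload to the load balancer in the next section).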

Import certificates on the Load Balancer

Each Load Balancer is different, but for Kemp follow these steps:

1. Export your certificate from Exchange.

On the Load Balancer:

2. Go to Virtual Services > View/Modify Services.
3. Click the Add New button under the Certificate Installed column.
4. Click Import Certificate in the upper-right, then next to Certificate File, click Browse.
5. Select the .pfx file that you exported from Exchange, input the passphrase, and specify the cert name: Exchange 2016 UC Cert
6. Click "Save".
7. On the Cert Config screen, select the VIP in the "Available VSs" box and hit the right arrow to move it to the Assigned VSs box.
8. Save Changes.
9. Now back at the View/Modify Services page, you can see the cert is assigned to the VIP.

Now test your pings and nslookups to ensure that mail and autodiscover resolve to the LB, and open OWA and Outlook to ensure you don't get any cert prompts.

All Done!

You should now have your Exchange Resource Forest set up and functioning behind your Load Balancer, with mail flowing in and out through your Edge server.

Now create some linked mailboxes by following my previous post:

Exchange 2016 Installing Exchange In A Resource Forest: Part 3

This is a continuation from Part 2 of my Installing Exchange 2016 in a Resource Forest series.

I've also created this guide as an eBook. Click the following links for each format:

Setup POP and IMAP

If using POP and IMAP, run these cmdlets on each server:

Set-POPSettings -ExternalConnectionSetting {mail.domain.com:995:SSL}

Set-ImapSettings -ExternalConnectionSetting {mail.domain.com:993:SSL}

Set-POPSettings -X509CertificateName mail.domain.com

Set-IMAPSettings -X509CertificateName mail.domain.com

Next, start the POP and IMAP services and set to Automatic on each server
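The four cmdlets above plus the service start, run against every Mailbox server from one EMS session, as an added example that is not part of the original post. Both the client-access (frontend) and backend POP/IMAP services have to run, and the X509CertificateName must match a SAN on the certificate enabled for POP and IMAP or clients get a name-mismatch warning. Server names are placeholders.

```powershell
# Added example (not from the original post). Run once in the EMS; it loops over the servers.
# Assumptions: mail.domain.com is the namespace and the server names are placeholders.
$Namespace = 'mail.domain.com'
$Servers   = 'EXCH-MBX-01', 'EXCH-MBX-02'
$Services  = 'MSExchangePOP3', 'MSExchangePOP3BE', 'MSExchangeIMAP4', 'MSExchangeIMAP4BE'

foreach ($s in $Servers) {
    # The external connection string is what Autodiscover hands to clients; ${} keeps PowerShell
    # from reading "$Namespace:995" as a drive-qualified variable.
    Set-PopSettings  -Server $s -ExternalConnectionSettings "${Namespace}:995:SSL" -X509CertificateName $Namespace
    Set-ImapSettings -Server $s -ExternalConnectionSettings "${Namespace}:993:SSL" -X509CertificateName $Namespace

    foreach ($svc in $Services) {
        Set-Service -ComputerName $s -Name $svc -StartupType Automatic
        $state = Get-Service -ComputerName $s -Name $svc
        if ($state.Status -ne 'Running') { Start-Service -InputObject $state }
    }
}

# Verify the settings and the service state on every server.
foreach ($s in $Servers) {
    Get-PopSettings  -Server $s | Select-Object Server, ExternalConnectionSettings, X509CertificateName
    Get-ImapSettings -Server $s | Select-Object Server, ExternalConnectionSettings, X509CertificateName
    Get-Service -ComputerName $s -Name $Services | Select-Object MachineName, Name, Status
}
```

Set-Service and Get-Service with -ComputerName are Windows PowerShell 5.1 behaviour (the version on the Exchange servers this post targets); they are not available that way in PowerShell 7.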

Redistribute (balance) the Database across the DAG

To redistribute the database across the DAG according to activation preference, run the following cmdlets in the EMS:

cd $exscripts

Then, run:

.\RedistributeActiveDatabases.ps1 -DagName "DAG01" -BalanceDbsByActivationPreference -Confirm:$False

Edge Server Setup

On a stand-alone server in the DMZ (not joined to the domain), configure the server name with a DNS suffix matching your Exchange Forest:

Right-click “This PC” > Properties > Advanced System Settings > Computer Name > Change > More.

Enter the DNS suffix to match your Exchange Forest, like so:


**Note** We’re only changing the suffix, leave the server in the workgroup it is currently in.

Reboot the Edge server for the name to take effect.

In the NIC properties, set a static IP and add your Exchange Forest DC\DNS servers as DNS providers, and mark the “register the IP in DNS” checkbox.

The Edge Server needs to be able to resolve the mailbox servers by name and vice-versa.

Ports that need to be open in your firewalls:

Port TCP 25 in/out between the Edge and the internet

Port TCP 25 in/out between the Edge and the internal LAN

Port TCP 50636 from internal LAN to the DMZ

Next install the Exchange Edge pre-reqs by running the cmdlet in an Elevated Windows PowerShell:

Install-WindowsFeature ADLDS

Run Windows Update and install all updates except for .Net 4.6.1; it's best to hide that update.

Download the most current Exchange 2016 CU ISO to the C:\TEMP\CU folder and extract it.

In an Elevated CMD prompt, run:


And then run the following command:

setup /m:install /r:et /IAcceptExchangeServerLicenseTerms

Reboot the server and install any other needed updates.

Edge Subscription Creation

On the Edge server, in the EMS, run:

New-EdgeSubscription -FileName C:\Temp\Edge.xml

Copy the Edge.xml subscription file to C:\Temp on any Mailbox server.

On the mailbox server you copied the .xml file to, in the EMS, run:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Temp\Edge.xml" -Encoding Byte -ReadCount 0)) -Site "resourcedomain.com/Configuration/Sites/Default-First-Site-Name"

On your Mailbox Servers in the EAC > Mail Flow > Send Connectors, you will see the new EdgeSync Send Connectors.

**Note** If you previously had any Send Connectors set up, you’ll need to remove those.

You will need to ensure that your MX records point to the Public IP of your Edge Server – which should be NAT’d behind your firewall on Port 25.

Verify inbound/outbound mailflow.
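The Edge server preparation above (DNS suffix, static IP and forest DNS, name resolution both ways, the firewall ports, and the post-subscription check) scripted from an elevated PowerShell on the Edge box, as an added example that is not part of the original post. Every address and name in it (resourcedomain.com, the 192.0.2.x / 10.0.0.x addresses, EXCH-MBX-01) is a placeholder; the script only sets the suffix and leaves the server in its workgroup, as the note above requires.

```powershell
# Added example (not from the original post). Elevated PowerShell on the Edge server, before running setup.
# Assumptions: all names and addresses below are placeholders for your environment.
$Suffix     = 'resourcedomain.com'
$EdgeIp     = '192.0.2.10'; $Prefix = 24; $Gateway = '192.0.2.1'
$ForestDns  = '10.0.0.10', '10.0.0.11'            # DC/DNS servers of the Exchange (resource) forest
$MailboxSrv = 'EXCH-MBX-01'
$Nic        = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# 1. Primary DNS suffix only: no domain join in the DMZ, the server stays in its workgroup.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $Suffix
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $Suffix
# A reboot is required before the new FQDN is used.

# 2. Static IP, forest DCs as resolvers, register the address in DNS.
New-NetIPAddress -InterfaceIndex $Nic.ifIndex -IPAddress $EdgeIp -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $ForestDns
Set-DnsClient -InterfaceIndex $Nic.ifIndex -RegisterThisConnectionsAddress $true -ConnectionSpecificSuffix $Suffix

# 3. Name resolution must work in both directions or EdgeSync will fail.
Resolve-DnsName -Name "$MailboxSrv.$Suffix" -Type A | Format-Table Name, IPAddress       # Edge -> Mailbox
Resolve-DnsName -Name $EdgeIp                       | Format-Table Name, NameHost        # reverse lookup of the Edge

# 4. Ports: TCP 25 to the Mailbox servers must be reachable from here; TCP 50636 must be allowed in
#    from the LAN only (EdgeSync over AD LDS). An empty rule listing means 50636 is not yet allowed.
Test-NetConnection -ComputerName "$MailboxSrv.$Suffix" -Port 25 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 50636 | Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action

# 5. After New-EdgeSubscription has been run on both sides, confirm synchronisation from a Mailbox server:
#    Start-EdgeSynchronization
#    Test-EdgeSynchronization | Format-List SyncStatus, LastSynchronizedDate, FailureDetail
```

Step 4 deliberately does not test outbound 25 to the internet from the script; check that from the firewall logs once the MX record is live, so the Edge server is never used as a scanner of outside hosts.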

Load Balancer Setup

Gareth Gudger (SuperTekBoy) has written an excellent guide on setting up a Kemp Load Balancer for Exchange.

Follow his guide here:

CAS Setup

Set DNS Entries

We will be using Split-DNS – meaning on your internal DNS mail.domain.com will resolve to your internal VIP of your Load Balancer; while on the External DNS, mail.domain.com will resolve to the Public IP of your Firewall, which will NAT to your Load Balancer VIP.

Create the DNS A-Record for “mail” on Internal and External DNS.

This will be an A-Record for mail, pointing to the VIP of your Load Balancer, for instance:

Internally - Mail >

Externally – mail.domain.com >

Configure your autodiscover record pointing to your Load Balancer for both Internal and External DNS.

Internal – autodiscover >

External – autodiscover.domain.com >
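A check for the split-DNS records above (and for the "test your pings and nslookups" step at the end of Part 4), as an added example that is not part of the original post: it resolves mail and autodiscover against the internal resolver and a public one and compares each answer with the address that view is supposed to return. The resolver addresses, the VIP and the public IP are placeholders.

```powershell
# Added example (not from the original post). Run from any machine that can reach both resolvers.
# Assumptions: resolver addresses, the load balancer VIP and the firewall public IP are placeholders.
$Domain   = 'domain.com'
$Internal = @{ Resolver = '10.0.0.10'; Expect = '10.0.0.50'   }   # internal DNS -> load balancer VIP
$External = @{ Resolver = '1.1.1.1';   Expect = '203.0.113.5' }   # public DNS   -> firewall IP NATed to the VIP

function Test-SplitDns {
    param([string]$Name, [hashtable]$View, [string]$Label)
    # Resolve-DnsName returns CNAME and A records together; keep only the final A addresses.
    $answers = Resolve-DnsName -Name $Name -Type A -Server $View.Resolver -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        View     = $Label
        Name     = $Name
        Resolved = ($answers -join ', ')
        Expected = $View.Expect
        OK       = [bool]($answers -contains $View.Expect)
    }
}

$results = foreach ($fqdn in "mail.$Domain", "autodiscover.$Domain") {
    Test-SplitDns -Name $fqdn -View $Internal -Label 'internal'
    Test-SplitDns -Name $fqdn -View $External -Label 'external'
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'At least one view does not resolve to its expected target; clients on that side will not reach the load balancer.'
}
```

A row that resolves correctly internally but not externally usually means the public A record has not propagated yet; the reverse points at a stale internal zone, which is the case that produces certificate prompts in Outlook because the client lands on a server instead of the VIP.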

Create Namespace

Use Paul Cunningham’s (ExchangeServerPro) awesome script to automatically set your namespaces in one shot.

Next, follow Part 4 here