New distribution group: couldn’t find object

On creating a new distribution group in Exchange you could get the following error:

Couldn’t find object “<user object in AD>”. Please make sure that it was spelled correctly or specify a different object. Reason: the recipient <user object in AD> isn’t the expected type.


You probably logged in with an administrator account that has no mailbox. Exchange automatically makes the account that creates a distribution group its manager (the ManagedBy attribute), and ManagedBy must point to a mail-enabled recipient, so creation fails for a mailbox-less admin with exactly this "isn't the expected type" error.

To get around this without creating a mailbox for the admin account, create the group from the Exchange Management Shell with New-DistributionGroup and pass an explicit "ManagedBy" parameter that points to a mail-enabled user.
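As an added example (not part of the original post), this is how the group can be created from the EMS with an explicit manager. Group name, alias, OU and the manager's address are assumed placeholders; the Get-Recipient check up front reproduces the validation the console failed on.

```powershell
# Added example: create a distribution group from EMS with an explicit ManagedBy.
# $groupName, $manager and the OU are assumed placeholders.
$groupName = "Sales Team"
$manager   = "john.doe@contoso.com"   # must resolve to a mail-enabled recipient

# Fail early if the intended manager is not a mail-enabled recipient;
# this is the condition behind "isn't the expected type" in the console.
$mgr = Get-Recipient -Identity $manager -ErrorAction SilentlyContinue
if (-not $mgr) { throw "Manager '$manager' is not a mail-enabled recipient" }

New-DistributionGroup -Name $groupName `
    -Alias "salesteam" `
    -SamAccountName "salesteam" `
    -OrganizationalUnit "contoso.com/Groups" `
    -Type Distribution `
    -ManagedBy $manager `
    -MemberJoinRestriction Closed `
    -MemberDepartRestriction Closed

# Confirm who can now change the membership of the group
Get-DistributionGroup -Identity $groupName |
    Format-List Name, ManagedBy, MemberJoinRestriction, MemberDepartRestriction
```

Closed join/depart restrictions are deliberate: without them, Exchange 2010 defaults allow members to leave the group on their own, which is rarely wanted for a managed group.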

Exchange 2010: setting room permissions

To set permissions on a room mailbox in Exchange 2010, you have to use the PowerShell cmdlet Add-MailboxFolderPermission. The Identity is the mailbox followed by the folder path; for a room you normally want the Calendar folder, because without a folder path the permission lands on the mailbox root instead.

Add-MailboxFolderPermission -Identity <roomname>@<domain.com>:\Calendar -User <email address of user who needs access> -AccessRights <AccessRight>

The parameter AccessRights specifies the permissions for the user. You can use one or more of the following individual rights:

  • ReadItems   The user has the right to read items within the specified folder.
  • CreateItems   The user has the right to create items within the specified folder.
  • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
  • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
  • EditAllItems   The user has the right to edit all items in the specified folder.
  • DeleteAllItems   The user has the right to delete all items in the specified folder.
  • CreateSubfolders   The user has the right to create subfolders in the specified folder.
  • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can’t read items, edit items, delete items, or create items.
  • FolderContact   The user is the contact for the specified public folder.
  • FolderVisible   The user can view the specified folder, but can’t read or edit items within the specified public folder.

AccessRights also accepts a role, which is a predefined bundle of the rights above:

  • None   FolderVisible
  • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
  • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
  • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
  • Reviewer   ReadItems, FolderVisible
  • Contributor   CreateItems, FolderVisible

For example, if I want to give all users the right to review the calendar of the meeting room, and a user named John Doe should receive the Contributor permission, I need two Add-MailboxFolderPermission commands: one granting the Reviewer role to the Default user (which stands for all authenticated users) and one granting Contributor to John Doe.
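The two commands, as an added example that is not part of the original post. The room address and John Doe's address are assumed placeholders; Get-/Set-MailboxFolderPermission are used for the check and the "already exists" case (Set-MailboxFolderPermission requires Exchange 2010 SP1 or later).

```powershell
# Added example: room calendar permissions. Addresses are assumed placeholders.
$room     = "meetingroom@contoso.com"
$calendar = "${room}:\Calendar"   # name the folder; without it the mailbox root is targeted

# Everyone (the special user "Default") may read the room's calendar
Add-MailboxFolderPermission -Identity $calendar -User Default -AccessRights Reviewer

# John Doe may additionally create items in it
Add-MailboxFolderPermission -Identity $calendar -User "john.doe@contoso.com" -AccessRights Contributor

# Add-* fails if an entry for the user already exists; change an existing entry with Set-*:
# Set-MailboxFolderPermission -Identity $calendar -User "john.doe@contoso.com" -AccessRights Editor

# Review the result. "Anonymous" should normally stay at None on a room calendar,
# otherwise unauthenticated callers can see the room's bookings.
Get-MailboxFolderPermission -Identity $calendar | Format-Table User, AccessRights -AutoSize
```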

new-TestCasConnectivityUser.ps1 error OU exists

When I wanted to create a test user for SCOM 2007 to monitor Exchange, I constantly ran into the following error whenever I ran the script new-TestCasConnectivityUser.ps1:

CreateTestUser : Mailbox could not be created. Verify that OU ‘Users’ exists and that password meets complexity requirements.

I checked Google, and all solutions pointed to there being more than one Users OU.
When I edited the script and replaced the variable $OrganizationalUnit with a different OU, I still received the same error.

The solution came when I created a new OU in AD and edited the script again, this time setting $OrganizationalUnit to the newly created OU. After that the script ran perfectly.

Exchange: Failed to mount database

This morning, when our Exchange server came back up after a planned shutdown, it couldn’t mount its database.
The error message I received when trying to mount the database was:

——————————————————–
Microsoft Exchange Error
——————————————————–
Failed to mount database 'Mailbox Database xxxxxxxxxx'.

'Mailbox Database xxxxxxxxxx'
Failed
Error:
Couldn’t mount the database that you specified. Specified database: 'Mailbox Database xxxxxxxxxx'; Error code: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f, ec=-2147221233)
[Database: 'Mailbox Database xxxxxxxxxx', Server: <FQDN Server>].

An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f, ec=-2147221233)
[Database: 'Mailbox Database xxxxxxxxxx', Server: <FQDN Server>]

An Active Manager operation failed. Error: Operation failed with message: MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f, ec=-2147221233)
[Server: <FQDN Server>]

MapiExceptionNotFound: Unable to mount database. (hr=0x8004010f, ec=-2147221233)

This can happen when the domain controller the management tools use for configuration data (ConfigurationDomainController) does not match the PreferredGlobalCatalog (see http://support.microsoft.com/kb/977960/EN-US).

After executing “Set-ADServerSettings -PreferredServer <FQDN Domain Controller>” in the Exchange Management Shell, the database could be mounted again. Note that Set-ADServerSettings only applies to the current shell session; it does not change which domain controllers the Exchange server itself uses.
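As an added example (not from the original post), the checks and the fix in one EMS session. The domain controller and database names are assumed placeholders.

```powershell
# Added example: compare the DCs in use, pin the session to one GC, retry the mount.
# $dc and $db are assumed placeholders.
$dc = "dc01.contoso.local"            # a DC that is also a GC in the Exchange server's site
$db = "Mailbox Database 0123456789"   # the database that refuses to mount

# 1. Which DCs is this EMS session using right now?
Get-ADServerSettings |
    Format-List ConfigurationDomainController, PreferredGlobalCatalog, PreferredDomainControllers

# 2. Which DCs has the Exchange server itself selected (DSAccess topology)?
Get-ExchangeServer -Identity $env:COMPUTERNAME -Status |
    Format-List CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController

# 3. Pin the session to one DC/GC so both values agree.
#    Per-session only: a new EMS window starts with the automatic selection again.
Set-ADServerSettings -PreferredServer $dc

# 4. Retry the mount and verify the outcome
Mount-Database -Identity $db
Get-MailboxDatabase -Identity $db -Status | Format-List Name, Mounted, MountedOnServer
```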

Exchange Spam SenderOnRecipientSafeList

In our Exchange 2010 environment (combined with Forefront anti-spam) one user kept receiving spam. The spam used his own e-mail address as the sender and was stamped SenderOnRecipientSafeList, which means it skipped content filtering because the recipient's own address is on his safe senders list.


This was caused by the fact that our internet-facing Receive Connector granted Anonymous Logon the extended right ms-Exch-SMTP-Accept-Authoritative-Domain-Sender. That right basically tells the Exchange server: “accept mail from anonymous senders even when the MAIL FROM address is in a domain you are authoritative for”. In other words, anyone on the internet could spoof one of our own addresses, and a spoofed internal sender is exactly what lands on a safe senders list.

With a powershell command you can remove this right from the receive connector.

Remove-ADPermission -Identity "<ServerName>\<ConnectorName>" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

note: <ConnectorName> is the name of the connector that accepts your inbound internet mail, and for Remove-ADPermission it is written as <ServerName>\<ConnectorName>. After the change, anonymous sessions that claim an internal sender address are refused with “550 5.7.1 Client does not have permissions to send as this sender”. That also hits internal devices or applications (scanners, monitoring) that submit anonymously with an internal From address through this connector; give those their own connector restricted to their IP addresses instead of putting the right back.

Your internet inbound connector can be found under Server Configuration \ Hub Transport \ Receive Connectors.
You can enable logging on this connector by opening its properties; on the General tab set the [Protocol Logging Level] to “Verbose”.


Of course you also want to know where the log files are. Open the properties of your Hub Transport server (Server Configuration \ Hub Transport, in the Action pane); the [Log Settings] tab shows the “Receive Protocol Log Path”. Inbound sessions on a receive connector are written to the receive protocol log, not the send protocol log.
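The whole change done from the EMS, as an added example that is not part of the original post: show what Anonymous Logon may do on the connector, remove the right, turn on verbose logging and find the log path. Server and connector names are assumed placeholders.

```powershell
# Added example: harden the internet-facing receive connector against spoofed internal senders.
# $server and $connector are assumed placeholders.
$server    = "EXCH01"
$connector = "$server\Internet Inbound"
$right     = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"
$anon      = "NT AUTHORITY\ANONYMOUS LOGON"

# 1. What may Anonymous Logon currently do on this connector?
Get-ReceiveConnector -Identity $connector |
    Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights } |
    Select-Object User, @{n="ExtendedRights"; e={ $_.ExtendedRights -join "," }}, Deny

# 2. Take away the right that lets anonymous senders use our own domains in MAIL FROM
Get-ReceiveConnector -Identity $connector |
    Remove-ADPermission -User $anon -ExtendedRights $right -Confirm:$false

# 3. Verbose protocol logging, so refused spoof attempts can be seen
Set-ReceiveConnector -Identity $connector -ProtocolLoggingLevel Verbose

# 4. Inbound sessions end up in the *receive* protocol log of the Hub Transport server
Get-TransportServer -Identity $server |
    Format-List ReceiveProtocolLogPath, ReceiveProtocolLogMaxAge, ReceiveProtocolLogMaxDirectorySize

# 5. Verify the right is gone (expected: no output).
#    In the log, an anonymous MAIL FROM:<user@contoso.com> should now be answered with
#    "550 5.7.1 Client does not have permissions to send as this sender".
Get-ReceiveConnector -Identity $connector | Get-ADPermission -User $anon |
    Where-Object { ($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right }
```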


Exchange 2010 – relaying to external email addresses

We have a scanner in our office which can send scanned documents to any email address specified. After our migration to Exchange 2010 this did not work anymore.

I created a new Receive Connector, specified the IP addresses that were allowed to relay externally, and ticked the “Anonymous users” checkbox.


The scanner was able to send scanned documents to internal email addresses, but it could not send to any external domain.

It turns out that ticking the “Anonymous users” checkbox grants the following extended rights to the Anonymous Logon group:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

“Ms-Exch-SMTP-Accept-Any-Recipient” is missing from that list, and that is what prevents the scanner from relaying through the Exchange server to external recipients. You can add it by opening the EMS (Exchange Management Shell) and issuing:

Get-ReceiveConnector "<ServerName>\<Receive Connector name>" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Be aware that this makes the connector an open relay for every address in its remote IP range. Keep that range limited to the scanner's own IP address(es), and never add this right to the internet-facing connector.
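As an added example (not from the original post), creating the relay connector from the EMS with the scope locked down, then adding the missing right and checking that the connector is not broader than intended. Server name, connector name and scanner address are assumed placeholders.

```powershell
# Added example: a dedicated anonymous relay connector for one device.
# $server, $name and $scanner are assumed placeholders.
$server  = "EXCH01"
$name    = "Scanner Relay"
$scanner = "192.0.2.10"                # only the device(s) that must relay, never the whole LAN
$anon    = "NT AUTHORITY\ANONYMOUS LOGON"

# 1. Dedicated connector scoped to the scanner's IP. Overlapping bindings with the default
#    connector are fine as long as the remote IP ranges differ; the most specific range wins.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $scanner `
    -PermissionGroups AnonymousUsers

# 2. Without this right the device can deliver internally but gets
#    "550 5.7.1 Unable to relay" for external recipients.
Get-ReceiveConnector -Identity "$server\$name" |
    Add-ADPermission -User $anon -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Sanity check: everything in RemoteIPRanges can now relay anywhere, so refuse a broad range
$rc     = Get-ReceiveConnector -Identity "$server\$name"
$ranges = $rc.RemoteIPRanges | ForEach-Object { "$_" }
if ($ranges.Count -gt 5 -or $ranges -contains "0.0.0.0-255.255.255.255") {
    throw "RemoteIPRanges on '$name' is too broad for an anonymous relay connector: $($ranges -join ', ')"
}

# 4. Show the effective anonymous rights on the new connector
$rc | Get-ADPermission -User $anon | Where-Object { $_.ExtendedRights } |
    Select-Object @{n="Right"; e={ $_.ExtendedRights -join "," }}, Deny
```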

Exchange 2010 Backup and Restore (powershell)

In Exchange 2010 you can’t use ExMerge anymore. Instead you create a backup of your database (with Windows Server Backup), restore it in case of an emergency and attach it to Exchange as a separate database (a recovery database). From there you can restore a mailbox’s content.

Prerequisites:

  • Make sure your server has the Windows Server Backup feature installed
    note: this is based on a Windows 2008 R2 server
  • Start the Windows service “Microsoft Exchange Server Extension for Windows Server Backup” and set its startup type to Automatic

Backup

First of all you have to make a backup of your Exchange environment.

  • Start Windows Server Backup
  • Click “Backup Schedule” (or “Backup Once” if you don’t want the backup scheduled to run every night). In the Getting Started screen click [Next]
  • You can make a full backup of your server or just choose your Exchange directory. I opted for the latter. Choose [Custom] and then click [Next]
  • The next screen asks you to select the items to back up. Click [Add Items] and add the location where Exchange is installed (mine was D:\Exchange Server). Then click [Advanced Settings] and make sure you select “VSS full Backup” under the “VSS Settings” tab; a VSS copy backup does not truncate the transaction logs. Then click [Next]
  • If you chose “Backup Schedule” at the start, you are now presented with a dialog box in which to create your schedule. When done, click [Next]
  • The next screen asks for a destination for the backup files. I chose “Back up to a shared network folder”. Then click [Next]
  • Next, specify the remote shared folder. Choose one and click [Next]
  • You are then prompted for a username and password. Fill in an account that has write access to the shared folder you are backing up to. Click [Finish]
  • The wizard creates the backup schedule and then returns the status. It should read “You have successfully created the backup schedule”. Click [Close].

OK, your backup should now be scheduled. Now let’s see what you have to do whenever you want to restore a mailbox.
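The same backup from the command line, as an added example that is not part of the original post, followed by a check from Exchange's side that the backup counted as a full one. The share and volume are assumed placeholders; wbadmin must be run from an elevated shell. The include here is the whole volume rather than the Exchange folder, which is what the Exchange VSS writer expects.

```powershell
# Added example: one-off VSS full backup with wbadmin, then verify Exchange saw it.
# $target and $volume are assumed placeholders. Run from an elevated EMS.
$target = "\\backupsrv\exchange-backups"
$volume = "D:"     # volume holding the database and log files

# Equivalent of "Backup Once" with "VSS full Backup": -vssFull makes the Exchange writer
# mark the databases as backed up and truncate the transaction logs afterwards.
& wbadmin start backup -backupTarget:$target -include:$volume -vssFull -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Exchange's view: LastFullBackup must have moved to now and no backup may still be "in progress"
Get-MailboxDatabase -Status |
    Format-Table Name, LastFullBackup, BackupInProgress, Mounted -AutoSize

# What Windows Server Backup has on the target; these are the dates offered by the Recover wizard
& wbadmin get versions -backupTarget:$target
```

If LastFullBackup does not change, the Exchange writer was not involved (service not running, or a copy backup), and the log files will keep growing until a real full backup runs.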

Restore

  • First of all, you have to restore your latest backup. Start Windows Server Backup again and choose the [Recover] option. On the Recovery Wizard screen select “A backup stored on another location”, then click [Next]
  • Specify “Remote Shared Folder” as the location type. Click [Next]
  • Enter the remote shared folder location and click [Next]
  • On the next screen select the date of the backup you want to recover. Pick one and click [Next]
  • Select “Files and Folders” as the recovery type, then click [Next]
  • Now select the Exchange folder that you backed up. Then click [Next].
  • Choose to restore the database to a different location, never over the live database. Click [Next]
  • Confirm the restore by clicking [Recover]
  • After the restore is done, open the Exchange Management Shell and change directory to the location where the restored .edb file and the log files are.
  • Run the command: “eseutil /r E00 /d <full path to restore folder>”. E00 is the log file prefix; use the prefix of the restored database’s log files (E00, E01, ...), which you can read from the log file names.
  • Next run “eseutil /mh <edb filename.edb>”. In the output verify that the state of the database is “Clean Shutdown”. If it reads “Dirty Shutdown”, the log replay did not complete; do not attach the database until it is clean.
  • You can now create a new recovery database, named RestoreDB. Execute:
    “New-MailboxDatabase -Recovery -Name RestoreDB -Server <ServerName> -EdbFilePath <path to edbfile.edb> -LogFolderPath <path to folder with logfiles>”
  • Next mount the database:
    “Mount-Database -Identity RestoreDB”
  • To restore a mailbox you can now execute:
    “Restore-Mailbox -Identity <mailboxname> -RecoveryDatabase RestoreDB”
    (Restore-Mailbox is the Exchange 2010 RTM cmdlet; from SP1 onward use “New-MailboxRestoreRequest -SourceDatabase RestoreDB -SourceStoreMailbox <mailboxname> -TargetMailbox <mailboxname>”.)

That’s it.

  • To clean up, dismount the database and then remove it:
    a. “Dismount-Database -Identity RestoreDB”
    b. “Remove-MailboxDatabase -Identity RestoreDB”

    Removing the database does not delete its files; you have to delete them from the file system manually.
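The restore steps above as one EMS script, added here as an example that is not part of the original post. Paths, server name and mailbox names are assumed placeholders. It reads the log prefix from the restored files instead of assuming E00, stops if the header is not Clean Shutdown, and picks Restore-Mailbox or New-MailboxRestoreRequest depending on which one the installed version has.

```powershell
# Added example: recovery database restore, end to end. All names below are assumed placeholders.
$restoreDir  = "E:\Restore\Mailbox Database 0123456789"   # where Windows Server Backup put the files
$edb         = Join-Path $restoreDir "Mailbox Database 0123456789.edb"
$server      = "EXCH01"
$rdb         = "RestoreDB"
$sourceName  = "John Doe"               # display name of the mailbox inside the restored database
$target      = "john.doe@contoso.com"   # live mailbox that receives the restored content

# 1. Replay the logs. The 3-character prefix (E00, E01, ...) belongs to the restored database;
#    read it from a log file name rather than assuming E00.
$log = Get-ChildItem -Path $restoreDir -Filter "E??*.log" | Select-Object -First 1
if (-not $log) { throw "No E??*.log files found in $restoreDir" }
$prefix = $log.Name.Substring(0, 3)
& eseutil /r $prefix /l $restoreDir /d $restoreDir
if ($LASTEXITCODE -ne 0) { throw "eseutil /r failed with exit code $LASTEXITCODE" }

# 2. Refuse to attach anything that is not in Clean Shutdown
$header = & eseutil /mh $edb
if (-not ($header -match "State:\s+Clean Shutdown")) { throw "Database is not in Clean Shutdown state" }

# 3. Recovery database: create, mount, list what it contains
New-MailboxDatabase -Recovery -Name $rdb -Server $server -EdbFilePath $edb -LogFolderPath $restoreDir
Mount-Database -Identity $rdb
Get-MailboxStatistics -Database $rdb | Format-Table DisplayName, ItemCount, TotalItemSize -AutoSize

# 4. Restore into the live mailbox: RTM has Restore-Mailbox, SP1 and later use restore requests
if (Get-Command New-MailboxRestoreRequest -ErrorAction SilentlyContinue) {
    New-MailboxRestoreRequest -SourceDatabase $rdb -SourceStoreMailbox $sourceName -TargetMailbox $target
    Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics |
        Format-Table Name, Status, PercentComplete -AutoSize
} else {
    Restore-Mailbox -Identity $target -RecoveryDatabase $rdb -Confirm:$false
}

# 5. Clean up once the restore has completed. The files on disk stay and must be deleted by hand.
# Dismount-Database -Identity $rdb -Confirm:$false
# Remove-MailboxDatabase -Identity $rdb -Confirm:$false
```

The clean-up lines are left commented out on purpose: with New-MailboxRestoreRequest the restore runs asynchronously, so the recovery database must stay mounted until the request shows Completed.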

Installing MS Forefront Security for Exchange Server

  Microsoft Forefront Security for Exchange Server integrates multiple scan engines from industry-leading security firms into a comprehensive, layered solution, helping businesses protect their Microsoft Exchange Server messaging environments from viruses, worms, spam, and inappropriate content.

  • Start forefrontexchangesetup.exe
  • Accept the License Agreement and click [Next]
  • You are warned that the “Microsoft Exchange Transport” service will be restarted (mail flow pauses while it restarts), so if that is not possible right now, abort the setup. Otherwise click [Next]
  • The next screen prompts for the installation locations. Change them if you want, then click [Next]
  • If you use a proxy server, fill in the details, then click [Next]
  • Enable the anti-spam feature (if needed), then click [Next]
  • The next screen is about joining the CEIP (Customer Experience Improvement Program). Check the box if you want to take part. Click [Next]
  • Verify your information, then click [Next] to begin the installation
  • After the installation, click [Finish]
  • Your Start menu should now contain the “Forefront Protection for Exchange Server Console”. Fire it up.
  • Activate your license, or continue with the evaluation (only valid for 119 days).
  • If you have an activation key, you will be prompted to supply your License Agreement Number. Click the link provided in the dialog.