Category Archives: Exchange

Fix: Error 500 when loading Shell or ECP on Exchange 2013 SP1

After installing Exchange 2013 with SP1 you might notice that when you open the Management Shell, you will get a bunch of errors with mainly the error 500: Internal Server Error. This can also be seen when you try to access the ECP or OWA on the server in question. This issue is only on Exchange 2013 with SP1 and with Client Access role installed.

The culprit can be one of the following three:

#1 Time synchronization

On the Primary Domain Controller (PDC) do the below

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
w32tm /config /reliable:yes
net start w32time

On the other DCs and servers do the following

net stop w32time
w32tm /config /syncfromflags:domhier /reliable:no /update
net start w32time


#2 Kerberos issues

Do the following on the affected servers to re-create the PowerShell virtual directory (replace <ServerName> with the name of the affected server).

Get-PowerShellVirtualDirectory -Server <ServerName> | Remove-PowerShellVirtualDirectory
New-PowerShellVirtualDirectory -Server <ServerName> -Name PowerShell
Get-PowerShellVirtualDirectory -Server <ServerName> | Set-PowerShellVirtualDirectory -BasicAuthentication:$false
IISReset

After re-creating the virtual directory, I checked its modules in IIS and made sure that the Kerberos module is native and the path to its DLL is correct.

#3 WinRM Extensions

The feature might be missing. Do the below to add it:

Get-WindowsFeature *IIS* #to check if it is installed
Add-WindowsFeature Winrm-IIS-Ext # to install


How to: Remove Arbitration mailboxes from Exchange Mailbox servers

Sometimes you would like to uninstall a mailbox server, but when you run Get-Mailbox -Arbitration -Database DataBase1 you see some mailboxes there. These arbitration mailboxes are used by the Exchange server itself, and they prevent you from deleting the mailbox database or server. You can either move or delete these mailboxes. If this is not the last mailbox server in your setup I would suggest you move them; otherwise delete them, or you will not be able to uninstall the server.

Moving the mailboxes
Get-Mailbox -Arbitration -Database EXCHDB1| New-MoveRequest -TargetDatabase EXCHDB2

Disabling the mailboxes
Get-Mailbox -Arbitration -Database EXCHDB1| Disable-Mailbox -Arbitration

Deleting the mailboxes
Get-Mailbox -Arbitration -Database EXCHDB1| Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

If you would like to re-create them, I would suggest the below

Setup.com /PrepareAD /IAcceptExchangeServerLicenseTerms
or
.\Setup /PrepareAD /IAcceptExchangeServerLicenseTerms


Fix: Missing Server Configuration in Exchange 2010 management console

When opening the Management Console in your Exchange 2010 you might notice that the Server Configuration node is missing. You might also notice that when you open a mailbox you do not see the size and other information; instead you get the yellow lock and no data is shown.

In most cases this is because you have Outlook installed and you logged in to Outlook as another user. The credentials are saved in the vault, and the Management Console tries to log in with that user. In fact, when you launch the Management Console and click on the Microsoft Exchange On-Premises node, you will notice while it is loading that it uses that user.

You would need to do the following:

– Open a command prompt using “Run as Administrator”
– Run the command “control keymgr.dll”
– Click “Back up vault” and follow the prompts to back everything up
– Remove any credentials related to the other user

After this, try to open the Management Console. If the problem persists, a quick restart of the server will do the job.


How to: Remove duplicate items from Exchange Mailboxes using Powershell

During an Exchange migration, users sometimes complain that there are duplicate entries of their calendar items. This is normal and can be fixed directly from the server using PowerShell. You will need to download the script here and then install Managed API 1.2 or later, which can be downloaded here.

Remove-DuplicateItems.ps1 [-Mailbox] <String> [[-Type] <String>] [-Server <String>] [-Impersonation] [-DeleteMode <String>] [-Mode <String>][-WhatIf] [-Confirm] [<CommonParameters>]

The parameters are explained below:

-Mailbox is the name of the mailbox to process;
-Type determines what folders are checked for duplicates. Valid options are Mail, Calendar, Contacts, Tasks, Notes or All (Default);
-Server is the name of the Client Access Server to access for Exchange Web Services. When omitted, the script will attempt to use Autodiscover;
-Impersonation: when this switch is specified, impersonation will be used for mailbox access, otherwise the current user context will be used;
-DeleteMode specifies how to remove messages. Possible values are HardDelete (permanently deleted), SoftDelete (use dumpster, default) or MoveToDeletedItems (move to Deleted Items folder).
-Mode determines how items are matched. Options are Quick, which uses PidTagSearchKey and is the default mode, or Full which uses a predefined set of attributes to match items, depending on the item class.

For this to work you need to set up impersonation for the user that will be running the script. This can be done as below for Exchange 2010:

New-ManagementRoleAssignment -Name ImpersonationRole -Role ApplicationImpersonation -User administrator

-Name: can be anything you like, it’s just a name
-User: the user account that will perform the impersonation (the user running the script)
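The assignment above carries no scope, so the account can impersonate every mailbox in the organization. The following added example (not part of the original post or of the Remove-DuplicateItems script) limits the right to members of one group and removes it afterwards; the account svc-dedupe, the group DedupeTargets and the scope and assignment names are assumptions to replace with your own.

```powershell
# Added example. Assumed names: svc-dedupe (account running the script),
# DedupeTargets (distribution group holding the mailboxes to clean up).

function Grant-ScopedImpersonation {
    # Scope that matches only recipients that are members of the group.
    $group = Get-DistributionGroup -Identity 'DedupeTargets'
    New-ManagementScope -Name 'DedupeScope' `
        -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"

    # Impersonation is granted only inside that scope.
    New-ManagementRoleAssignment -Name 'DedupeImpersonation' `
        -Role ApplicationImpersonation `
        -User 'svc-dedupe' `
        -CustomRecipientWriteScope 'DedupeScope'
}

function Revoke-ScopedImpersonation {
    # Run once the duplicate clean-up is finished.
    Remove-ManagementRoleAssignment -Identity 'DedupeImpersonation' -Confirm:$false
    Remove-ManagementScope -Identity 'DedupeScope' -Confirm:$false
}

# Review every holder of the role; an empty CustomRecipientWriteScope
# means the assignment applies to all mailboxes.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope -AutoSize
```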

On Exchange 2007 you can use the below command:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

More info on the script here


Fix: Lync fails to connect with Exchange for calendar

On Exchange servers with Lync, when using Lync from outside the site using Lync Edge, you might have the problem that it works in case of instant messaging, but it will not connect to your Exchange setup to get the calendar or in some cases it will keep re-asking your credentials with no success.

This might be an issue of authentication which can easily be solved by changing the authentication method on the AutoDiscover folder on IIS.

Log into the Exchange server
Open IIS Manager
Expand the [Server Name]/Sites/Default Website
Click on AutoDiscover application
Click on Authentication
Right-Click on Digest Authentication and select Enable


Fix: The Certificate Status could not be determined because the revocation check failed

Recently I came across a CAS server that was rebuilt. Think of it as a new server you are introducing in your environment. Everything looked good except the certificate that we imported. The certificate looked good when looking at validity, issuing authority certificate and other dependencies.

However, Exchange Management Console complained:

“The certificate status could not be determined because the revocation check failed.”

Since the error seemed clear enough, we checked and verified that we can reach CRL. We could successfully access it and download CRL. We also ensured that there was no proxy servers configured or required, which they weren’t.

However, the server had its own mind.

KB979694 wasn’t applicable since there was no proxy in the environment.

The only logical thinking here was, why is “Local System” account (which the service uses to get the revocation status) unable to get to CRL. To get to the answer, we needed to check proxy settings of Local System account. How do you do that? You can’t simply start IE as different user!

That exactly is the purpose of this post. I found bits and pieces of information that helped me resolve the issue but not a one step document. In this post, I am trying to put it all together so you have one stop solution.

Here’s how you can fix the issue:

Open up command prompt as Administrator
Run: sc create testsvc binpath= "cmd /K start" type= own type= interact
This creates testsvc service which will run as local system and allow interaction with desktop
Run “sc start testsvc”
The error “[SC] StartService failed 1053” is expected and can be ignored safely
Locate “Interactive Services Detection” icon blinking in the taskbar and click “view message”
You are now in a command prompt window running as Local System and you will not see your desktop. The only other visible window is “Interactive Services Detection” window.
Launch Internet Explorer using the following command:
"c:\Program Files (x86)\Internet Explorer\iexplore.exe"
Internet Explorer may present Set up window. If it does, click “Ask me later”.
We will now check proxy settings. Go to Tools -> Internet options -> Connections -> Lan Settings.
Verify proxy and automatic configuration options and change them to match your environment. In my case we cleared all checkboxes since no proxy existed in environment.
In our case, either server build process or a setting from or a GPO was populating incorrect proxy settings.
Close Internet Explorer window and return to command prompt.
We will now clean certutil caches.
Run “certutil -urlcache ocsp delete”
Run “certutil -urlcache crl delete”
We’re almost done here. We now have to close and exit out of service.
Type “exit” and press enter to close command prompt that is running as Local System.
Now you should have only one “Interactive Services Detection” window.
Click “Return Now”.

You are now back to your desktop and we have corrected Internet Explorer settings for Local System (removing proxy configuration that was incorrect). After this, we restarted Exchange Management Console and verified certificate on CAS server in question. Certificate was no longer issuing the warning and we proceeded with assigning the certificate to appropriate services.

It is important to note that refresh time varies from immediate to more than few minutes so don’t fret over certificate still showing the same error. If, however, it takes more than 15 minutes, I would check if all steps were followed as mentioned above and configuration is correct for your environment.
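The testsvc service created in the steps above stays registered on the server until it is deleted, and the Local System proxy values can also be read without an interactive session. The following is an added example, not part of the original post; it assumes an elevated PowerShell prompt on the affected server.

```powershell
# Added example; run from an elevated PowerShell prompt.
# S-1-5-18 is the well-known SID of Local System. Its Internet Explorer
# (WinINET) proxy values are stored in that account's hive under HKEY_USERS.
$key = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Manual proxy and automatic configuration script settings.
# The "Automatically detect settings" checkbox is kept in the binary
# Connections\DefaultConnectionSettings value and is not shown here.
$ie | Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

if ($ie.ProxyEnable -eq 1 -or $ie.AutoConfigURL) {
    Write-Warning 'Local System has a proxy or configuration script set; confirm it matches your environment.'
}

# Machine-wide WinHTTP proxy, for comparison.
netsh winhttp show proxy

# Remove the temporary interactive Local System service once the fix is done.
$svc = Get-Service -Name 'testsvc' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'testsvc' -Force }
    sc.exe delete testsvc
}
```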

Yet another issue put to bed. On to another.


How to: Manually purge Exchange server logs safely

Many administrators have hit this problem: in a crisis you need to purge the Exchange logs, but you hold back because doing it by hand seems risky and unsafe. You can manually and safely purge the Exchange logs with the commands below. Open a command prompt and type the following.

Note: the m: would be your drive where the Exchange Mailbox databases are.

diskshadow
add volume m:
begin backup
create

At this moment, nothing will happen and after some time the screen will be populated. As soon as you see the prompt, enter the below.

end backup

After some time, you will see the space decreasing and the logs being purged. Although this works on Exchange 2010, it would be the same for Exchange 2007.


How to: Connect Remotely to an Exchange Management Shell

PowerShell is a great tool, and sometimes you need to connect to your preferred Exchange server without opening a remote desktop on the server. To connect remotely to any Exchange Management Shell you need the following:

To connect to the server using the logged-in user type,

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://my-exchange-server/PowerShell/ -Authentication Kerberos

and then type

Import-PSSession $Session

If you want to connect to the server using specified credentials, type the following,

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://my-exchange-server/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session

That should connect you to the desired server… enjoy


How to: Move mail queue to another server in Exchange

When an Exchange server is failing and mail is stuck in its queue, you will need to export the queue and import it to another working Exchange server. This is how to do it.

– Open the Exchange Management Shell on the source server
– Type $array = @(Get-Message -Queue "QueueName" -ResultSize unlimited)
– Type $array | ForEach-Object {$i++;Export-Message $_.Identity | AssembleMessage -Path ("c:\MyMailQueues\"+ $i +".eml")}

This will export all the mail in the queue specified in ‘QueueName’ into the folder c:\MyMailQueues. Now copy the EML files created into the other server’s Transport Pickup folder. The emails should be processed instantly.


How to: Allow application to relay through Exchange server

When applications need to explicitly relay mail inside or outside your network through an Exchange server, you might have some problems. This can be solved by creating a Receive connector in your Exchange infrastructure. This can be done as below:

Open Exchange Management Console
Navigate to Server Configuration and Hub Transport
Select the server
Right click on the Receive connector area
Select New Receive Connector
Enter the name for the connector
Select Custom
On the Local Network settings click Next
On the Remote Network setting enter the IP address or range from where the emails will be sent
Once created open the properties of the connector
Open the Permissions Group tab
Tick Anonymous Users and Exchange Servers
Open the Authentication tab
Tick Transport Layer Security (TLS)
Tick Externally Secured (for example, with IPSEC)

Try to send the email and there you have it.
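The same connector can be created from the Exchange Management Shell, and because Externally Secured treats every host in the remote range as trusted, the range is worth auditing afterwards. The following is an added example, not part of the original post; the connector name 'App Relay', the server EXCH01 and the address 192.0.2.25 are placeholders, and the audit assumes each remote range converts to a string such as 0.0.0.0-255.255.255.255.

```powershell
# Added example; 'App Relay', EXCH01 and 192.0.2.25 are placeholders.
# Create the custom connector and list only the application hosts that relay.
New-ReceiveConnector -Name 'App Relay' -Server 'EXCH01' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '192.0.2.25'

# Same choices as the Permission Groups and Authentication tabs above.
Set-ReceiveConnector -Identity 'EXCH01\App Relay' `
    -PermissionGroups AnonymousUsers, ExchangeServers `
    -AuthMechanism Tls, ExternalAuthoritative

# Audit: list every externally secured connector with its remote ranges
# and flag any that still accepts connections from every address.
Get-ReceiveConnector |
    Where-Object { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' } |
    ForEach-Object {
        $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Connector = "$($_.Identity)"
            Ranges    = $ranges -join ', '
            OpenToAny = [bool]($ranges -match '^0\.0\.0\.0-255\.255\.255\.255$')
        }
    } |
    Format-Table Connector, Ranges, OpenToAny -AutoSize
```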
