Exchange – Database Availability Group – FSW on DC

I needed to use DC as File Share Witness for my LAB and in one small environment. Microsoft doesn´t recommend that, but if you have only limited number of servers, you dont have a choice.


Really basics, full article can be found on MS Technet)

  • FSW must be configured every time you create Database Availability Group for Exchange 2010 and Exchange 2013 (if you do not specify, Exchange will configure FSW on first CAS server without mailbox role installed). Besides the other parameters you should specify the WitnessServer and WitnessDirectory parameters
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer CAS1 -WitnessDirectory D:\DAG1_FSW
    • FSW is used to maintain quorum (node majority for DAG application) when even number of nodes in the DAG
    • FSW is only actively used, when there is even number of servers in the DAG. One case is that you have configured even number of servers by design or you have conffigured odd number of servers by design and one of those is broken. Otherwise Witness directory on Witness server is empty
    • Alternate FSW must be also configured, if you enable Datacentre Activation Coordination
Set-DatabaseAvailabilityGroup <identity> -DatacenterActivationMode DAGOnly -AlternateWitnessServer <FQDN or NetBIOS name of the server> -AlternateWitnessDirectory <Path>
  • More then one DAG can have FSW on the same server, but directory must be unique


To configure FSW on DC there are more steps to perform before configuration of FSW:

  • Add domain controller to Exchange Trusted Subsystem security group
  • Add Exchange Trusted Subsystem to Buildin\Administrators
  • Create Directory on the DC and share the directory with the share name of the DAG
  • Set sharing permissions so that virtual account for DAG will have Full Control


If set some of the point incorrectly, you will get the result, that DAG cannot access FSW and availability of DAG is limited

Get-DatabaseAvailabilityGroup -Status

Result is shown in Picture:


If this happens to you, fix incorrectly set steps and re-enable FSW:

Set-DatabaseAvailabilityGroup <identity> -WitnessServer <FQDN or NetBios name of the server>

Exchange 2013 CU1 setup problem – Install-RuleCollection error in Organization preparation step (protected until CU1 is officially out for public)

I have been upgrading my RTM Exchange 2013 to CU1.  I have 2 multirole servers in DAG. I have started to install CU1 on the node hosting only passive copies of databases. In step 1 of 18. Organization preparation from GUI setup it generated error as it can be seen in the following Picture.

install-rulecollection error

Recommended workaround from Microsoft is to delete the following object from AD configuration partition using AdsiEdit

CN=ClassificationDefinitions,CN=Rules,CN=Transport Settings,CN=<Your organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>i,DC=<com>

The object is also shown in the Picture

install-rulecollection object to delete

After deletion setup can be restarted. Object is then re-created and setup can continue.

Exchange 2010 complete certificate request problem

I was renewing Exchange certificate for my test domain I was doing it via EMC console but behind of GUI it is done via certificate request CMDlet. For Example this CMDlet:

New-ExchangeCertificate  -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName ','',...

I am using certificate from Startcom certification authority (however this happened to me also vith GeoTrust), because it is free, so I have passed the request to web browser and generated new certificate, downloaded it and tried to import the certificate to Exchange environment.

First import went OK, but I havent seen pending certificate request to be completed

Second try of import generated an error:

CSR problems

I have checked local certificate store for the computer account and the certificate was there, but didn´t have private key attached to it.


Solution is simple. Run the command bellow, where red text is the serial number of your certificate

certutil -repairstore my "SerialNumber"

After running the command certificate with serial number “SerialNumber” will be connected to its private key and pending certificate request will be completed, and you can continue as usual.


MS KB on




PS 2.0 – Remove and compress IIS logs automatically

I created a PS script for removing and compressing IIS log files.


  • Define variables: the log folder $LogFolder (basically it could be %SYSTEMROOT%\System32\LogFiles\W3SVC) and the retention periods ($DeletionRetention = -120, $CompressionRetention = -60).
  • Scripts handles only files with expired retention for attribute LastWriteTime  (e.g. -120 = older than 120 days).
  • It deletes all* files with expired retention ($DeletionRetention) from the log folder. (* Be careful, the folder doesn’t have to contain only logs.)
  • It compresses log files with expired retention ($CompressionRetention) into one zip based on month number from LastWriteTime ( Number 2502132135 is the time stamp.
  • The script can be simply scheduled via Windows Task Scheduler if needed (e.g. Trigger: Monthly – last day).HowToScheduleScript


I used in my script zip functions from David Aiken – Compress Files with Windows PowerShell then package a Windows Vista Sidebar Gadget


$LogPath = "D:\IISLogs"
$DeletionRetention = -120
$CompressionRetention = -60

function New-Zip
 set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
 (dir $zipfilename).IsReadOnly = $false

function Add-Zip

 if(-not (test-path($zipfilename)))
 set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
 (dir $zipfilename).IsReadOnly = $false 

 $shellApplication = new-object -com shell.application
 $zipPackage = $shellApplication.NameSpace($zipfilename)

 foreach($file in $input) 
 Start-sleep -milliseconds 500

function Get-Zip
 $shellApplication = new-object -com shell.application
 $zipPackage = $shellApplication.NameSpace($zipfilename)
 $zipPackage.Items() | Select Path

$Items = get-childitem $LogPath

$DeleteLogs = $Items | ? {$_.LastWriteTime -le (Get-Date).adddays($DeletionRetention)}
if($DeleteLogs -ne $null) { $DeleteLogs | %{Remove-Item $_.fullname}}

$Items = get-childitem $LogPath |? {($_.extension -like "*.log") -and ($_.LastWriteTime -le (Get-Date).adddays($CompressionRetention))}

$GroupedItems = $Items | sort LastWriteTime | select @{n='Month';e={$_.LastWriteTime.month}},fullname,length,name | group month

if($GroupedItems -ne $null){
 foreach ($GroupedItem in $GroupedItems){
 $MonthNumber = $GroupedItem.Name
 $Time = Get-Date -Format ddMMyyHHss
 $ZipPath = "$LogPath\IISLogs-Month$MonthNumber-$"
 New-Zip $ZipPath
 $ | select fullname,length | %{
 Get-Item $_.fullname | Add-Zip $ZipPath
 start-sleep -s ($_.Length/20000000)
 if((Get-Zip $ZipPath).length -eq $GroupedItem.Count){
 $ | %{Remove-Item $_.fullname}
 Write-Host "`nERROR - Files are not zipped correctly. Deletion process skipped."
 $ | %{$}




We can remove logs also by command Forfiles (thank you Lukas).



Exchange 2010 – OABGen skipped users (Event ID: 9325)

I fixed OAB errors (Event ID: 9325) on generation server and I wanted to get OABGen skipped users from Application Event log.


Log Name: ApplicationSource: MSExchangeSA
Date: 2/19/2013 5:07:36 AM
Event ID: 9325
Task Category: (13)
Level: Error
Keywords: Classic
User: N/A
OABGen will skip user entry 'Filip' in address list '\Global Address List' because the SMTP address '' is invalid. 
- \Default Offline Address Book NEW

How to filter skipped users from event log?

Run EMS on generation server and use the following cmdlets. It will update and distribute the OAB to the CAS servers (do not forget to use also $date variable, it is needed for further action):

$date = get-date

Get-OfflineAddressBook | Update-OfflineAddressBook

Get-ClientAccessServer | Update-FileDistributionService

All errors related to OABGen should be written to the event log. After that you can use cmdlets below, it will find/count all OAB errors ($OABerrors) and  take out names of skipped users ($OABerrorsUser).

$OABerrors = Get-EventLog -LogName Application -EntryType error -Source MSExchangeSA | ?{$_.TimeGenerated -gt $date}  | select Message
Write-Host "Count of OAB errors:" ($OABerrors| Measure-Object).count
$OABerrorsUser = $OABerrors | % {$_.Message.Substring($_.Message.IndexOf(" '")+2,($_.Message.IndexOf("' ")-$_.Message.IndexOf(" '"))-2)}


Variable $OABerrorsUser could be used for another loop based on your needs of repairs.

Event ID: 9325 basically occurs because the recipient’s primary SMTP address (PrimarySmtpAddress) was changed without updating the Mail attribute (WindowsEmailAddress). If the Mail attribute does not match the primary SMTP address, the recipient will be dropped when the offline address book is generated. Description how to solve this issue is shown here: Using Powershell to Correct 9325 Events in Exchange 2007

The event could occur also for mail-disabled users if ShowInAddressBook attribute is not clear <not set>. All mail-enabled objects have this attribute always filled in (including users, contacts, groups, public-folders). The attribute can be erased via ADSI Edit or Active Directory Module for Windows PowerShell.

Get-ADuser GlenJohn -Properties showInAddressBook | Set-ADUser -Clear showInAddressBook


Exchange 2010 – Outlook Anywhere – Outlook is unable to connect to the proxy server. (Error Code 10)

I noticed the error message below:


Microsoft Outlook
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site.

Outlook is unable to connect to the proxy server. (Error Code 10)

Definitely it is related to Outlook Anywhere and client (Outlook 2013) which wraps remote procedure calls (RPCs) with an HTTP layer. By default this feature is enabled and all outlook connectivity takes place over it based on valid SSL certificate on CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to screen shot above is either needed to have value “s04.testexch.local” in the certificate on CASs, switch off requiredSSL or change the value regarding to your needs (e.g. you have certificate with different value).




  • ExternalHostname
  • InternalHostname
  • ExternalClientAuthenticationMethod (Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ negotiate authentication, exchange will authenticate the client using NTLM authentication type and if unable to verify authenticity, will challenge the client to authenticate using a username and password.)
  • SSLOffloadingNote: The SSLOffloading parameter specifies whether the Client Access server requires SSL. This value should be set only to $true when an SSL hardware solution is running in front of the Client Access server.


Outlook Anywhere can be tested via Test-OutlookConnectivity or Remote Connectivity Analyzer


In my case I used a cert issued by internal CA with two subject alternative names mail.testexch.local and autodiscove.testexch.local. So it was needed to rewrite the attribute InternalHostname on each CAS server only.

[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.testexch.local -In
ternalClientsRequireSsl $true
[PS] C:\>Get-OutlookAnywhere | fl server,name,*hostname,ssl*,*auth*

Server : s03
Name : Rpc (Default Web Site)
ExternalHostname :
InternalHostname : mail.testexch.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Server : s04
Name : Rpc (Default Web Site)
ExternalHostname :
InternalHostname : mail1.testexch2013.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}


iOS 6.1.2 released! – Exchange problems solved?

Apple claims, that iOS 6.1.2 solves problems with Exchange sync. Good luck with update:  and hopefully no more