Exchange federation trust – part 2.

Finally here is the continuation of previous article about Exchange federation trust. So we have established the trust between Microsoft Federation Gateway and our organizations. Next step is to configure inter-organizational behavior. It is a mesh-like net, where 1:1 organization relationship is established.


  • Autodiscover service must be accessible to at least one CAS server from the internet
  • EWS should be accessible to at least one server and External URL should match the name accessible from  internet and 3rd party certificate SN or SAN name

Organization Relationship

Once we have configured our organizations to trust MS Federation Gateway, we can use it to create organization relationship. We will use

command Get-FederationInformation about opposite organization and pipe it to create new organization relastionship. Access level on both side of relationship should be the same.

In our organization:

Get-FederationInformation -DomainName | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true 
-FreeBusyAccessLevel -LimitedDetails

Or directly:

New-OrganizationRelationship -Name <foreignorganizationname>  -FreeBusyAccessEnabled $True -FreeBusyAccessLeve LimitedDetails -
Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr -
DomainNames .cz -TargetApplicationURI -TargetSharingEpr

Note: Domain names are CASE SENSITIVE!
Result of creation test:

Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity -Verbose

OK success rel test

In foreign organization:

Get-FederationInformation -DomainName | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -
FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name  -FreeBusyAccessEnabled $True -FreeBusyAccessLeve LimitedDetails -Enabled $true -PhotosEnabled 
$true -TargetAutodiscoverEpr -DomainNames -TargetApplicationURI -TargetSharingEpr

Note: Domain names are CASE SENSITIVE!

Finally result of proper configuration is, that you can see Free/Busy limited details of users in foreign organization

Errors you might face

Index error is cause by Case sensitive domain name inserted (in my case instead of or wrong URLs for EWS or Autodiscover.


Errors from the following picture are caused by wrongly or misspelled URLs (Self explaining)


Usually autodiscover URL is created in format, however Federation trust use autodiscover service, which is created as URL: where WSSecurity is authentication used by federeation trust:



ADFS / Office 365 / Exchange 2010 – How to force synchronization – Event ID:0, Event ID:1, Event ID:3, Event ID:4, Event ID:6126, Event ID:6127

I have created new admin account to manage Exchange 2010 SP3 / Office 365 hybrid deployment using ADFS (advanced SSO config). By default it takes up to 3 hours to sync newly created / added accounts to Office 365. To force synchronization perform:

  1. Logon to DirSync server
  2. Open Powershell module: Microsoft Online Services Module for Windows PowerShell
  3. Or you can use remote powershell if WinRM has been konfigured by running:
    Invoke-Command -ScriptBlock {Add-PSSnapin Coexistence-Configuration;Start-onlinecoexistencesync} –ComputerName <DIRSYNC server name>
  4. Run command for immediate AD synchronization:

After running command you can check Event log if all is OK.

  1. Open application Event log and check for the following events:
  2. Event ID: 0 – Connecting to MS Online and starting Synchronization
  3. Event ID: 6127 – The management agent “SourceAD” completed run profile “Delta Import Delta Sync” with a delta import or delta synchronization step type. The rules configuration has changed since the last full synchronization
  4. Event OS: 6126 – The management agent “TargetWebService” completed run profile “Delta Confirming Import” with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.
  5. Event ID: 1 – Import to Dirsync started
  6. Event ID: 2 – Import to Dirsync completed
  7. Event ID: 3 – Export to Office 365 started
  8. Event ID: 4 – Export to Office 365 completed



Default Sync interval can be changed here:

C:\program files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config

To run online coexistence sync for new versions of DirSync run:

Import-Module DirSync

Default path: C:\Program Files\Windows Azure Active Directory Sync\dirsync

Exchange 2013 / 2010 / 2007 – How to configure OAB for offline Thumbnail photo

One of our customers wanted to have Thumbnail photo attribute configured for offline access.


  • Enhance AD schema of AD attribute ThumbnailPhoto (Done by default for Exchange 2010 SP2+)
  • Upload pictures via Powershell or Sharepoint
    Enable ThumbnailPhoto attribute in OAB (Done by default in Exchange 2010 SP2, but only indicator to fetch data from AD online)
  • Configure ThumbnailPhoto to true Offline access (change attribute Thumbnailphoto,indicator to ThumbnailPhoto,value)

The rough process is simple, but in my case there was a problem, because customer has coexistence scenario Exchange 2007 / Exchange 2010 in single AD site. In this scenario OAB has been first created in Exchange 2003 -> Then Exchange 2003 has been replaced by Exchange 2007 and after that Exchange 2007 left for business purpose (several mailboxes ) and it was extended by Exchange 2010 (Currently SP3). In this scenario OAB is missing ConfiguredAttributes (It is empty) So the process is as follows:

1. Get info about OAB

Command lists OAB and its empty attribute.

Get-OfflineAddressBook "Default Offline Address List" | fl

Default OAB

2. Create new OAB to see configured attributes

To be sure users will not be disrupted by the change I have created new OAB on Exchange 2010.

New-OfflineAddressBook -Name 'Default Offline Address Book + offline photo' -Server 'PF1' -AddressLists '\Default Global Address List' -PublicFolderDistributionEnabled $false -VirtualDirectories 'CH1\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH1\OAB (Default Web Site)'

3. List configured attributes

To display all attributes configured we need to use the following cmdlets:

$FormatEnumerationLimit = -1
Get-OfflineAddressBook "Default Offline Address Book*" | select name, Configuredattributes | fl

New OAB with attributes

4. Change attributes

To change attributes I first read attributes to variable and adjusted ThumbnailPhoto,Indicator to ThumbnailPhoto,Value. It will phycically store ThumbnailPhoto data to OAB. Caution. This might increase network load, since OAB will increase its size based on user counts.

$attr = (Get-OfflineAddressBook "Default Offline Address Book*").configuredattributes



Attribute updated in variable

5. Import to OAB

To import modified set of attributes to OAB use:

Set-OfflineAddressBook "Default Offline Address Book*" -ConfiguredAttributes $attr

OAB with edited attribute

6. Update OAB and Check OAB

To generate new OAB and distribute it accross WEB distribution points use:

Get-OfflineAddressBook "Default Offline Address Book*" | Update-OfflineAddressBook

Restart Microsoft Exchange File Distribution service on each previously configured distribution points

New OAB folder on DP

7. Set generation time

Set-OfflineAddressBook -Schedule 'Sun.5:00 AM-Sun.6:00 AM, Mon.5:00 AM-Mon.6:00 AM,Tue.5:00 AM-Tue.6:00 AM, Wed.5:00 AM-Wed.6:00 AM, Thu.5:00 AM-Thu.6:00 AM, Fri.5:00 AM-Fri.6:00 AM, Sat.5:00 AM-Sat.6:00 AM' -Identity '\Default Offline Address Book + offline photo'

8. Assign OAB to mailboxes


Assign OAB

I selected a method to assign OAB for each mailbox database. Each mailbox inside database, which doesnt have explicitly defined OfflineAddressBook parameter will get the one from database. Exchange Information Store is using cache so changes will be visible after up to 2 hours of actual setting of database. To perform changes immediately you shoud dismount / mount database, where change must be visible immediately. Command:

Get-DailboxDatabase MDB* | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book + offline photo"

9. Download new OAB to mailbox via Outlook

You should check autodiscover record if OAB URL changed from old one to new one.

10. Test offline access

After OAB is successfuly downloaded turn on Offline access and test if OAB can be opened and if Thumbnail photo is visible.

Before change:

OAB before

After change:

OAB after


Exchange blog article

Works for Exchange 2013 as well.

Exchange – IIS problems after upgrade (Event IDs: 10010, 3, 1016)

One of our customers has Exchange 2010 (currently SP3). When I was installing latest build (SP3 from SP4 RU 5v2), I experienced problems that server was unaccessible, Exchange web services were not able to serve clients, Powershell was not working and Forefront was crashing taking down MS Exchange Transport service. I spent several hours troubleshooting and here is the overview and solution.


Lets say that my server was in Windows NLB cluster having:

LB IP: /24
 Production IP: /24
 Production IP2 /24

From the start server has been installed and configured with the following  IP´s:

LB IP: /24
Production IP: /24

and second Production IP address has been added later as requirement for one business Exchange Web Services-related application.

From IIS point of view:

From the begining there was only one application pool with all virtual directories as shown in the following picture (NOTE binding settings).

Site bindings for Default application web site application pool:


After business application has been added new application pool has been added too(NOTE binding settings).


Site Bindings for business application Application pool


Process of upgrade:

The process of upgrade was normal and well known from MS Technet, however after reboot of server I lost connectivity to Powershell and to EWS on the server. Therefore I expected problems in IIS, but how to find it?

Errors in IIS:

IIS error

Errors in Event log:

Event ID 3 Event ID 1016 Event ID 10010


I checked IIS:

  • Application pools up and running
  • IIS up and running
  • Server giving error 404 page cannot be displayed if I tried https://localhost/OWA url
  • I checked virtual directory paths and all needed files were in place
  • I checked bindings and voila! Bidning of localhost has been moved from Default Web Site to Application Web Site

Binding on Bussiness application web site has now localhost:


Bindings on Default Web Site is missing localhost record:


Move Localhost binding to correct place and restart IIS!


There is a logic how IP addresses are set in IIS. One basic logic says, that WEB server can have as many IP addresses as needed, BUT the default one must be the one with lowest number. For example if I

have 3 IP addresses:

IP address with highest priority is and in some circumstances localhost binding can be moved under application pool, which is listening under IP address with highest priority without notice. This is quite logical, that Powershell and OWA virtual directories stopped to work against localhost binding, because there was no virtual path inside newly created application pool for bussiness application.


Plan the possibility to extend server with some more application pools and listeners already in design phase and reserve some IP addresses with higher numbers for future needs.

Exchange 2013 – Set Page file size via PS

The page file size minimum and maximum must be set to physical RAM plus 10 MB regarding Exchange 2013.

The recommended page file size also accounts for the memory that’s needed to collect information if the operating system stops unexpectedly. On 64-bit operating systems, memory can be written as a dump file to the paging file. This file must reside on the boot volume of the server (source: Exchange 2013 System Requirements)

You can use the following cmdlets to ensure required size:

$PageFileSize = [math]::truncate(((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory+10MB)/1MB)

Set-CimInstance -Query "Select * from win32_computersystem" -Property @{automaticmanagedpagefile="False"}

Set-CimInstance -Query "Select * from win32_PageFileSetting" -Property @{InitialSize=$PageFileSize;MaximumSize=$PageFileSize}

Comodo Antispam Gateway

I was looking for free Antispam GW for my lab and I came accross Comodo Antispam Gateway. It is free for 1 domain and 10 users.

Sign up for free license is here:

Why to use this GW?

  • Easy configuration
  • Access via Admin interface
  • Quarantine, blocklist, whitelist  – all accessible with free license
  • AD synchronization newly created also for free license!

Few screen shots:

Admin interface:


Quarantine settings: Quarantine_settings

Incoming spam detection settings: Spam_detection settings


Exchange 2013 – New features and coexistence (CZ)

I made 2 short  Powerpoint presentations about the new or enhanced features in Exchange 2013 for training purposes. You can download it in Czech. I used some test an some pictures from the following link:

Are you aware of the best Czech MVP in Exchange area? Please see

Thank you! Martin Pavlis!

News in Exchange 2013:

  • Architecture description
  • Description of enhanced features


  • Just 2 slides about coexistence and implementation


  • Detailed description what to say for particular page of presentation


Exchange 2013 – teorie k prezentaci_CZ (docx)

Exchange 2013 – teorie_CZ (pptx)

Exchange 2013-coexistence2007_2010_EN (pptx)

Exchange 2013-koexistence2007_2010_CZ (pptx)

Exchange – Autodiscover service overview (EN,CZ)

I made short Powerpoint presentation about Autodiscover service for training purposes. It is just overview with basic description of how Autodiscover service serves client requests. You can download it in English and Czech language.

  • —What is Autodiscover
  • —How it works
  • —How it works for client in domain
  • —How it works for client outside domain and client using DNS
  • —Autodiscover sequence

Exchange 2013-Autodiscover-overview_EN (pptx)

Exchange 2013-Autodiscover-prehled_CZ (pptx)

Event ID: 10033 – A folder is being scoped by a search which no longer exists

Hi everyone!

Thanks to Filip’s & Zbynek’s invitation I also have the privilege to be part of this excellent blog. So here we go. This is my first post 🙂

If you happen to have an Application log on your Mailbox server full of eventIDs 10033, Source: “MSExchangeIS Mailbox Store” with the following information:

EventID: 10033

A folder is being scoped by a search which no longer exists. This may result in failures or errors when attempting to update the folder contents. If this message continues to persist for this mailbox, moving the mailbox to a different database may resolve the issue.

As instructed this issue can probably be resolved by moving the affected mailbox to a different mailbox database but I’ve found out that you can fix this issue by using cmdlet “New-MailboxRepairRequest” on affected mailbox.

New-MailboxRepairRequest -Mailbox [mailbox name] -CorruptionType SearchFolder,AggregateCounts,ProvisionedFolder,FolderView

After that you’ll see that mailbox-repair request was created. Also check Application log on mailbox server where mailbox is homed for event with ID 10047:

Mailbox level online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de started:Database=OPEXDAG1-MB1


Flags=Detect, Fix

Tasks=SearchFolder, View, AggregateCount, ProvisionedFid

After a while you should see EventID 10062 that corruptions were detected & fixed:

Corruptions detected during online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de

Mailbox:DF49FD31-D429-423A-BECB-3594C19255FE (MAILBOX NAME)


Corruption        Is Fixed        FID        Property        Resolution

“Folder Backlinks”, Yes, “1-38645 (Synkronointiongelmia1)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-38649 (Ristiriidat)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-3864D (Paikallisia virheitä)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-38651 (Palvelinvirheitä)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-12829678 (Digium)”, 0x67870102, “Remove unfound folder(s) from the backlink list”


 And when Repair-request is completed you will find EventID 10048:

 Online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de completed successfully.

 After that original EventID 10033 disappeared