RTF content archiving problem when using Mailstore against Exchange 2010 SPx – ErrorInternalServerTransientError

I have run into a problem in one of my customer's Exchange environments after deploying the Mailstore archiving software. Mailstore is an EWS- and client-based archiving solution for Exchange. All best-practice configuration steps can be found here: http://en.help.mailstore.com/MailStore_Help


  • Virtualized Exchange 2010 SP3 RUx environment with a 2-node DAG of multirole servers, both running on ESX 5.1. No firewall or router sits between the production Exchange servers and the Mailstore virtual server.


  • RTF content messages cannot be archived by Mailstore via EWS
  • RTF messages can easily be reproduced with a new meeting request containing an inline picture of any size. Leave the meeting unanswered to see the error in 100 percent of cases
  • The error message in the Mailstore job log is as follows
08:36:58.874 [18] INFO Processing message: 23.1.2014 7:42:45 UTC 'FW: Problém s archivací meetingů', UID 1: @mail.domain.cz, UID 2: 
08:36:58.890 [18] INFO Retrieving message...
08:36:58.890 [18] INFO Sending EWS Request (GetMimeContent)
08:36:59.561 [18] INFO Sending EWS Request (GetMimeContent)
08:37:00.403 [18] INFO Sending EWS Request (GetMimeContent)
08:37:01.464 [18] INFO Sending EWS Request (GetMimeContent)
08:37:02.727 [18] INFO Sending EWS Request (GetMimeContent)
08:37:04.194 [18] INFO Sending EWS Request (GetMimeContent)
08:37:05.879 [18] INFO Sending EWS Request (GetMimeContent)
08:37:07.751 [18] INFO Sending EWS Request (GetMimeContent)
08:37:09.825 [18] INFO Sending EWS Request (GetMimeContent)
08:37:12.072 [18] INFO Sending EWS Request (GetMimeContent)
08:37:14.521 [18] INFO Sending EWS Request (GetMimeContent)
08:37:17.173 [18] INFO Sending EWS Request (GetMimeContent)
08:37:20.012 [18] INFO Sending EWS Request (GetMimeContent)
08:37:23.070 [18] INFO Sending EWS Request (GetMimeContent)
08:37:26.330 [18] INFO Sending EWS Request (GetMimeContent)
08:37:29.793 [18] INFO Sending EWS Request (GetMimeContent)
08:37:30.230 [18] EXCEPTION MailboxImportWorker:ProcessMailboxMessageWrapper
: Microsoft Exchange Server nedokázal dokončit úlohu. Detaily: An internal server error occurred. Try again later. EWS Error Kód: ErrorInternalServerTransientError.
  • Moving the node to another ESX cluster, or moving the active database copy to another node, fixed the error instantly, but after switching back the error appeared again
  • User-generated load was also partly to blame


We tried everything: re-creation of throttling policies, moving databases between nodes, updates to the latest RU and Mailstore versions, disabling TCP Chimney, RSS and AutoTuning, re-creation of the Exchange databases, re-creation of the Mailstore database and much more.

What finally helped was re-creating the EWS virtual directory and restarting IIS:

# remove the EWS virtual directory on the affected server, then create it anew
# (a removed directory cannot be re-created with Set-, so New- is used); run iisreset afterwards
Get-WebServicesVirtualDirectory SERVER\ID | Remove-WebServicesVirtualDirectory
New-WebServicesVirtualDirectory -Server SERVER -InternalUrl <IURL> -ExternalUrl <EURL>

I suspect two things: a problematic IIS 7 metabase, or the use of CGI (Common Gateway Interface, http://technet.microsoft.com/en-us/library/cc753077(v=ws.10).aspx ) on the EWS virtual directory. Uninstalling CGI alone did not solve the problem; it was solved by re-creating the EWS virtual directory on the affected DAG node after CGI had been uninstalled.

Exchange 2013 / Exchange 2010, Windows Server 2012 – SChannel Event ID:36888 (1203) – TLS/SSL error – The root cause

I have seen these SChannel errors generated in several environments. It took me several days to find a reasonable explanation of why they are logged.


The event shown in the picture appears from time to time:



Based on several articles I have read and some discussions: first you have to make sure that the process causing this error is LSASS.exe, which is, by the way, the local security authentication server (it authenticates users to the winlogon service, using authentication packages such as msgina.dll and so on). To confirm it is LSASS.EXE, open the event, click the Details tab, select Friendly View and expand System. Check the Process ID.


Then use powershell and run:

Get-Process | select name,id | sort id

The result gives you the name of the process; it will be lsass.exe.
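The same Process ID check, scripted over every 36888 event in the System log instead of opening them one by one. This is an added example, not code from the original post; it assumes an elevated shell on the affected server, and $Hours is a hypothetical parameter.

```powershell
# Added example: map SChannel 36888 events to the process that logged them.
# Assumption: run elevated on the server that logs the events; $Hours is a made-up parameter.
param([int]$Hours = 24)

$filter = @{ LogName = 'System'; Id = 36888; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Look process names up once; a PID whose process has already exited stays unknown.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # Same value as Details -> System -> Process ID in Event Viewer
    $procId = [int]$xml.Event.System.Execution.ProcessID
    $name = 'exited/unknown'
    if ($procNames.ContainsKey($procId)) { $name = $procNames[$procId] }
    # EventData carries the alert description and the internal error state (e.g. 1203);
    # field names are read from the event itself rather than assumed.
    $details = ($xml.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ProcessId   = $procId
        ProcessName = $name
        Details     = $details
    }
}

# On the servers described in the post every row should belong to lsass.
$rows | Group-Object ProcessName, Details | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A sudden spike in the count for one alert/error-state pair is the kind of thing worth keeping the logging enabled for, as Solution #1 below argues.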


The reason is simple: non-standard or broken behaviour of web browsers or users. The problem behind SChannel and Exchange 2012 is that sometimes users use the HTTP protocol on port 443, where the server expects a certificate exchange (the TLS handshake) rather than a GET command.

How to test:

Option #1:

The test is easy. For example, enter an obviously wrong URL in your browser address bar and see the result: HTTP://MAIL.DOMAIN.LOCAL:443/OWA – this tells the browser to use plain HTTP (not HTTPS) on port 443, and the error is generated immediately.

Option #2:

Run Telnet and test command:

Telnet localhost 443 (to connect to HTTPS)

In Telnet window:

GET /index.htm (on HTTPS the SSL session must be established first, so the error is generated immediately; the result will not be shown in the Telnet window)

What is the solution?

Solution #1:

Some IT guys recommend disabling SChannel logging to get rid of these events, but I cannot recommend that. To be honest, it is better to see that somebody is trying to connect with HTTP on the HTTPS port, because this might be a DoS attempt or a sign that users don't know how to type the OWA URL correctly. In short, it is better to know that something is wrong than to disable logging.

Solution #2:

I suspect a wrong redirect configuration from HTTP to HTTPS for the websites. I would check in IIS whether the redirect is set correctly. For those having this issue without a redirect, I would suspect a problem on the web browser side.


To test SSL via command line:


LSASS description:


How to quickly clean mailbox in Exchange 2010/2013

I had trouble and a lot of mess in my test mailbox and didn't have time to clean it up, so here is what I did. Basically I used the method that is also used when there are problems in production, a server or database goes down and you must use a dial tone restore.

  • Gather mailbox database
Get-Mailbox <identity> | select MailboxDatabase
  • Rehome the mailbox (assign a different database to the mailbox)
Get-Mailbox <identity> | Set-Mailbox -Database <DB identity>
Get-mailbox x9xxxx | Set-Mailbox -Database MDB12
Confirm Rehoming mailbox "domain.local/Persons/Administrators/test/CZ/X9XXX" to database "MDB12". This operation will only modify the mailbox's Active Directory configuration. Be aware that the current mailbox content will become inaccessible to the user. [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):

Use Clean-MailboxDatabase on the old database so the mailbox shows up among the disconnected mailboxes.

Get-MailboxDatabase <old MDB identity> | Clean-MailboxDatabase
  • Your old data will be removed according to your Exchange retention configuration, or you can force deletion with Remove-StoreMailbox <your old data mailbox identity>, as described here:


  • Your mailbox is clean.

Exchange 2010 SP upgrade failed (0x80070003)

Let me share some fresh experience with an Exchange 2010 SP3 upgrade.

In the first place, thank you Zbynek, because the final solution was his idea!


The Exchange 2010 SP3 upgrade unexpectedly failed on 2 of 9 servers. Those servers had separated Exchange roles, so the following error occurred for the MBX as well as the HUB role.

[10/05/2013 18:58:41.0984] [2] Saving object "EXMBX02\PowerShell-Proxy (Default Web Site)" of type "ADPowerShellVirtualDirectory" and state "New".
[10/05/2013 18:58:42.0015] [2] Previous operation run on domain controller 'DC03.contoso.local'.
[10/05/2013 18:58:43.0481] [2] Searching objects "DEXMBX02\PowerShell-Proxy (Default Web Site)" of type "ADPowerShellVirtualDirectory" under the root "$null".
[10/05/2013 18:58:43.0497] [2] Previous operation run on domain controller 'DC03.contoso.local'.
[10/05/2013 18:58:43.0497] [2] Ending processing new-PowerShellVirtualDirectory
[10/05/2013 18:58:43.0497] [1] The following 1 error(s) occurred during task execution:
[10/05/2013 18:58:43.0497] [1] 0.  ErrorRecord: A failure occurred while trying to update metabase properties.
[10/05/2013 18:58:43.0497] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Common.LocalizedException: A failure occurred while trying to update metabase properties. ---> System.Runtime.InteropServices.COMException (0x80070003): The system cannot find the path specified.

As can be seen, it was an IIS-related problem (a failure occurred while trying to update metabase properties), specifically with the PowerShellVirtualDirectory.

Root Cause

Only suspicions:

  • a firewall or application (e.g. an anti-virus) was cutting the connection
  • an application was locking the IIS metabase (e.g. a backup solution)
  • insufficient permissions


This solution is intended for separated roles (CAS, MBX, HUB) as well as multi-role servers.

1.  Remove the corrupted PowerShellVirtualDirectory:

* remove all PowerShell virtual directories of the server, regardless of whether it holds the CAS role

Get-PowerShellVirtualDirectory EXMBX02\* | Remove-PowerShellVirtualDirectory

2.  Recover Exchange server:

Setup /m:RecoverServer


Get remote server names from receive connector

I was asked to make a list of all remote servers (including IP addresses) which are able to use a receive connector in Exchange 2010.


The remote IP addresses of a receive connector can be found in the RemoteIPRanges property of the Get-ReceiveConnector cmdlet. Those addresses can be divided by their RangeFormat declaration:

  • SingleAddress (
  • CIDR (
  • LoHi (

In theory, if we need all IP addresses, we also have to enumerate the IP addresses inside each range, and then we can resolve those addresses in DNS.

Here are two functions. The first one (New-IPRange) was created by Dr. Tobias Weltner and lets us enumerate all IP addresses (also from CIDR or LoHi ranges). The second one is my helper (Get-ReceiveConnectorRemoteIPName), which goes through RemoteIPRanges, calls the first function and resolves each IP address with the System.Net.Dns .NET class. The processing time depends on the number of IP addresses, so be careful about your ranges!

function New-IPRange ($start, $end) {
 # created by Dr. Tobias Weltner, MVP PowerShell
 # IPAddress.Address stores the octets as a little-endian long, so the byte order is
 # reversed before converting, the range is counted through, and reversed back on output
 $ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
 [Array]::Reverse($ip1)
 $ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
 $ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
 [Array]::Reverse($ip2)
 $ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address
 for ($x = $ip1; $x -le $ip2; $x++) {
  $ip = ([System.Net.IPAddress]$x).GetAddressBytes()
  [Array]::Reverse($ip)
  $ip -join '.'
 }
}

function Get-ReceiveConnectorRemoteIPName ($Identity) {
 $Connector = Get-ReceiveConnector -Identity $Identity | select Identity,RemoteIPRanges
 if ($Connector -ne $null) {
  # expand every RemoteIPRanges entry (SingleAddress, CIDR or LoHi) into single addresses
  $IPs = $Connector.RemoteIPRanges | % { New-IPRange $_.LowerBound $_.UpperBound }
  foreach ($IP in $IPs) {
   # GetHostEntry throws when there is no PTR record, so report such addresses as unresolvable
   try { $IPName = ([Net.Dns]::GetHostEntry("$IP")).HostName }
   catch { $IPName = "unresolvable" }
   if ($IPName -eq $IP) { $IPName = "unresolvable" }
   $Output = New-Object PSObject
   $Output | Add-Member -Type NoteProperty -Name "ReceiveConnector" -Value $Connector.Identity
   $Output | Add-Member -Type NoteProperty -Name "RemoteIp" -Value $IP
   $Output | Add-Member -Type NoteProperty -Name "RemoteName" -Value $IPName
   # emit one object per address so the result can be piped to Export-Csv or formatted
   $Output
  }
 }
}

How to use it? Just paste both functions into EMS, that's it.


Now you are ready to use both functions especially Get-ReceiveConnectorRemoteIPName:

[PS] C:\>Get-ReceiveConnectorRemoteIPName "EX2010S01\Application Relay"

ReceiveConnector             RemoteIp    RemoteName
----------------             --------    ----------
EX2010S01\Application Relay  appolo.ficility.intra
EX2010S01\Application Relay   helt01.ficility.intra
EX2010S01\Application Relay   unresolvable
EX2010S01\Application Relay   unresolvable
EX2010S01\Application Relay  kepro.ficility.intra


Feel free to use Get-ReceiveConnectorRemoteIPName cmdlet in the following scenarios:

[PS] C:\> Get-ReceiveConnectorRemoteIPName "EX2010S01\Application Relay"| Export-Csv -Path "C:\ReceiveConnectorRemoteIPName.csv"

[PS] C:\> $connectors = Get-ReceiveConnector | ? { $_.identity -like "*relay*" }
[PS] C:\> $connectors| % { Get-ReceiveConnectorRemoteIPName $_.identity }

Exchange – One option to restore data from lagged database copy

Recover data from a lagged copy:

1. Gather info about where the user resides

Usually we need to know in which database the user's mailbox resides

2. Check if mailbox is still in disconnected mailboxes

Get-MailboxDatabase mdb13 | get-mailboxstatistics | where {$_.disconnectdate -ne $null}

DisplayName               ItemCount    StorageLimitStatus                                                 LastLogonTime
-----------               ---------    ------------------                                                 -------------
a1			  1962                 BelowLimit                                           5/7/2013 4:01:41 PM
S 		          2075                 BelowLimit                                          6/19/2013 9:26:52 AM
Hän		          185                  BelowLimit                                          4/30/2013 9:19:26 AM

3. Mailbox is not in disconnected state

If the mailbox is no longer listed among the disconnected mailboxes, we still have another 14 days before the lagged copy's disconnected date expires

4. Suspend lagged copy

First check the copy status, then suspend the lagged copy:

Get-MailboxDatabase mdb13 | Get-MailboxDatabaseCopyStatus

Name                                          Status          CopyQueue ReplayQueue LastInspectedLogTime   ContentIndex
                                                              Length    Length                             State
----                                          ------          --------- ----------- --------------------   ------------
MDB13\SRVMBX1                          		Mounted         0         0                                  Healthy
MDB13\SRVMBX2                          		Healthy         0         2           7/9/2013 11:33:38 AM   Healthy
MDB13\SRVMBX3                         		Healthy         0         2           7/9/2013 11:33:38 AM   Healthy
MDB13\SRVPF1                           		Healthy         0         110355      7/9/2013 11:33:38 AM   Healthy

Suspend-MailboxDatabaseCopy MDB13\SRVPF1

Are you sure you want to perform this action?
Suspending mailbox database copy "MDB13" on server "SRVPF1".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

5. Copy lagged database to different location

To perform a non-destructive recovery we need to create an additional copy of the lagged database. This copy will be restored to the chosen point in time.

6. Check if database is in clean shutdown

Dump headers of database by command:

eseutil /mh .\MDB13.edb

Extensible Storage Engine Utilities for Microsoft(R) Exchange Server
Version 14.03
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating FILE DUMP mode...
         Database: .\MDB13.edb

Checksum Information:
Expected Checksum: 0xf3fb4807
  Actual Checksum: 0xf3fb4807

        File Type: Database
         Checksum: 0xf3fb4807
   Format ulMagic: 0x89abcdef
   Engine ulMagic: 0x89abcdef
 Format ulVersion: 0x620,17
 Engine ulVersion: 0x620,17
Created ulVersion: 0x620,17
     DB Signature: Create time:01/24/2012 02:52:12 Rand:391137630 Computer:
         cbDbPage: 32768
           dbtime: 3824249608 (0xe3f16b08)
            State: Dirty Shutdown

7. Determine PIT backup time and move newer logs elsewhere

In my example I want the DB to be recovered to 29.6.2013. Be careful! You need the EDB file 🙂


8. Replay logs into the database up to the specified point in time:

Logs newer than the specified PIT should be moved elsewhere or deleted (better after the recovery process has finished).
The checkpoint (.chk) file should be removed so that all logs present in the directory are replayed.
The following command replays the logs up to the PIT into the database

Eseutil /r eXX /a
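Steps 7 and 8 as a script. This is an added example, not the post's own commands: the folder, the E00 log prefix and the PIT value are assumptions, it is meant to run against the copy made in step 5 only, and it moves (never deletes) the newer logs and the checkpoint file before eseutil /r is run.

```powershell
# Added example: park the transaction logs written after the chosen point in time, plus the
# checkpoint file, so that "eseutil /r" replays only the logs up to the PIT.
# Assumptions: paths, the E00 prefix and the PIT below are placeholders for the reader's values.
param(
    [string]$LogFolder     = 'E:\lagged_mdb13',                 # folder holding the COPIED edb and its Exx logs
    [string]$LogPrefix     = 'E00',                             # log prefix of that database (the eXX of step 8)
    [datetime]$PointInTime = '2013-06-29 23:59:59',             # recovery target chosen in step 7
    [string]$SideFolder    = 'E:\lagged_mdb13_logs_after_pit'   # newer logs are parked here, not deleted
)

if (-not (Test-Path -LiteralPath $SideFolder)) {
    New-Item -ItemType Directory -Path $SideFolder | Out-Null
}

# A closed generation log gets its LastWriteTime when ESE closes it, so every log written after the
# PIT is set aside. A generation that straddles the PIT is set aside too, which loses at most the
# transactions of that one log. The open Exx.log (no generation number) matches the filter as well.
$newer = @(Get-ChildItem -LiteralPath $LogFolder -Filter "$LogPrefix*.log" |
           Where-Object { $_.LastWriteTime -gt $PointInTime })
foreach ($log in $newer) {
    Move-Item -LiteralPath $log.FullName -Destination $SideFolder
}

# The checkpoint file records which logs ESE considers already applied; without it,
# eseutil /r replays every log left in the folder (the "chk file should be removed" step).
$chk = Join-Path $LogFolder "$LogPrefix.chk"
if (Test-Path -LiteralPath $chk) {
    Move-Item -LiteralPath $chk -Destination $SideFolder
}

$remaining = @(Get-ChildItem -LiteralPath $LogFolder -Filter "$LogPrefix*.log")
"Moved $($newer.Count) log file(s) newer than $PointInTime to $SideFolder; $($remaining.Count) remain for replay."
"Next: cd $LogFolder; eseutil /r $LogPrefix /a; then eseutil /mh on the .edb and expect 'State: Clean Shutdown'"
```

Keep the parked logs until the recovery database has been mounted and the restore request has completed; only then do they become safe to delete.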


9. Put DB to clean shutdown

If the database is still in Dirty Shutdown state, we need to run an integrity check and hard-repair the database

eseutil /p .\MDB13.edb /g

DB repaired

10. Check if DB is in clean shutdown after repair

eseutil /mh .\MDB13.edb

Clean Shutdown

11. Delete all log files, since they are not needed anymore

12. Create recovery database

New-MailboxDatabase -Recovery -Name RDB_13 -Server SRVPF1 -EdbFilePath e:\lagged_mdb13\mdb13.edb -LogFolderPath e:\lagged_mdb13
WARNING: Recovery database 'RDB_13' was created using existing file e:\lagged_mdb13\mdb13.edb. The database must be
brought into a clean shutdown state before it can be mounted.

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
RDB_13                         SRVPF1   True            None

13. Mount database

Mount database by issuing command:

Mount-Database RDB_13

14. Gather data about the mailbox you want to restore

You need its display name or StoreMailbox GUID. For example, use this command:

get-mailboxdatabase rdb_13 | Get-MailboxStatistics | where {$_.Displayname -like "Niitty*"}


15. Restore mailbox

To restore mailbox use the following command:

New-MailboxRestoreRequest -SourceDatabase RDB_13 -SourceStoreMailbox "Surname, name" -TargetMailbox alias -AllowLegacyDNMismatch

16. Check results

Get-MailboxRestoreRequest "MailboxRestore"


Exchange 2010 – DAG – Mapi network issue (MapiAccessEnabled, IgnoreNetwork)

One of our customers has an ExRAAS (Exchange health and remediation check service) engagement every year to audit their environment for health, performance and implementation of MS best practices. The ExRAAS tools are developed every year, and this year's tool discovered a very interesting issue with DAG networks.


Our customer's DAG has 3 networks:

  • Production – meant to be client network, where only client traffic is enabled, replication traffic is disabled
  • Replication – not routable to MAPI network – custom 5Gbit bandwidth only for log replication
  • Backup – only for VSS backups, no MAPI nor replication traffic should flow there


By design the DAG is set so that the Backup network should be ignored. However, if I run the Get-DatabaseAvailabilityGroupNetwork command, I can see the MapiAccessEnabled parameter set to $True, even though this network doesn't have the Clients for Windows Networks feature enabled and, according to MS, it is not a supported network for clients. The magic starts when I set IgnoreNetwork to $false: right after the change, MapiAccessEnabled shows the correct value.

Get-DatabaseAvailabilityGroupNetwork DAG1\BACKUP | Set-DatabaseAvailabilityGroupNetwork -IgnoreNetwork $false
Get-DatabaseAvailabilityGroupNetwork | fl

RunspaceId         : 7d204cce-1dde-4e6f-9d52-cde8b238d2a9
Name               : BACKUP
Description        : VSS BACKUP Backup subnet - Ignored
Subnets            : {{,Up}, {,Up}}
Interfaces         : {{DC1MBX1,Up,}, {DC1MBX2,Up,}, {DC1MBX3,Up,172.24
                     .188.112}, {DC1PF1,Up,}, {DC2MBX1,Up,}, {DC2MBX2,U
                     p,}, {DC2MBX3,Up,}, {DC2PF1,Up,}}
MapiAccessEnabled  : False
ReplicationEnabled : False
IgnoreNetwork      : False
Identity           : DAG1\BACKUP
IsValid            : True

RunspaceId         : 7d204cce-1dde-4e6f-9d52-cde8b238d2a9
Name               : MAPI
Description        : Production and possible replication
Subnets            : {{,Up}}
Interfaces         : {{DC1MBX1,Up,}, {DC1MBX2,Up,}, {DC1MBX3,Up,192.168
                     .0.112}, {DC1PF1,Up,}, {DC2MBX1,Up,}, {DC2MBX2,
                     Up,}, {DC2MBX3,Up,}, {DC2PF1,Up,}}
MapiAccessEnabled  : True
ReplicationEnabled : False
IgnoreNetwork      : False
Identity           : DAG1\MAPI
IsValid            : True

RunspaceId         : 7d204cce-1dde-4e6f-9d52-cde8b238d2a9
Name               : REPLICATION
Description        : Only replication
Subnets            : {{,Up}}
Interfaces         : {{DC1MBX1,Up,}, {DC1MBX2,Up,}, {DC1MBX3,Up,10.146.2
                     31.28}, {DC1PF1,Up,}, {DC2MBX1,Up,}, {DC2MBX2,Up,10
                     .147.231.27}, {DC2MBX3,Up,}, {DC2PF1,Up,}}
MapiAccessEnabled  : False
ReplicationEnabled : True
IgnoreNetwork      : False
Identity           : DAG1\REPLICATION
IsValid            : True

When I change the Ignorenetwork back to $true, MapiAccessEnabled is set to $True as well.

Get-DatabaseAvailabilityGroupNetwork DAG1\BACKUP | Set-DatabaseAvailabilityGroupNetwork -IgnoreNetwork $true
Get-DatabaseAvailabilityGroupNetwork | fl

RunspaceId         : 7d204cce-1dde-4e6f-9d52-cde8b238d2a9
Name               : BACKUP
Description        : VSS BACKUP Backup subnet - Ignored
Subnets            : {{,Up}, {,Up}}
Interfaces         : {{DC1MBX1,Up,}, {DC1MBX2,Up,}, {DC1MBX3,Up,172.24
                     .188.112}, {DC1PF1,Up,}, {DC2MBX1,Up,}, {DC2MBX2,U
                     p,}, {DC2MBX3,Up,}, {DC2PF1,Up,}}
MapiAccessEnabled  : True
ReplicationEnabled : False
IgnoreNetwork      : True
Identity           : DAG1\BACKUP
IsValid            : True


This led to errors in the ExRAAS report and to the question of what the right way is. How should I handle the network configuration? The better way is to set the IgnoreNetwork parameter to $True and just ignore MapiAccessEnabled being $True. This article will be updated after I get a resolution from MS. It is also worth mentioning that the latest best practice says that compression and encryption should be ENABLED on the DAG replication network!



Exchange federation trust – part 2.

Finally, here is the continuation of the previous article about Exchange federation trust. So we have established the trust between the Microsoft Federation Gateway and our organizations. The next step is to configure the inter-organizational behaviour. It is a mesh-like net, where a 1:1 organization relationship is established.


  • The Autodiscover service must be accessible on at least one CAS server from the internet
  • EWS should be accessible on at least one server, and its External URL should match the name accessible from the internet and the 3rd-party certificate's SN or SAN name

Organization Relationship

Once we have configured our organizations to trust the MS Federation Gateway, we can use it to create an organization relationship. We use the Get-FederationInformation command against the opposite organization and pipe it to create the new organization relationship. The access level on both sides of the relationship should be the same.

In our organization:

Get-FederationInformation -DomainName metrosys.cz | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name <foreignorganizationname> -FreeBusyAccessEnabled $True -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://email.foreigndomain.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames .cz -TargetApplicationURI http://fydibohf25spdlt.foreigndomain.cz/ -TargetSharingEpr 

Note: Domain names are CASE SENSITIVE!
Result of creation test:

Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity primarysmtpaddress@salonovi.cz -Verbose

OK success rel test

In foreign organization:

Get-FederationInformation -DomainName salonovi.cz | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name  -FreeBusyAccessEnabled $True -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames salonovi.cz -TargetApplicationURI http://fydibohf25spdlt.salonovi.cz/ -TargetSharingEpr https://mail.salonovi.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!

Finally, the result of a proper configuration is that you can see the Free/Busy limited details of users in the foreign organization

Errors you might face

The index error is caused by a domain name inserted in the wrong case (in my case Metrosys.cz instead of metrosys.cz) or by wrong URLs for EWS or Autodiscover.


The errors in the following picture are caused by wrong or misspelled URLs (self-explanatory)


Usually the Autodiscover URL is created in the format https://autodiscover.domainname.cz/autodiscover/autodiscover.xml; however, the federation trust uses the Autodiscover service, whose URL is https://autodiscover.domainname.cz/autodiscover/autodiscover.svc/WSSecurity, where WSSecurity is the authentication used by the federation trust:



SMTP certificate renewal and EDGE subscription

I had to renew the SMTP certificate on EDGE servers. Here is the procedure for renewing the certificate and re-creating the Edge subscription. This procedure starts when the CSR has been created and we have received the certificate from the trusted CA.

1. Import new certificate
To import certificate to local certification store run:

import-exchangecertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect pending request to certificate
If step 1 failed to connect certificates together inside certification store run:

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

Explanation can be found in my previous article: http://ficility.net/2013/02/25/exchange-2010-complete-certificate-request-problem/

3. Enable new Exchange certificate for SMTP service
Before a certificate can be used, it must be enabled for the particular services.

Enable-ExchangeCertificate <thumbprint> -Services SMTP


[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart transport service and AD LDS service
At this moment e-mail stops flowing to this EDGE server, because AD LDS is using the new certificate and the Edge is subscribed with the old one.

5. Create the subscription file (XML) on the Edge server and copy it to the HUB server
We don't need to create connectors for the EDGE subscription, since those already exist. The EDGE must be subscribed to the AD site within 24 hours of the creation of the subscription file.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false


[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateIternetSendConnector $false -CreateInboundSendConnector $false

The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe EDGE server on HUB by subscription file (XML).
We need to re-create the trusted connection between the Edge server and the HUB servers. The subscription needs to be re-created because AD LDS needs to use the new certificate instead of the old one. It is enough to subscribe each EDGE server once per subscription.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

7. Restart EDGE server
Just to be sure all settings are applied before tests.

8. Test Edge Subscription
If the test is not successful you receive an error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode

RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrati
                              ve Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mailflow

10. To start Edge synchronization manually



[PS] C:\Windows\system32>Start-EdgeSynchronization

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0


Exchange 2010 – The ActiveSyncDevice identity cannot be found

Why not mention the Exchange 2010 bug: The ActiveSyncDevice identity cannot be found.


  • The user has a Microsoft Exchange ActiveSync partnership that works as expected.
  • You move the user to a new organizational unit (OU) or rename a user account in Active Directory Domain Services (AD DS).
  • You try to perform a remote wipe operation for the device in the Exchange Management Console (EMC).





Get-ActiveSyncDevice -Mailbox 00164 | select UserDisplayName,Identity 

UserDisplayName : liintra.intra/Users/00164
Identity : liintra.intra/Users2/00164/ExchangeActiveSyncDevices/NokiaEmail§IMiEI284675044284679

Affected objects can be found and reported (csv):

[PS] C:\>Get-ActiveSyncDevice -ResultSize unlimited | sort -Property Identity -Unique | select Identity,UserDisplayName | ? {$_.Identity -notmatch $_.UserDisplayName} | select UserDisplayName,Identity  | Export-Csv -Delimiter "," -Encoding unicode -Path "C:\Users\filip\Desktop\Report170413.txt"


  • Remove-ActiveSyncDevice -Identity "new path = Identity from Get-ActiveSyncDevice"
Remove-ActiveSyncDevice -Identity "liintra.intra/Users2/00164/ExchangeActiveSyncDevices/NokiaEmail§IMiEI284675044284679"
  • During the next mail sync the user's device will perform a full sync automatically, but the sync will take longer than usual.