Exchange federation trust – part 2.

Finally, here is the continuation of the previous article about Exchange federation trust. We have established the trust between the Microsoft Federation Gateway and our organizations; the next step is to configure the inter-organizational behaviour. It is a mesh-like network in which each pair of organizations establishes a 1:1 organization relationship.

Prerequisites

  • Autodiscover service must be accessible to at least one CAS server from the internet
  • EWS should be accessible on at least one server, and its External URL should match the name accessible from the internet and the subject name (SN) or SAN name of the 3rd-party certificate

Organization Relationship

Once we have configured our organizations to trust the MS Federation Gateway, we can use it to create the organization relationship. We run Get-FederationInformation against the opposite organization and pipe the result into New-OrganizationRelationship. The access level on both sides of the relationship should be the same.

In our organization:

Get-FederationInformation -DomainName metrosys.cz | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name <foreignorganizationname> -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://email.foreigndomain.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames foreigndomain.cz -TargetApplicationURI http://fydibohf25spdlt.foreigndomain.cz/ -TargetSharingEpr https://email.foreigndomain.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!
Result of the relationship test:

Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity primarysmtpaddress@salonovi.cz -Verbose

OK success rel test

In foreign organization:

Get-FederationInformation -DomainName salonovi.cz | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name <organizationname> -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames salonovi.cz -TargetApplicationURI http://fydibohf25spdlt.salonovi.cz/ -TargetSharingEpr https://mail.salonovi.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!

The result of a proper configuration is that you can see limited Free/Busy details of users in the foreign organization.

Errors you might face

The index error is caused by a domain name entered with the wrong case (in my case Metrosys.cz instead of metrosys.cz) or by wrong URLs for EWS or Autodiscover.

test-orgrel_indexerror

The errors in the following picture are caused by wrong or misspelled URLs (self-explanatory).

test_org_rel_err2

Usually the Autodiscover URL has the format https://autodiscover.domainname.cz/autodiscover/autodiscover.xml; however, the federation trust uses the Autodiscover service, whose URL is https://autodiscover.domainname.cz/autodiscover/autodiscover.svc/WSSecurity, where WSSecurity is the authentication used by the federation trust:

org_rel_res_our
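The three error causes above (mixed-case domain name, wrong EWS or Autodiscover URL, autodiscover.xml instead of the WS-Security .svc endpoint) can be caught before the relationship is created. The function below is an added example, not code from the original post: it fetches the partner's federation information the same way the pipeline above does and reports anything that would produce those errors. It assumes the Exchange Management Shell (Get-FederationInformation) and outbound HTTPS from the server; the partner domain is a parameter.

```powershell
# Added example (not from the original post): pre-flight check of a partner's
# published federation information before piping it to New-OrganizationRelationship.
function Test-PartnerFederationInformation {
    param([Parameter(Mandatory)][string]$DomainName)

    $info = Get-FederationInformation -DomainName $DomainName -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # The post attributes the index error to a domain name with the wrong case,
    # so flag every DomainNames entry that is not all lower-case.
    foreach ($d in @($info.DomainNames)) {
        $name = $d.ToString()
        if ($name -cne $name.ToLowerInvariant()) {
            $findings.Add("DomainNames entry '$name' is not lower-case")
        }
    }

    # Federation talks to the WS-Security SOAP endpoint, not to autodiscover.xml.
    $epr = $info.TargetAutodiscoverEpr
    if ($null -eq $epr) {
        $findings.Add('TargetAutodiscoverEpr is empty')
    }
    elseif ($epr.AbsoluteUri -notmatch '/autodiscover/autodiscover\.svc/wssecurity$') {
        $findings.Add("TargetAutodiscoverEpr is not the WS-Security endpoint: $($epr.AbsoluteUri)")
    }
    else {
        # Any HTTP status (even 401/405) proves DNS, routing and TLS work; a name
        # resolution or certificate failure surfaces as an exception with no response.
        try {
            Invoke-WebRequest -Uri $epr -Method Head -UseBasicParsing -ErrorAction Stop | Out-Null
        }
        catch [System.Net.WebException] {
            if ($null -eq $_.Exception.Response) {
                $findings.Add("TargetAutodiscoverEpr unreachable: $($_.Exception.Message)")
            }
        }
    }

    [pscustomobject]@{
        DomainName            = $DomainName
        DomainNames           = @($info.DomainNames | ForEach-Object { $_.ToString() })
        TargetApplicationUri  = $info.TargetApplicationUri
        TargetAutodiscoverEpr = $epr
        Findings              = $findings.ToArray()
        ReadyForRelationship  = ($findings.Count -eq 0)
    }
}

# Usage: run the check first, then create the relationship as shown above
# Test-PartnerFederationInformation -DomainName metrosys.cz
```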

Exchange 2013 – Set Page file size via PS

The page file size minimum and maximum must be set to physical RAM plus 10 MB for Exchange 2013.

The recommended page file size also accounts for the memory that’s needed to collect information if the operating system stops unexpectedly. On 64-bit operating systems, memory can be written as a dump file to the paging file. This file must reside on the boot volume of the server (source: Exchange 2013 System Requirements)

You can use the following cmdlets to set the required size:

# Physical RAM plus 10 MB, expressed in MB (Win32_PageFileSetting sizes are in MB)
$PageFileSize = [math]::Truncate(((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory + 10MB) / 1MB)

# Turn off the system-managed page file, otherwise the explicit sizes are ignored
Set-CimInstance -Query "Select * from Win32_ComputerSystem" -Property @{AutomaticManagedPagefile = $false}

# Fixed size: minimum equals maximum; the change takes effect after a reboot
Set-CimInstance -Query "Select * from Win32_PageFileSetting" -Property @{InitialSize = $PageFileSize; MaximumSize = $PageFileSize}
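The settings above only take effect after a reboot, so it is worth verifying the result afterwards. The function below is an added example (not from the original post) that recomputes the expected value the same way and compares it with what Win32_PageFileSetting reports, including the system-managed flag and the boot-volume requirement quoted above.

```powershell
# Added example (not from the original post): verify the Exchange 2013 page file rule.
function Test-ExchangePageFile {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Same rule as in the post: physical RAM plus 10 MB, in MB
    $expectedMB = [math]::Truncate(($cs.TotalPhysicalMemory + 10MB) / 1MB)
    $settings = @(Get-CimInstance -ClassName Win32_PageFileSetting)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($cs.AutomaticManagedPagefile) {
        $findings.Add('Page file is still system-managed; explicit sizes are ignored')
    }
    if ($settings.Count -eq 0) {
        $findings.Add('No Win32_PageFileSetting instance: no page file is configured')
    }
    foreach ($s in $settings) {
        if ($s.InitialSize -ne $expectedMB -or $s.MaximumSize -ne $expectedMB) {
            $findings.Add("$($s.Name): Initial=$($s.InitialSize) MB, Maximum=$($s.MaximumSize) MB, expected $expectedMB MB")
        }
    }
    # The memory dump is written into the paging file, so one must sit on the boot volume
    $onBoot = @($settings | Where-Object { $_.Name -like "$env:SystemDrive*" })
    if ($settings.Count -gt 0 -and $onBoot.Count -eq 0) {
        $findings.Add("No page file on the boot volume $env:SystemDrive")
    }
    # Win32_PageFileUsage shows what is in use now; a mismatch means a reboot is still pending
    $inUse = @(Get-CimInstance -ClassName Win32_PageFileUsage |
               ForEach-Object { "$($_.Name)=$($_.AllocatedBaseSize) MB" })

    [pscustomobject]@{
        ExpectedMB = $expectedMB
        Configured = @($settings | ForEach-Object { "$($_.Name)=$($_.InitialSize)-$($_.MaximumSize) MB" })
        InUseNow   = $inUse
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Usage: Test-ExchangePageFile
```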

Exchange 2013 – How to change config xml files in PowerShell

Let me show you with a few examples how we can modify Exchange config files (e.g. EdgeTransport.exe.config) in PowerShell.

Change value

For example, change the key AgentLogEnabled and its value:

$EdgeTransportPath = "D:\Exchsrvr\Bin\EdgeTransport.exe.config"
[xml]$EdgeTransport = Get-Content -Path $EdgeTransportPath   # parse the file into an XmlDocument
# Exact key match; -Match is a regular expression and could also hit similarly named keys
($EdgeTransport.configuration.appSettings.add | Where-Object key -eq "AgentLogEnabled").value = "False"
$EdgeTransport.Save($EdgeTransportPath)   # write the document back; the service reads it on restart

Create element

$EdgeTransportPath = "D:\Exchsrvr\Bin\EdgeTransport.exe.config"
[xml]$EdgeTransport = Get-Content -Path $EdgeTransportPath
$element = $EdgeTransport.CreateElement('add')   # new <add key="..." value="..."/> element
$element.SetAttribute('key', 'AgentLogLevel')
$element.SetAttribute('value', 'Disabled')
[void]$EdgeTransport.configuration.appSettings.AppendChild($element)   # [void] suppresses the echo of the appended node
$EdgeTransport.Save($EdgeTransportPath)

Remove element

$EdgeTransportPath = "D:\Exchsrvr\Bin\EdgeTransport.exe.config"
[xml]$EdgeTransport = Get-Content -Path $EdgeTransportPath
$element = $EdgeTransport.configuration.appSettings.add | Where-Object key -eq "AgentLogLevel"
[void]$EdgeTransport.configuration.appSettings.RemoveChild($element)   # fails if the key is not present ($element is $null)
$EdgeTransport.Save($EdgeTransportPath)
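The three snippets above are one workflow: find the key, change or create it, save. The function below is an added example (not from the original post) that folds them into one idempotent operation with an exact-match XPath lookup and a timestamped backup of the file, so that a bad edit can be rolled back. The path and key names are parameters; the service that owns the file still has to be restarted to pick up the change.

```powershell
# Added example (not from the original post): idempotent appSettings edit with backup.
function Set-ExchangeAppSetting {
    param(
        [Parameter(Mandatory)][string]$Path,    # e.g. D:\Exchsrvr\Bin\EdgeTransport.exe.config
        [Parameter(Mandatory)][string]$Key,     # e.g. AgentLogEnabled
        [string]$Value,                         # e.g. False (not needed with -Remove)
        [switch]$Remove                         # delete the key instead of setting it
    )
    if (-not $Remove -and -not $PSBoundParameters.ContainsKey('Value')) {
        throw 'Value is required unless -Remove is used'
    }
    if ($Key.Contains("'")) { throw 'Key must not contain an apostrophe (used in the XPath below)' }

    # Keep a copy beside the original; the timestamp avoids overwriting an earlier backup
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true      # keep the file's original indentation on save
    $doc.Load($Path)

    $appSettings = $doc.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) {
        $appSettings = $doc.DocumentElement.AppendChild($doc.CreateElement('appSettings'))
    }
    # Exact match on the key attribute; SelectSingleNode returns $null when the key is absent
    $node = $appSettings.SelectSingleNode("add[@key='$Key']")

    if ($Remove) {
        if ($null -eq $node) { $action = 'absent' }
        else { [void]$appSettings.RemoveChild($node); $action = 'removed' }
    }
    elseif ($null -ne $node) {
        if ($node.GetAttribute('value') -ceq $Value) { $action = 'unchanged' }
        else { $node.SetAttribute('value', $Value); $action = 'updated' }
    }
    else {
        $node = $doc.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($node)
        $action = 'created'
    }

    if ($action -in 'unchanged', 'absent') {
        Remove-Item -LiteralPath $backup     # nothing changed, so no backup is needed
        $backup = $null
    }
    else {
        $doc.Save($Path)
    }
    [pscustomobject]@{ Path = $Path; Key = $Key; Action = $action; Backup = $backup }
}

# Usage (the same three edits as the snippets above):
# Set-ExchangeAppSetting -Path 'D:\Exchsrvr\Bin\EdgeTransport.exe.config' -Key AgentLogEnabled -Value False
# Set-ExchangeAppSetting -Path 'D:\Exchsrvr\Bin\EdgeTransport.exe.config' -Key AgentLogLevel -Value Disabled
# Set-ExchangeAppSetting -Path 'D:\Exchsrvr\Bin\EdgeTransport.exe.config' -Key AgentLogLevel -Remove
```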

Other methods

ToString, AppendChild, Clone, CloneNode, CreateAttribute, CreateCDataSection, CreateComment, CreateDocumentFragment, CreateDocumentType, CreateElement, CreateEntityReference, CreateNavigator, CreateNode, CreateProcessingInstruction, CreateSignificantWhitespace, CreateTextNode, CreateWhitespace, CreateXmlDeclaration, Equals, GetElementById, GetElementsByTagName, GetEnumerator, GetHashCode, GetNamespaceOfPrefix, GetPrefixOfNamespace, GetType, ImportNode, InsertAfter, InsertBefore, Load, LoadXml, Normalize, PrependChild, ReadNode, RemoveAll, RemoveChild, ReplaceChild, Save, SelectNodes, SelectSingleNode, Supports, Validate, WriteContentTo, WriteTo

Exchange config files

EdgeTransport.exe.config, Microsoft.Exchange.AntispamUpdateSvc.exe.config, Microsoft.Exchange.Diagnostics.Service.exe.config, Microsoft.Exchange.Directory.TopologyService.exe.config, Microsoft.Exchange.EdgeSyncSvc.exe.config, Microsoft.Exchange.ProtectedServicehost.exe.config, Microsoft.Exchange.RpcClientAccess.Service.exe.config, Microsoft.Exchange.Search.Service.exe.config, Microsoft.Exchange.Servicehost.exe.config, Microsoft.Exchange.Store.Service.exe.config, Microsoft.Exchange.Store.Worker.exe.config, Microsoft.Exchange.TransportSyncManagerSvc.exe.config, mmc.exe.config, MSExchangeDelivery.exe.config, MSExchangeFrontEndTransport.exe.config, MSExchangeHMHost.exe.config, MSExchangeHMWorker.exe.config, MSExchangeMailboxAssistants.exe.config, MsExchangeMailboxReplication.exe.config, msexchangerepl.exe.config, MSExchangeSubmission.exe.config, MSExchangeThrottling.exe.config, MSExchangeTransport.exe.config, MSExchangeTransportLogSearch.exe.config, SetupUI.exe.config, UMservice.exe.config, UMWorkerProcess.exe.config

Exchange 2013 RTM CU1 – released

The Exchange team released Exchange 2013 RTM CU1.

Blog: http://blogs.technet.com/b/exchange/archive/2013/04/02/released-exchange-server-2013-rtm-cumulative-update-1.aspx

Download: http://www.microsoft.com/en-us/download/details.aspx?id=38176

Enjoy coexistence with Exchange 2010 SP3 and Exchange 2007 SP3 RU10!

Exchange – Offline Address Book – OAB download methods, Cached vs Online

Theory

By default the OAB is a point-in-time snapshot of the global address list, used as a cached source of information about Exchange recipient properties. The OAB is stored on Exchange servers (see my previous article http://ficility.net/2013/03/04/oab-differences-between-exchange-2010-and-exchange-2013-in-brief/) and downloaded to the client once Outlook is configured in Cached mode. I would like to test the modes of using the address book while Outlook is in Cached mode. There are several methods to download the OAB. These methods depend on Outlook registry settings (full article here: http://support.microsoft.com/kb/823580). In short:

If the following registry key is present (XX.0 is the Office version, 15.0 for Office 2013), Outlook behaves according to the DWORD value inside it:

HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook 
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\XX.0\Outlook

DownloadOAB DWORD supported values:
  0 = The Offline Address Book does not download automatically.
  1 = The Offline Address Book uses the Download Full Items download mode. This is the default setting.
  2 = Download the Offline Address Book in any download mode, but download a differential update in the Header only download mode.
  3 = Always download the Offline Address Book and a differential update in one of the following download modes:
      Download Headers and then Full Items
      Download Full Items
      Download Headers

The goal of this article is to test the differences in OAB behavior between modes 0 and 1. I want to see how it looks when:

1) Mode 1 – The Offline Address Book uses the Download Full Items download mode.
a) Download OAB and check
b) Change GAL and test downloading OAB instantly
c) Update OAB and check

2) Mode 0 – The Offline Address Book does not download automatically.
a) Test behavior once mode 0 is configured while old OAB files are still on the client
b) Test behavior once mode 0 is configured while old OAB files are removed from client

Test scenarios

1) Mode 1 – The Offline Address Book uses the Download Full Items download mode.

By default the OAB is downloaded from the server hosting the active mailbox database with the organization mailbox (or in 2010 from the CAS server distribution point, or in 2007 and 2010 from Public Folders).

a) Download OAB and check

I have opened the OAB from my mailbox and the result is in the picture.

1-Before change

b) Change GAL and test downloading OAB instantly

Creating a mailbox doesn't update the OAB itself. To create the mailbox, use the command

New-Mailbox OAB_Test_o1 -UserPrincipalName OABTestO1@salonovi.cz
WARNING: A script or application on the FRONTEND1.SALONOVI.CZ remote computer is sending a prompt request. When
prompted, enter sensitive information such as credentials or password only if you trust the remote computer and the
application or script requesting it.

cmdlet New-Mailbox at command pipeline position 1
Supply values for the following parameters:
Password: ********

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
OAB_Test_o1               OABTestO1            backend1         Unlimited

c) Update OAB and check

To update the OAB, use the command

Get-OfflineAddressBook | Update-OfflineAddressBook

Now I have tested whether the OAB change is reflected on the client computer (it should not be)

1-After_change_Before_Download

And now I have downloaded the new OAB to the client and tested again

1-After change and download

2) Mode 0 – The Offline Address Book does not download automatically

With a single registry key setting the Outlook client will work online from the address book point of view, BUT! This setting also requires cleaning up the OAB files from the client computer to behave correctly. I will test both possibilities and try to find the differences in behavior.

First I will set up the registry key and restart Outlook

In my lab I don't use any special GPO, so the setting is done via the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook

2-Registry change - Added

OAB files are left on the client

a) Test behavior once mode 0 is configured while old OAB files are still on the client

The new mailbox should be immediately visible to the client without the need to download the OAB, since the information should be available online.

b) Change GAL and test if it appears immediately to client

The change in the OAB is not visible immediately, because we have OAB files on the client computer and Outlook uses those!

New-Mailbox OAB_Test_o2 -UserPrincipalName OABTestO2@salonovi.cz

2-RAfter change - no download!

c) Update OAB automatically by restarting Outlook

If Outlook is restarted, the OAB version is checked / downloaded from the Exchange server.

2-RAfter change - after download!

AND NOW THE NAUGHTY stuff! The OAB is not updated anymore even if you download the files successfully from Exchange. In this state Outlook is stuck somewhere between mode 0 and mode 1 and updates are not received by the client.

d) Update OAB and download the change to the client manually even though mode 0 is used

In this scenario I would like to prove that setting mode 0 is not the only thing to consider to have Outlook work correctly.

  • To update the OAB, use the command
Get-OfflineAddressBook | Update-OfflineAddressBook
  • Download the OAB to the client and check whether the changes are displayed to the client.

2 - OAB manual download result

Changes are only reflected if I manually download a full or incremental copy of the address book. The OAB is not downloaded during client startup!

OAB files are removed from client

a) Test behavior once mode 0 is configured while old OAB files are removed from the client

I added a new mailbox again and updated the OAB, but this time I have removed all OAB-related files from the client. Changes should appear to the client immediately.

To remove the OAB files:

  • locate:
    c:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook\Offline Address Books\
  • Delete folders
    Example: (c:\Users\lelicek\AppData\Local\Microsoft\Outlook\Offline Address Books\6a285982-48d6-43ee-979b-f84dd5b7d989\)
  • Start Outlook
  • After Outlook startup, the folders will be re-created, but will be empty. It proves that mode 0 is set on the Outlook client.
  • open Offline Address Book
  • Newly created mailbox should be here

2 - OAB folders removed change present

d) Make a change in the GAL and test whether it appears immediately on the client

  • Create new mailbox
New-Mailbox OAB_Test_o5 -UserPrincipalName OABTesto5@salonovi.cz
  • Open Offline Address Book and new mailbox should be again there

2 - OAB folders removed change present again

e) Download the OAB manually and test whether changes made to the GAL after the OAB download will be immediately visible to the client

2 - OAB manual download

Conclusion

Mode 1

  • The conclusion is that mode 1 works fine, as it should, and the user will get the updated OAB after the regular OAB update schedule or after a manual run of the Update-OfflineAddressBook command.
  • Note that in Exchange 2010 you must restart the File Distribution service to distribute the updated OAB to the web distribution points. In Exchange 2013 this is not needed anymore.

Mode 0

  • Use mode 0 only in case you make a lot of changes in the GAL and need clients to see the changes immediately while keeping the advantages of an Outlook Cached mode connection.
  • Once mode 0 is used, the administrator has to make sure that the OAB files are removed from the client computer (for example by logon script / GPO); otherwise the user must use a manual OAB update via Send/Receive -> Send/Receive Groups / Download Address Book.
  • If the user manually downloads the OAB while mode 0 is used, the online functionality will STOP working from that time until the OAB files are deleted again!
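The conclusions above boil down to one client-side check: is DownloadOAB set to 0 while OAB files are still cached? The function below, an added example that is not part of the original article, reads the mode from both registry locations (the policy key is checked first, as it takes precedence), counts the cached OAB files and reports the stuck combination; with -RemoveOabFiles it performs the cleanup the article recommends. Office version 15.0 (Office 2013) is assumed as the default.

```powershell
# Added example (not from the original article): report the Outlook DownloadOAB mode
# and whether cached OAB files would keep the client "stuck" between mode 0 and 1.
function Get-OutlookOabState {
    param(
        [string]$OfficeVersion = '15.0',   # 15.0 = Office 2013, the XX.0 of the article
        [switch]$RemoveOabFiles            # delete cached OAB folders when mode 0 is set
    )
    # Policy key first: a GPO-delivered value overrides the per-user one
    $keys = @(
        "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook",
        "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
    )
    $mode = $null
    $source = 'default (DownloadOAB not set)'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name DownloadOAB -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $mode = [int]$item.DownloadOAB
            $source = $key
            break
        }
    }
    if ($null -eq $mode) { $mode = 1 }   # KB 823580: 1 (Download Full Items) is the default

    $meaning = @{
        0 = 'no automatic download (online address book)'
        1 = 'Download Full Items (default)'
        2 = 'any download mode, differential update in Header only mode'
        3 = 'always download, differential update in any download mode'
    }

    # Cached OAB files live under the per-profile GUID folders shown in the article
    $oabRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\Offline Address Books'
    $oabFiles = @(Get-ChildItem -Path $oabRoot -Recurse -File -ErrorAction SilentlyContinue)

    # Mode 0 plus cached files is the state in which Outlook keeps serving the stale OAB
    $stuck = ($mode -eq 0 -and $oabFiles.Count -gt 0)
    $removed = 0
    if ($stuck -and $RemoveOabFiles) {
        if (Get-Process -Name outlook -ErrorAction SilentlyContinue) {
            throw 'Close Outlook before removing the OAB files.'
        }
        Get-ChildItem -Path $oabRoot -Directory | Remove-Item -Recurse -Force
        $removed = $oabFiles.Count
        $oabFiles = @()
        $stuck = $false
    }

    [pscustomobject]@{
        DownloadOAB       = $mode
        Meaning           = $meaning[$mode]
        Source            = $source
        CachedOabFiles    = $oabFiles.Count
        RemovedOabFiles   = $removed
        OnlineModeBlocked = $stuck   # True = mode 0 configured but old files still in use
    }
}

# Usage: Get-OutlookOabState                  # report only
#        Get-OutlookOabState -RemoveOabFiles  # report and clean up (Outlook closed)
```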

Exchange federation trust – part 1.

I need to configure a federation trust between two organizations, but what is a federation trust? It is a secure, trusted connection between separate organizations which need to share their internal data (from the Exchange point of view this is calendar, Free/Busy and contact information and more; see Set-OrganizationRelationship) without the need to establish special forest/domain trusts or VPN connections, or to buy expensive synchronization servers.

Federation trust works on the basis of the free Microsoft cloud service Microsoft Federation Gateway. The Microsoft Federation Gateway acts as a middle authority with which every Exchange organization needs to establish a one-time trust before it can communicate with the others. After the one-time trust is established, the Microsoft Federation Gateway issues SAML tokens for users who request information about users from a federated Exchange organization. These tokens are then trusted by the federated partners and contain the user's e-mail address, an immutable (constant) identifier and the action for which the token is issued.
If we picture the description above, all Exchange organizations are trusted by the Microsoft Federation Gateway, but that alone does not let them communicate with each other: a 1:1 trust relationship, the "Organization Relationship", must first be established between the 2 Exchange organizations. An Organization Relationship connects 2 Exchange organizations and allows them to share the data defined by Sharing policies.

In the first part of the article I will go through the prerequisites you need before configuring the federation trust, the actual configuration of the federation trust with the Microsoft Federation Gateway, and the configuration of the Federated Organization Identifier. Configuration of the Organization Relationship will be part 2 of this series. The reason is simple: I don't have the DNS records in place at the time of writing this article.

For full technology description please visit MS Technet

Prerequisites

  • The Autodiscover and EWS virtual directories must be published to the internet (or, if an internal connection exists between your organizations, they must be accessible in both directions)
  • The federation trust needs WSSecurity authentication enabled on the EWS and Autodiscover virtual directories

Run the following commands to check if all of these are in place:

Get-ClientAccessServer | Get-WebServicesVirtualDirectory |select *auth*

CertificateAuthentication     :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
OAuthAuthentication           : True
AdfsAuthentication            : False

Get-ClientAccessServer | Get-AutodiscoverVirtualDirectory |select *auth*

InternalAuthenticationMethods : {Basic, OAuth}
ExternalAuthenticationMethods : {Basic, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication      : False
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : False
OAuthAuthentication           : True
AdfsAuthentication            : False

As you can see in the result, the AutoDiscover virtual directory doesn't have WSSecurity authentication enabled. To enable it, use the command below, followed by an IIS reset.

Get-ClientAccessServer | Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true

After these are ready, we can continue configuring Federation trust.

Federation trust

  • To get the federation trust working we need to generate a self-signed certificate with a unique Subject Key Identifier. This certificate will be used to sign and encrypt delegation tokens (a 3rd-party signing certificate can be used too, but why, if we can use a free self-signed one with a longer validity period).

The first command generates the unique SKI, the second generates the certificate:

$ski = [System.Guid]::NewGuid().ToString("N")
New-ExchangeCertificate -FriendlyName "Exchange Federated Sharing" -DomainName "salonovi.cz" -Services Federation -KeySize 2048 -PrivateKeyExportable $true -SubjectKeyIdentifier $ski

The next command creates the federation trust, but we are not able to communicate with the MFG yet.

Get-ExchangeCertificate | ?{$_.friendlyname -eq "Exchange Federated Sharing"} | New-FederationTrust -Name "Microsoft Federation Gateway"

To be able to communicate with the MFG we must prove that the domains which will be defined in the Federated Organization Identifier are owned by us. This is accomplished by adding HASHES as TXT records to our DNS.
The hashes can be gathered by the following commands. The domain FYDIBOHF25SPDLT.salonovi.cz is used to create the namespace for communication between organizations and, to be honest, I am not sure if this hash needs to be in place, but I put it there to be sure it works.

Get-FederatedDomainProof -DomainName salonovi.cz

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
DomainName : salonovi.cz
Name       : OrgPrivCertificate
Thumbprint : 82E68E80B61290475025A0E9737FECE922D4E8C3
Proof      : EmJKFNW+frdgGM+fkDZyKE+nbJzdRaouCKM2NHNzIjgVPB6TuwlEmWdqxCa1BWuxfTth+Do2R+fLLbbahTWmLg==
DnsRecord  : salonovi.cz TXT IN 
             EmJKFNW+frdgGM+fkDZyKE+nbJzdRaouCKM2NHNzIjgVPB6TuwlEmWdqxCa1BWuxfTth+Do2R+fLLbbahTWmLg==

Get-FederatedDomainProof -DomainName FYDIBOHF25SPDLT.salonovi.cz

The format of DNS records is as follows:

salonovi.cz TXT IN <hash>

And a live example is:

FYDIBOHF25SPDLT.salonovi.cz TXT IN iE64T7bsM8auQUYoAD/Dc/+sEAieDjG6gJFkGvZRIvyb+5FiwjCQY8BiIrrwafVUr7r3VdyAOXm9F/eb0R8kuA==
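A check to run before Set-FederatedOrganizationIdentifier, added here as an example (not from the original article): for each domain it compares the proof strings Exchange expects with the TXT records a public resolver actually returns. It assumes the Exchange Management Shell for Get-FederatedDomainProof and Resolve-DnsName from the DnsClient module (Windows Server 2012 or later); the resolver 8.8.8.8 is an arbitrary public choice.

```powershell
# Added example (not from the original article): verify the federated domain proof
# TXT records from an external resolver before enabling the organization identifier.
function Test-FederatedDomainProofRecord {
    param(
        [Parameter(Mandatory)][string[]]$DomainName,
        [string]$Resolver = '8.8.8.8'     # ask an external resolver, not the internal AD DNS
    )
    foreach ($domain in $DomainName) {
        # One proof per federation certificate: the current one and, after a rollover, the previous one
        $expected = @(Get-FederatedDomainProof -DomainName $domain | ForEach-Object { $_.Proof })

        # TXT records may be split into several strings; join them back into one value
        $published = @(Resolve-DnsName -Name $domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'TXT' } |
                       ForEach-Object { -join $_.Strings })

        # Base64 proofs are case sensitive, so compare with the case-sensitive operator
        $missing = @($expected | Where-Object { $published -cnotcontains $_ })

        [pscustomobject]@{
            DomainName     = $domain
            ExpectedProofs = $expected.Count
            PublishedTxt   = $published.Count
            MissingProofs  = $missing
            Ready          = ($expected.Count -gt 0 -and $missing.Count -eq 0)
        }
    }
}

# Usage: Test-FederatedDomainProofRecord -DomainName salonovi.cz, FYDIBOHF25SPDLT.salonovi.cz
```

Ready is false until every proof Exchange reports is visible from the outside, which is exactly when Get-FederationInformation against your own domain stops failing as shown below.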

After the hashes are in the external DNS, we can set the Federated Organization Identifier. It defines which domains of our organization will be enabled for federation and which federation trust they will use.
Before setting the Federated Organization Identifier we get the following results:

Get-FederatedOrganizationIdentifier

RunspaceId          : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
AccountNamespace    : missing
Domains             : missing
DefaultDomain       : missing
Enabled             : False
OrganizationContact : 
DelegationTrustLink : 
Identity            : Federation
IsValid             : True
ExchangeVersion     : 0.10 (14.0.100.0)
Name                : Federation
DistinguishedName   : CN=Federation,CN=SalonoviMail,CN=Microsoft 
                      Exchange,CN=Services,CN=Configuration,DC=salonovi,DC=cz
Guid                : 3a69e332-7156-4251-856c-f3cc17853e39
ObjectCategory      : salonovi.cz/Configuration/Schema/ms-Exch-Fed-OrgId
ObjectClass         : {top, msExchFedOrgId}
WhenChanged         : 1/7/2013 7:18:04 PM
WhenCreated         : 11/29/2011 9:21:30 PM
WhenChangedUTC      : 1/7/2013 6:18:04 PM
WhenCreatedUTC      : 11/29/2011 8:21:30 PM
OrganizationId      : 
OriginatingServer   : DC1.salonovi.cz
ObjectState         : Unchanged

Get-FederationInformation -DomainName salonovi.cz
Federation information could not be received from the external organization.
    + CategoryInfo          : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
    + FullyQualifiedErrorId : D04C5818,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
    + PSComputerName        : backend1.salonovi.cz

Federated Organization Identifier

Set-FederatedOrganizationIdentifier -Enabled $true -DefaultDomain salonovi.cz -AccountNamespace salonovi.cz -DelegationFederationTrust "Microsoft Federation Gateway"

The final step is to test whether the Federation Trust is working. I use the -Verbose parameter to troubleshoot, but in this example I was lucky and all worked as expected at first glance.

Test-FederationTrust -UserIdentity zbynek.salon@salonovi.cz

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : FederationMetadata
Type       : Success
Message    : The federation trust contains the same certificates published by the security token service in its 
             federation metadata.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : 7b47ba54-c78f-4d73-8337-a457b9ebfd1b
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.

The next part comes soon (tomorrow), continuing with setting up the 1:1 relationships.

IMAP pst file import problems – folders containing IMAP items (IPF.Imap) type are not displayed in Exchange 2010 / 2013 OWA

Problem description

I have been solving a problem in my friend's Exchange 2013 environment. After migration (from an IMAP profile) some folders were not visible in his OWA while they were visible in Outlook.
After research I found that every such folder is "different in properties", as seen in the picture below.

wrong properties

Hmm, what now? I don't want to use MFCMapi, since my friend has many folders. EWS? OK, but how?

Solution

Theory

  • As far as I understand Exchange, there are several kinds of permissions and properties; mailbox folder properties belong to MAPI and can be edited via MFCMapi (ExFolders) (http://mfcmapi.codeplex.com/) or via the EWS Managed API (http://www.microsoft.com/en-us/download/details.aspx?id=30141)
  • Yes, the Exchange Web Services Managed API allows you to write custom applications, but I am not a programmer. I downloaded a script from http://gsexdev.blogspot.cz/2012/02/ews-managed-api-and-powershell-how-to.html, for which I want to say thanks, and made additions to it.
  • Behind the scenes I found a nice TechNet discussion about how to change the folder class so that the folder becomes visible in OWA, because OWA doesn't show folders with IMAP items. The goal is to change the IPF.Imap class to IPF.Note. After changing it via EWS you will see the difference as in the picture below, and after a refresh OWA will work as needed.

Correct properties

  • As an administrator I am not keen on C#, so I will stay in my own domain: PowerShell (3.0), since I run the script on an Exchange 2013 server

Prerequisites

  • Before you even start to play with EWS, you need to install the EWS Managed API from this link: http://www.microsoft.com/en-us/download/details.aspx?id=30141 or a newer version (the link is from fall 2012)
  • After downloading, install it into the directory from which you run the script. Note that you will need to reference "Microsoft.Exchange.WebServices.dll", which is the key component of the EWS Managed API. An example from my script is below:

$dllpath = "d:\ExchangeScripts\EWSmanagedAPI\Microsoft.Exchange.WebServices.dll"

  • The next step is to give your user name full access to the mailbox which will be checked, and the impersonation role, which allows impersonating the mailbox under your user as if you were its owner. The command is as follows:

New-ManagementRoleAssignment -Name Impersonation -User administrator -Role ApplicationImpersonation

Script

The script can be downloaded from SkyDrive

 
$dllpath = "d:\ExchangeScripts\EWSmanagedAPI\Microsoft.Exchange.WebServices.dll" # Define DLL path
[void][Reflection.Assembly]::LoadFile($dllpath) # Load DLL

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2) # Define EWS service and schema version
$service.Url = New-Object System.Uri("https://email.domain.cz/EWS/Exchange.asmx") # Define URI of the EWS virtual directory

$MBXID = "mailbox.identity" # Define mailbox ID (or a list of them)

foreach ($MailboxIdentity in $MBXID) {
    Write-Host "Searching for $MailboxIdentity"
    $MailboxName = (Get-Mailbox -Identity $MailboxIdentity).PrimarySmtpAddress.ToString()
    $MailboxDName = (Get-Mailbox -Identity $MailboxIdentity).DisplayName

    $ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId -ArgumentList ([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress), $MailboxName # Define impersonation
    $service.ImpersonatedUserId = $ImpersonatedUserId # Impersonate the mailbox owner for all following EWS calls

    $folderid = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root, $MailboxName) # Root folder of the impersonated mailbox
    $f1 = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service, $folderid) # Bind to the root folder; fails early if impersonation or the EWS URL is wrong

    $fold = Get-MailboxFolderStatistics $MailboxIdentity # Complete folder list of the selected mailbox

    foreach ($mbxfolder in $fold) {
        # Define folder view; we really only want to return one object
        $fvFolderView = New-Object Microsoft.Exchange.WebServices.Data.FolderView(100) # Page size for returned folders
        $fvFolderView.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep # Deep = recursive search

        # Define a search filter that matches on the DisplayName of the folder
        $SfSearchFilter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName, $mbxfolder.Name)
        $findFolderResults = $service.FindFolders($folderid, $SfSearchFilter, $fvFolderView) # Online search performed by store.exe

        if ($findFolderResults.TotalCount -eq 0) {
            "Folder Doesn't Exist" # Info if the folder no longer exists
        }
        else {
            "Folder Exists"
            foreach ($Folder in $findFolderResults.Folders) { # Check the folder class of every match
                $Folder.FolderClass # Info about folder class
                if ($Folder.FolderClass -eq "IPF.Imap") { # If the folder class is the target type, change and update it
                    $Folder.FolderClass = "IPF.Note" # Folder class change in the local object
                    Write-Host "Updating folder $($Folder.DisplayName) to correct type IPF.Note. Folder will start to be visible in OWA"
                    $Folder.Update() # Push the folder class change to the mailbox via EWS
                }
            }
        }
    }
}

The script will generate some output to the host:

converting via script

How to connect to shared / additional mailbox via POP3 (Exchange 2010/2013)

This article is analogous to my previous article for IMAP: http://exkb.wordpress.com/2013/01/10/how-to-connect-to-shared-additional-mailbox-via-imap-exchange-20102013/

Test via Telnet:

  • The prerequisite here is to have plain text login set on the Exchange servers (POP3). Use the following commands to set plaintext login. The POP3 services must be restarted before the change takes effect.
Set-POPSettings -Server <SERVERNAME> -LoginType PlaintextLogin
Get-Service *pop* | Restart-Service
  • Type the following command into the command line. I use Windows Server 2008 R2 and the Telnet client feature is not installed by default, so if you don't have it, please install it via the Server Manager MMC.
telnet <name of your pop3 server> pop3 (where pop3 is the protocol keyword understood by the telnet client)
  • You will get an OK answer from your server if everything is OK
USER SALONOVI\Anatolij.Stokurev\Shared.Mailbox1 (according to the POP3 protocol you have to enter a valid username / password combination to log on to the mailbox)
PASS Minus30* (enter password)
LIST (list messages in the mailbox)
RETR 1 (retrieve the first message from the list)
QUIT (end session)
  • The result is in the following picture

result

Test via Outlook

  • Add a POP3 connection to your existing profile or create a new profile (File -> Account Settings -> New -> Manual Configuration -> POP/IMAP)
  • Open Settings
  • Change the settings according to the picture:

outlook settings

  • Our admin user doesn't have an e-mail address. Fill in the e-mail address of the shared account instead
  • In the username use the same syntax as before, "DOMAIN\USER\MAILBOXALIAS"
  • In the More Settings tab use the working configuration of your SMTP server
  • Hit NEXT and you will get the test window. After the test is OK you are ready to use the new profile with POP3 connected to the shared mailbox

How to connect to shared / additional mailbox via IMAP (Exchange 2010/2013)

I was solving this issue for one of our customers. They have an application which needs to log on to a mailbox via IMAP, but the administrator user doesn't have a mailbox. Here is the solution:

  • Administrator user “Anatolij.Stokurev” doesn´t have a mailbox
  • Anatolij.Stokurev needs to access mailbox “Shared.mailbox1”
  • Syntax to log on to additional / shared mailbox via IMAP is to use: DOMAIN\USERNAME\MAILBOXALIAS in username field and password in your application,
  • NOTE: get-credential command doesn´t accept syntax from point above (double in username) so you shoud enter credentials directly

Example:

  • I have created a shared mailbox in Exchange 2013 and a user in AD

shared creation1

I granted full access to the user Anatolij.Stokurev, who doesn't have a mailbox, by the command

Add-MailboxPermission Shared.Mailbox1 -user Anatolij.Stokurev -AccessRights FullAccess

permissions1

Note: you cannot add permissions for a user without a mailbox in EAC / ECP. PowerShell is the only option here.

Test via Telnet:

  • The prerequisite here is to have plain-text login set on the Exchange servers (IMAP). Use the following commands to set plain-text login. The IMAP services must be restarted before the change takes effect.
Set-IMAPSettings -Server <SERVERNAME> -LoginType PlaintextLogin
Get-Service *ima* | Restart-Service
  • Type the following command into the command line. I use Windows Server 2008 R2 and there the Telnet Client feature is not installed by default, so if you don't have it, please install it via the Server Manager MMC.
telnet <name of your imap server> imap (where imap is the keyword for the protocol used by the Telnet client)
  • You will get an OK answer from your server if everything is OK
a1 LOGIN SALONOVI\Anatolij.Stokurev\Shared.Mailbox1 Minus30* (according to the IMAP protocol you have to enter a valid username / password combination to log on to the mailbox)
a2 LIST "" "*" (list the folders in the mailbox)
a5 LOGOUT (end the session)
  • The result is in the following picture

result
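Both telnet walkthroughs (the POP3 one above and this IMAP one) need PlaintextLogin because telnet talks to ports 110/143 in the clear. The script below is an added example, not code from the original post: it runs the same USER/PASS or LOGIN sequence over the implicit-TLS ports 995/993, so PlaintextLogin can stay off and the credentials never cross the network unencrypted. The function and helper names, the host name in the sample call and the password prompt are assumptions; the DOMAIN\USER\MAILBOXALIAS identity syntax is the post's.

```powershell
function Test-SharedMailboxLogin {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][ValidateSet('POP3','IMAP')][string]$Protocol,
        [Parameter(Mandatory=$true)][string]$Identity,   # DOMAIN\USER\MAILBOXALIAS
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $port = if ($Protocol -eq 'POP3') { 995 } else { 993 }   # implicit-TLS ports
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)   # validates the certificate chain and the name in $Server
    $reader = New-Object System.IO.StreamReader($ssl)
    $writer = New-Object System.IO.StreamWriter($ssl)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    # Send one command, read reply lines until $Done matches, return that final line
    # (POP3: the +OK/-ERR line, IMAP: the tagged completion line).
    function Send-Cmd([string]$Cmd, [scriptblock]$Done) {
        $writer.WriteLine($Cmd)
        do { $line = $reader.ReadLine() } while ($line -ne $null -and -not (& $Done $line))
        $line
    }
    try {
        $greeting = $reader.ReadLine()
        if ($Protocol -eq 'POP3') {
            $ok = { param($l) $l -match '^(\+OK|-ERR)' }
            Send-Cmd "USER $Identity" $ok | Out-Null
            $auth   = Send-Cmd "PASS $plain" $ok      # password travels only inside TLS
            $detail = Send-Cmd 'STAT' $ok             # single-line alternative to LIST
            Send-Cmd 'QUIT' $ok | Out-Null
            $success = $auth -like '+OK*'
        } else {
            # RFC 3501 quoted strings must escape backslash and quote, so the
            # DOMAIN\USER\ALIAS identity goes on the wire as "DOMAIN\\USER\\ALIAS".
            $q = { param($s) '"' + ($s -replace '(["\\])', '\$1') + '"' }
            $auth   = Send-Cmd ('a1 LOGIN {0} {1}' -f (& $q $Identity), (& $q $plain)) { param($l) $l -like 'a1 *' }
            $detail = Send-Cmd 'a2 LIST "" "*"' { param($l) $l -like 'a2 *' }
            Send-Cmd 'a3 LOGOUT' { param($l) $l -like 'a3 *' } | Out-Null
            $success = $auth -like 'a1 OK*'
        }
    } finally { $ssl.Dispose(); $client.Close() }
    New-Object PSObject -Property @{ Server = $Server; Protocol = $Protocol; Greeting = $greeting
                                     Success = [bool]$success; Detail = $detail }
}
# Hypothetical call: the host name is a placeholder, the identity syntax is the one from the post
Test-SharedMailboxLogin -Server mail.example.com -Protocol IMAP `
    -Identity 'SALONOVI\Anatolij.Stokurev\Shared.Mailbox1' -Password (Read-Host -AsSecureString 'Password')
```

AuthenticateAsClient fails when the server certificate does not chain to a trusted CA or does not carry the name you pass in -Server, which is the same requirement Outlook enforces for its TLS connection.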

Test via Outlook

  • Add an IMAP connection to your existing profile or create a new profile (File -> Account Settings -> New -> Manual Configuration -> POP/IMAP)
  • Open Settings
  • Change the settings according to the picture:

outlook settings

  • Our admin user doesn't have an e-mail address. Fill in the e-mail address of the shared account instead
  • In the username field use the same syntax as before: “DOMAIN\USER\MAILBOXALIAS”
  • In the More Settings tab use the working configuration of your SMTP server
  • Hit NEXT and you will get the test window. After the test is OK you are ready to use the new profile with IMAP connected to the shared mailbox

How to configure Calendar Repair Assistant in Exchange 2010/2013

What is Calendar Repair Assistant

 

Difference between Exchange 2010 and Exchange 2013

  • CRA in Exchange 2010 is not enabled by default
  • CRA in Exchange 2013 and Exchange 2010 SP3 has a new configurable parameter for the CRA repair mode (ValidateOnly, RepairAndValidate)
  • In the picture, the lower record is the default for Exchange 2013, the upper one is the default for Exchange 2010 SP3 (not yet available)

CRA_Difference

Configuration in Exchange 2010

  • Setting mailbox servers
Get-MailboxServer | Set-MailboxServer -CalendarRepairWorkCycle 7.00:00:00 -CalendarRepairWorkCycleCheckpoint 1.00:00:00 -CalendarRepairLogFileAgeLimit 30.00:00:00 -CalendarRepairLogPath E:\Logs\CalendarRepairAssistant -CalendarRepairLogDirectorySizeLimit unlimited -CalendarRepairLogSubjectLoggingEnabled $true -CalendarRepairLogEnabled $true -CalendarRepairIntervalEndWindow 60 -CalendarRepairSchedule Mon.20:00-Mon.23:59,Tue.20:00-Tue.23:59,Wed.20:00-Wed.23:59,Thu.20:00-Thu.23:59,Fri.20:00-Fri.23:59,Sat.20:00-Sat.23:59,Sun.20:00-Sun.23:59
  • Setting user mailboxes
Get-Mailbox -ResultSize unlimited -Filter {CalendarRepairDisabled -eq $True} | Set-Mailbox -CalendarRepairDisabled $false
  • Disabling CRA if needed
Get-MailboxServer | Set-MailboxServer -CalendarRepairWorkCycle $null -CalendarRepairWorkCycleCheckpoint $null -CalendarRepairSchedule $null

Configuration in Exchange 2013 RTM

  • Changing configuration

Changing the configuration is done the same way as in Exchange 2010.

  • Setting CRA repair mode
Get-MailboxServer | Set-MailboxServer -CalendarRepairMode ValidateOnly
  • Setting user mailboxes
Get-Mailbox -ResultSize unlimited -Filter {CalendarRepairDisabled -eq $True} | Set-Mailbox -CalendarRepairDisabled $false

Important parameters

  • CalendarRepairWorkCycle 7.00:00:00 – Defines the time range within which all mailboxes must be checked
  • CalendarRepairWorkCycleCheckpoint 1.00:00:00 – Defines the time within which a mailbox will be repaired if an error is found
  • CalendarRepairLogEnabled $true – Enables / disables logging of CRA
  • CalendarRepairIntervalEndWindow 60 – How many days into the future calendars will be checked
  • CalendarRepairSchedule Mon.20:00-Mon.23:59 – Schedules when CRA runs

Log example

CRA_Log_Example