Exchange 2013 / 2010 / 2007 – How to configure OAB for offline Thumbnail photo

One of our customers wanted the thumbnailPhoto attribute available to Outlook offline, that is with the photo stored in the OAB instead of looked up in AD. The rough process is:

  • Extend the AD schema for the thumbnailPhoto attribute (done by default from Exchange 2010 SP2 on)
  • Upload the pictures via PowerShell or SharePoint
  • Enable the ThumbnailPhoto attribute in the OAB (done by default in Exchange 2010 SP2, but only as an Indicator, which tells Outlook to fetch the data from AD online)
  • Configure ThumbnailPhoto for true offline access (change the attribute entry ThumbnailPhoto,Indicator to ThumbnailPhoto,Value)

The process is simple, but in my case there was a problem: the customer runs an Exchange 2007 / Exchange 2010 coexistence in a single AD site. The OAB was originally created on Exchange 2003, Exchange 2003 was then replaced by Exchange 2007, Exchange 2007 stayed for business reasons (several mailboxes) and the organization was extended with Exchange 2010 (currently SP3). In this scenario the OAB has no ConfiguredAttributes (the property is empty), so the process is as follows:

1. Get info about OAB

The command lists the OAB; note that ConfiguredAttributes is empty.

Get-OfflineAddressBook "Default Offline Address List" | fl

Default OAB

2. Create new OAB to see configured attributes

To be sure users would not be disrupted by the change, I created a new OAB on Exchange 2010 (web distribution only, one entry per CAS virtual directory):

New-OfflineAddressBook -Name 'Default Offline Address Book + offline photo' -Server 'PF1' -AddressLists '\Default Global Address List' -PublicFolderDistributionEnabled $false -VirtualDirectories 'CH1\OAB (Default Web Site)','CH2\OAB (Default Web Site)'

3. List configured attributes

To display all configured attributes, raise $FormatEnumerationLimit first; otherwise PowerShell truncates the multi-valued property after four entries:

$FormatEnumerationLimit = -1
Get-OfflineAddressBook "Default Offline Address Book*" | select name, Configuredattributes | fl

New OAB with attributes

4. Change attributes

To change the attributes I first read them into a variable and then replaced the entry ThumbnailPhoto,Indicator with ThumbnailPhoto,Value. With Value the photo data is physically stored in the OAB files. Caution: this can increase network load, because the OAB grows with the number of users that have a photo, and every client downloads it.

$attr = (Get-OfflineAddressBook "Default Offline Address Book*").configuredattributes



Attribute updated in variable

5. Import to OAB

To import modified set of attributes to OAB use:

Set-OfflineAddressBook "Default Offline Address Book*" -ConfiguredAttributes $attr

OAB with edited attribute

6. Update OAB and Check OAB

To generate the new OAB and distribute it across the web distribution points use:

Get-OfflineAddressBook "Default Offline Address Book*" | Update-OfflineAddressBook

Then restart the Microsoft Exchange File Distribution service (MSExchangeFDS) on each distribution point configured above, so that the CAS picks up the new OAB folder.

New OAB folder on DP

7. Set generation time

Set-OfflineAddressBook -Identity '\Default Offline Address Book + offline photo' -Schedule 'Sun.5:00 AM-Sun.6:00 AM,Mon.5:00 AM-Mon.6:00 AM,Tue.5:00 AM-Tue.6:00 AM,Wed.5:00 AM-Wed.6:00 AM,Thu.5:00 AM-Thu.6:00 AM,Fri.5:00 AM-Fri.6:00 AM,Sat.5:00 AM-Sat.6:00 AM'

8. Assign OAB to mailboxes


Assign OAB

I chose to assign the OAB per mailbox database. Every mailbox in the database that does not have the OfflineAddressBook parameter set explicitly inherits the database's OAB. The Information Store caches this setting, so the change can take up to two hours to become visible; to apply it immediately, dismount and mount the database. Command:

Get-MailboxDatabase MDB* | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book + offline photo"
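Steps 1 to 8 as one PowerShell sequence, added here as an example and not code from the original post. It includes the checks an administrator wants before pointing databases at the new OAB: that exactly one ThumbnailPhoto entry remains and it is the Value form, and which mailboxes carry an explicit OAB and therefore will not inherit the database setting. Server, virtual directory and database names (PF1, CH1, CH2, MDB*) are the post's placeholders; the Remove/Add strings are the entries the post names, and the assumption is that the MultiValuedProperty accepts them as strings (the documented alternative is Set-OfflineAddressBook -ConfiguredAttributes @{Add=...; Remove=...}).

```powershell
# Added example, not the original post's code: OAB with offline thumbnail photos, end to end.
$FormatEnumerationLimit = -1          # default is 4; longer multi-valued properties print as "..."
$OabName    = 'Default Offline Address Book + offline photo'
$CasServers = 'CH1', 'CH2'            # web distribution points (placeholders from the post)

# 1-2. A separate OAB keeps existing users on the old one until the change is verified.
if (-not (Get-OfflineAddressBook -Identity $OabName -ErrorAction SilentlyContinue)) {
    New-OfflineAddressBook -Name $OabName -Server 'PF1' `
        -AddressLists '\Default Global Address List' `
        -PublicFolderDistributionEnabled $false `
        -VirtualDirectories ($CasServers | ForEach-Object { "$_\OAB (Default Web Site)" }) | Out-Null
}

# 3-5. Swap the ThumbnailPhoto entry: Indicator = fetch from AD online, Value = store the
#      photo bytes in the OAB files. (Assumption: the property accepts the entry as a string.)
$attr = (Get-OfflineAddressBook -Identity $OabName).ConfiguredAttributes
$attr.Remove('ThumbnailPhoto,Indicator')
$attr.Add('ThumbnailPhoto,Value')
Set-OfflineAddressBook -Identity $OabName -ConfiguredAttributes $attr

# Read back: exactly one ThumbnailPhoto entry, and it must be the Value form
$photo = @((Get-OfflineAddressBook -Identity $OabName).ConfiguredAttributes |
           Where-Object { "$_" -like 'ThumbnailPhoto*' })
if ($photo.Count -ne 1 -or ("$($photo[0])" -replace '\s', '') -ne 'ThumbnailPhoto,Value') {
    throw "Unexpected ThumbnailPhoto entries in ${OabName}: $($photo -join '; ')"
}

# 6. Regenerate, then make each CAS distribution point pick up the new files
#    (Exchange 2010 needs the service restart; 2013 does not).
Update-OfflineAddressBook -Identity $OabName
foreach ($cas in $CasServers) {
    Get-Service -ComputerName $cas -Name MSExchangeFDS | Restart-Service
}

# 7. Generate every day between 05:00 and 06:00 (the post's schedule)
$Schedule = ('Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat' |
             ForEach-Object { '{0}.5:00 AM-{0}.6:00 AM' -f $_ }) -join ','
Set-OfflineAddressBook -Identity $OabName -Schedule $Schedule

# 8. Assign per database. Mailboxes with an explicit OAB keep it, so list those first.
$explicit = @(Get-Mailbox -ResultSize Unlimited | Where-Object { $_.OfflineAddressBook -ne $null })
if ($explicit.Count -gt 0) {
    Write-Warning "$($explicit.Count) mailbox(es) have an explicit OAB and will not inherit:"
    $explicit | Select-Object Name, OfflineAddressBook | Format-Table -AutoSize
}
Get-MailboxDatabase -Identity 'MDB*' | Set-MailboxDatabase -OfflineAddressBook $OabName
Get-MailboxDatabase -Identity 'MDB*' | Format-Table Name, OfflineAddressBook -AutoSize
```

Run it in the Exchange Management Shell on a server of the 2010 side; the Information Store cache mentioned in step 8 still applies, so a dismount/mount of the database is needed if the assignment must take effect at once.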

9. Download new OAB to mailbox via Outlook

Before downloading, check via Autodiscover (Test E-mail AutoConfiguration in Outlook) that the OAB URL has changed from the old OAB to the new one.

10. Test offline access

After the OAB has been downloaded successfully, switch Outlook to offline mode and test whether the OAB can be opened and whether the thumbnail photo is visible.

Before change:

OAB before

After change:

OAB after


Exchange blog article

Works for Exchange 2013 as well.

Comodo Antispam Gateway

I was looking for a free antispam gateway for my lab and came across Comodo Antispam Gateway. It is free for 1 domain and 10 users.

Sign up for free license is here:

Why use this gateway?

  • Easy configuration
  • Access via an admin interface
  • Quarantine, blocklist, whitelist, all accessible with the free license
  • AD synchronization, newly added for the free license as well

A few screenshots:

Admin interface:


Quarantine settings: Quarantine_settings

Incoming spam detection settings: Spam_detection settings


SMTP certificate renewal and EDGE subscription

I had to renew the SMTP certificate on the Edge servers. Here is the procedure to renew the certificate and re-create the Edge Subscription. It starts at the point where the CSR has been created and the certificate has been received from the trusted CA.

1. Import new certificate
To import the certificate into the local computer certificate store run:

import-exchangecertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect the pending request to the certificate
If step 1 did not pair the certificate with the private key of the pending request (Get-ExchangeCertificate shows HasPrivateKey False), repair the store entry by the certificate's serial number:

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

The explanation can be found in my previous article:

3. Enable new Exchange certificate for SMTP service
Before the certificate can be used it must be enabled for the particular service; on an Edge server that is SMTP:

Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services SMTP


[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart the transport service and the AD LDS service
From this moment mail stops flowing to this Edge server, because AD LDS now uses the new certificate while the Hub servers still trust the old one through the existing subscription.

5. Create the subscription file (XML) on the Edge server and copy it to a Hub server
We don't need to create connectors for the Edge Subscription, since those already exist. The Edge server must be subscribed to the AD site within 24 hours (1440 minutes) of creating the subscription file, because the bootstrap account in the file expires.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false


[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateInternetSendConnector $false -CreateInboundSendConnector $false

The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe EDGE server on HUB by subscription file (XML).
We need to re-create the trusted connection between the Edge server and the Hub servers. The subscription must be re-created because AD LDS now uses the new certificate instead of the old one. Each Edge server needs to be subscribed once per subscription file.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"

7. Restart EDGE server
Just to be sure all settings are applied before tests.

8. Test Edge Subscription
If the test is not successful you receive an error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode

RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mail flow

Send a test message in each direction through the Edge server. Note the RemoteDomainStatus : NotSynchronized line in the output above: re-run Test-EdgeSynchronization after step 10 and make sure every category reports Synchronized before treating the subscription as complete.

10. To start Edge synchronization manually

[PS] C:\Windows\system32>Start-EdgeSynchronization

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0
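The renewal and resubscription above as two runbook halves, one for the Edge server and one for a Hub Transport server, added here as an example and not the post's own script. It adds the checks the numbered steps assume: that the imported certificate has its private key (repairing by serial number if not), and that every EdgeSync category is back to Synchronized after the new subscription. File paths and the site name are the post's placeholders; the new thumbprint is read back from the import rather than typed in. The certutil repair used in the Edge half is the same one the "Exchange 2010 complete certificate request problem" post further down this page describes.

```powershell
# Added example, not the original post's code: Edge SMTP certificate renewal runbook.

# ---------- Half 1: run on the Edge Transport server ----------
$CerPath  = 'D:\tempo\certificate_mx1_2013.cer'
$XmlPath  = 'D:\subscription_2013.xml'
$SiteName = 'Default-First-Site-Name'

# 1. Import the CA-issued certificate (raw bytes of the .cer file)
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))

# 2. The import must pair the certificate with the private key of the pending request.
#    If it did not, repair the store entry by serial number (not thumbprint) and re-read it.
if (-not $cert.HasPrivateKey) {
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Null
    $cert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) still has no private key; do not continue."
}
Write-Host ('Using {0}, expires {1:d}' -f $cert.Thumbprint, $cert.NotAfter)

# 3. Enable it for SMTP. This replaces the internal transport certificate, which is also what
#    the Edge Subscription trusts, so resubscription (steps 5-6) is mandatory afterwards.
#    -Force answers the "overwrite the existing default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force

# 4. Transport and AD LDS load the certificate only on restart. Mail from the Hub servers
#    fails from here until the new subscription is imported on the Hub side.
Restart-Service -Name MSExchangeTransport, ADAM_MSExchange

# 5. Subscription file. Send connectors already exist, so do not create them again.
#    The bootstrap account inside is valid for 1440 minutes: copy the file over promptly.
New-EdgeSubscription -FileName $XmlPath -Site $SiteName `
    -CreateInternetSendConnector $false -CreateInboundSendConnector $false -Force

# ---------- Half 2: run on a Hub Transport server after copying the XML across ----------
$XmlPath  = 'D:\subscription_2013.xml'
$SiteName = 'Default-First-Site-Name'

# 6. Import the subscription; this re-establishes trust with the Edge's new certificate
New-EdgeSubscription -FileData ([byte[]](Get-Content -Path $XmlPath -Encoding Byte -ReadCount 0)) -Site $SiteName

# 8/10. Force a sync, then check every category; warn on anything that is not Synchronized
Start-EdgeSynchronization | Format-Table Type, Name, Result, Added, Updated, Deleted -AutoSize

$StatusProps = 'TransportServerStatus', 'TransportConfigStatus', 'AcceptedDomainStatus',
               'RemoteDomainStatus', 'SendConnectorStatus', 'MessageClassificationStatus',
               'RecipientStatus'
foreach ($r in (Test-EdgeSynchronization -FullCompareMode)) {
    $bad = @($StatusProps | Where-Object { "$($r.$_)" -ne 'Synchronized' })
    if ("$($r.SyncStatus)" -ne 'Normal' -or $bad.Count -gt 0) {
        Write-Warning ('{0}: SyncStatus={1}; not synchronized: {2} {3}' -f
            $r.Name, $r.SyncStatus, ($bad -join ', '), $r.FailureDetail)
    } else {
        Write-Host "$($r.Name): all EdgeSync categories synchronized"
    }
}
```

Run each half in the Exchange Management Shell of the respective server. A warning from the final loop is the cue to look at FailureDetail and the EdgeSync event log entries rather than to proceed to the mail flow test.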


Exchange – Offline Address Book – OAB download methods, Cached vs Online


By default the OAB is a point-in-time snapshot of the global address list and is used as a cached source of information about Exchange recipient properties. The OAB is stored on Exchange servers (see my previous article) and downloaded to the client once Outlook is configured in Cached mode. I would like to test the modes of using the address book while Outlook is in cached mode. There are several methods to download the OAB, and they depend on a registry setting of Outlook (full article here:

If the following registry value is present, Outlook behaves according to the DWORD value (XX.0 is the Office version, 15.0 for Office 2013):

HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook
DownloadOAB (DWORD)

DownloadOAB supported values:
  0 = The Offline Address Book does not download automatically.
  1 = The Offline Address Book uses the Download Full Items download mode. This is the default setting.
  2 = Download the Offline Address Book in any download mode, but download a differential update in the Download Headers download mode.
  3 = Always download the Offline Address Book and a differential update in one of the following download modes: Download Headers and then Full Items, Download Full Items, Download Headers.

The goal of this article is to test differences in OAB behavior between modes 0 and 1. I want to see how it looks when:

1) Mode 1 – The Offline Address Book uses the Download Full Items download mode.
a)Download OAB and check
b)Change GAL and test downloading OAB instantly
c)Update OAB and check

2) Mode 0 – The Offline Address Book does not download automatically.
a) Test behavior once mode 0 is configured while old OAB files are still on the client
b) Test behavior once mode 0 is configured while old OAB files are removed from client

Test scenarios

1) Mode 1 – The Offline Address Book uses the Download Full Items download mode.

By default the OAB is downloaded from the server hosting the active copy of the mailbox database that holds the organization mailbox (Exchange 2013); in Exchange 2010 it comes from the CAS web distribution point, and in 2007 and 2010 optionally from public folders.

a) Download OAB and check

I have opened OAB from my mailbox and result is in the Picture

1-Before change

b) Change GAL and test downloading OAB instantly

Creating a mailbox does not update the OAB itself. To create the mailbox use the command

New-Mailbox OAB_Test_o1 -UserPrincipalName
WARNING: A script or application on the FRONTEND1.SALONOVI.CZ remote computer is sending a prompt request. When
prompted, enter sensitive information such as credentials or password only if you trust the remote computer and the
application or script requesting it.

cmdlet New-Mailbox at command pipeline position 1
Supply values for the following parameters:
Password: ********

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
OAB_Test_o1               OABTestO1            backend1         Unlimited

c) Update OAB and check

To update OAB use command

Get-OfflineAddressBook | Update-OfflineAddressBook

Now I have tested if OAB change is reflected in client computer (should not be)


And now I have downloaded new OAB to client and tested again

1-After change and download

2) Mode 0 – The Offline Address Book does not download automatically

One registry setting and the Outlook client works online as far as the address book is concerned, BUT this setting also requires the OAB files to be cleaned up from the client computer to behave correctly. I will test both possibilities and try to find the differences in behavior.

First I will set up registry key and restart Outlook

In my lab I don't use any special GPO, so the setting is done via the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\XX.0\Outlook (DownloadOAB = 0).

2-Registry change - Added

OAB files are left on the client

a) Test behavior once mode 0 is configured while old OAB files are still on the client

The new mailbox should be immediately visible to the client without an OAB download, since the information should be available online.

b) Change GAL and test if it appears immediately to client

The change is not visible immediately, because the OAB files are still on the client computer and Outlook uses them!

New-Mailbox OAB_Test_o2 -UserPrincipalName

2-RAfter change - no download!

c) Update OAB automatically by restarting Outlook

If Outlook is restarted, OAB version is checked / downloaded from Exchange server.

2-RAfter change - after download!

And now the nasty part: the OAB is not updated any more, even though the files download successfully from Exchange. At this stage Outlook is stuck between mode 0 and mode 1 and updates are not received by the client.

d) Update OAB and download change to client manually even mode 0 is used

In this scenario I would like to prove, that setting mode 0 is not the only thing to consider to have Outlook work correctly.

  • To update OAB use command
Get-OfflineAddressBook | Update-OfflineAddressBook
  • Download OAB to client and check if changes are displayed to client.

2 - OAB manual download result

Changes are only reflected if I manually download a full or incremental copy of the address book. The OAB is not downloaded during client startup!

OAB files are removed from client

a) Test behavior once mode 0 is configured while old OAB files are removed from the client

I added a new mailbox again and updated the OAB, but this time I removed all OAB-related files from the client. Changes should appear on the client immediately.

To remove OAB files

  • locate:
    c:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook\Offline Address Books\
  • Delete folders
    Example: (c:\Users\lelicek\AppData\Local\Microsoft\Outlook\Offline Address Books\6a285982-48d6-43ee-979b-f84dd5b7d989\)
  • Start Outlook
  • After Outlook starts, the folders are re-created but stay empty, which proves the client is in mode 0.
  • open Offline Address Book
  • Newly created mailbox should be here

2 - OAB folders removed change present

b) Make a change in the GAL and test whether it appears to the client immediately

  • Create new mailbox
New-Mailbox OAB_Test_o5 -UserPrincipalName
  • Open Offline Address Book and new mailbox should be again there

2 - OAB folders removed change present again

c) Download the OAB manually and test whether changes made to the GAL after the download are immediately visible to the client

2 - OAB manual download


Mode 1

  • The conclusion is that mode 1 works as it should: the user gets the updated OAB after the regular OAB update schedule or after a manual run of Update-OfflineAddressBook.
  • Note that in Exchange 2010 you must restart the File Distribution service to distribute the updated OAB to the web distribution points. In Exchange 2013 this is no longer needed.

Mode 0

  • Use mode 0 only if you make a lot of changes in the GAL and need clients to see them immediately while still taking advantage of Outlook Cached mode.
  • Once mode 0 is used, the administrator has to make sure the OAB files are removed from the client computer (for example by logon script / GPO); otherwise the user must update the OAB manually via Send/Receive -> Send/Receive Groups -> Download Address Book.
  • If the user manually downloads the OAB while mode 0 is in use, online functionality STOPS working from that moment until the OAB files are deleted again!
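A logon script for the mode 0 recipe above, added here as an example and not part of the original post. It sets DownloadOAB=0 under the current user's Outlook key for each listed Office version and deletes the cached OAB folders, so the address book opens online; a -Revert switch puts DownloadOAB back to 1. The registry path and the cache location are the ones the post names; the version list and the -Revert switch are assumptions. It must run while Outlook is closed, because Outlook holds the OAB files open.

```powershell
# Added example, not from the original post: enforce "Mode 0 + no cached OAB files" at logon.
param([switch]$Revert)   # -Revert restores DownloadOAB=1 (Mode 1, the default)

$Versions = '14.0', '15.0'   # Office 2010 and 2013 (assumption: adjust to what is deployed)
$Mode     = if ($Revert) { 1 } else { 0 }
$OabCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\Offline Address Books'

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running and holds the OAB files open; close it and re-run.'
    exit 1
}

foreach ($v in $Versions) {
    $key = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $key)) { continue }
    # DWORD values: 0 = no automatic download, 1 = full items (default), 2/3 = differential variants
    New-ItemProperty -Path $key -Name DownloadOAB -PropertyType DWord -Value $Mode -Force | Out-Null
    $now = (Get-ItemProperty -Path $key -Name DownloadOAB).DownloadOAB
    Write-Host ('{0}: DownloadOAB={1}' -f $key, $now)
}

# Mode 0 only works online while no OAB files are cached: remove every GUID-named OAB folder.
# Outlook recreates them empty on the next start, which is the sign that Mode 0 is active.
if (-not $Revert -and (Test-Path $OabCache)) {
    Get-ChildItem -Path $OabCache | Where-Object { $_.PSIsContainer } | ForEach-Object {
        Remove-Item -Path $_.FullName -Recurse -Force
        Write-Host "Removed cached OAB folder $($_.Name)"
    }
}
```

After -Revert, the client is back in mode 1 and will download a full OAB on the next Send/Receive, exactly the state the "Mode 1" test above starts from.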

Exchange 2013 CU1 setup problem – Install-RuleCollection error in Organization preparation step (protected until CU1 is officially out for public)

I have been upgrading my RTM Exchange 2013 to CU1. I have 2 multi-role servers in a DAG. I started installing CU1 on the node hosting only passive database copies. In step 1 of 18, Organization preparation, the GUI setup produced the error shown in the following picture.

install-rulecollection error

The workaround recommended by Microsoft is to delete the following object from the AD configuration partition using ADSI Edit:

CN=ClassificationDefinitions,CN=Rules,CN=Transport Settings,CN=<Your organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<com>

The object is also shown in the Picture

install-rulecollection object to delete

After deletion setup can be restarted. Object is then re-created and setup can continue.
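The post deletes the object with ADSI Edit. As an added example (not the post's own steps), the same deletion from PowerShell with an LDIF export taken first, so the workaround is reversible if setup does not re-create the object as expected. It needs the ActiveDirectory module and ldifde.exe; $OrgName is the post's placeholder for the Exchange organization name.

```powershell
# Added example, not from the original post: back up, then delete, the ClassificationDefinitions object.
Import-Module ActiveDirectory
$OrgName  = '<Your organization name>'            # placeholder from the post
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$Dn = "CN=ClassificationDefinitions,CN=Rules,CN=Transport Settings,CN=$OrgName,CN=Microsoft Exchange,CN=Services,$ConfigNC"

$obj = Get-ADObject -Identity $Dn -ErrorAction SilentlyContinue
if (-not $obj) { Write-Host "Object not present, nothing to do: $Dn"; return }

# Export the subtree as LDIF so children go with it; re-import later with: ldifde -i -f <file>
$Backup = Join-Path $env:TEMP ('ClassificationDefinitions-{0:yyyyMMdd-HHmmss}.ldf' -f (Get-Date))
& ldifde.exe -f $Backup -d $Dn -p subtree | Out-Null
if (-not (Test-Path $Backup)) { throw "ldifde export failed; not deleting $Dn" }
Write-Host "Exported $Dn to $Backup"

# Delete with children, and prompt before doing so; setup re-creates the object afterwards
Remove-ADObject -Identity $Dn -Recursive -Confirm:$true
```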

Exchange 2010 complete certificate request problem

I was renewing the Exchange certificate for my test domain. I did it via the EMC console, but behind the GUI it is done via the certificate request cmdlet, for example:

New-ExchangeCertificate -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName ...

I am using a certificate from the StartCom certification authority (but the same happened to me with GeoTrust), because it is free, so I pasted the request into the web browser, generated the new certificate, downloaded it and tried to import it into the Exchange environment.

The first import went OK, but I did not see the pending certificate request being completed.

The second import attempt produced an error:

CSR problems

I checked the local computer certificate store and the certificate was there, but it did not have a private key attached.


The solution is simple. Run the command below, where SerialNumber is the serial number of your certificate (not its thumbprint):

certutil -repairstore my "SerialNumber"

After running the command the certificate with that serial number is connected to its private key, the pending certificate request is completed, and you can continue as usual.


MS KB on




iOS 6.1.2 released! – Exchange problems solved?

Apple claims that iOS 6.1.2 solves the problems with Exchange sync. Good luck with the update:  and hopefully no more

iOS 6.1 and iOS 6.1.1 Exchange problems

As you probably know, last week's release of iOS 6.1 caused problems for Exchange environments, and the fresh update from Monday 12.2.2013 (iOS 6.1.1) does not make it better, so here is the workaround, which is also presented in the MS KB:

I prefer method 2, the throttling policy. The advantage is that users can still use their phones, but with a reduced impact of iOS on Exchange.

Symptoms: transaction log growth of 3 GB/hour/database, increased store usage statistics for the affected users, increased CPU/memory usage on the affected mailbox servers.

On an affected database you can check which user is causing the highest load with the following command (output to a text file). The top consumer is at the top of the list.

Get-StoreUsageStatistics -Database <DBIdentity> | select displayname, timeinserver,digestcategory,logrecordcount,logrecordbytes | sort logrecordbytes -descending > d:\MDB1.txt

Inside the file you will see results similar to the one below; LogRecordBytes and TimeInServer are the most important values. The example is a real value of 450 MB written to the logs by a SINGLE user in the past 10 minutes (Get-StoreUsageStatistics covers the last 10 minutes).

DisplayName    : Inbox - Unreal name
TimeInServer   : 42558
DigestCategory : LogBytes
LogRecordCount : 261793
LogRecordBytes : 448328508
  1. Gather the list of devices running an affected iOS build (use -ResultSize Unlimited; the default stops at 1000 devices):
    $x = Get-ActiveSyncDevice -ResultSize Unlimited | where {$_.DeviceOS -like "iOS 6.1 *" -or $_.DeviceOS -like "iOS 6.1.1 *"}
  2. Export to CSV
    $x | export-csv .\iOS61.csv -encoding unicode
  3. Create new throttling policy for temporary purpose
  4. Make sure that setting of your temporary policy reflects your Exchange and user needs (the best way to do is to take settings of your mostly used default or custom throttling policy and edit EAS* parameters according to Microsoft recommendation. In my case it is:
    New-ThrottlingPolicy -Name "iOS 6.1 temp" -EASPercentTimeInAD 10 -EASPercentTimeInCAS 10 -EASPercentTimeInMailboxRPC 10 -AnonymousMaxConcurrency 1 -EASMaxConcurrency 10 -EASMaxDevices 10 -EWSMaxConcurrency 10 -EWSPercentTimeInAD 50 -EWSPercentTimeInCAS 90 -EWSPercentTimeInMailboxRPC 60 -EWSMaxSubscriptions 5000 -EWSFastSearchTimeoutInSeconds 60 -EWSFindCountLimit 1000 -OWAMaxConcurrency 5 -OWAPercentTimeInAD  30 -OWAPercentTimeInCAS  150 -OWAPercentTimeInMailboxRPC 150 -POPMaxConcurrency 20 -PowerShellMaxConcurrency 18 -RCAMaxConcurrency 20 -RCAPercentTimeInAD 5 -RCAPercentTimeInCAS 205 -RCAPercentTimeInMailboxRPC 200 -CPAMaxConcurrency 20 -CPAPercentTimeInCAS 205 -CPAPercentTimeInMailboxRPC 200 -CPUStartPercent 75
  5. Apply the throttling policy
    Import-Csv .\iOS61.csv | foreach {Set-ThrottlingPolicyAssociation -Identity "$($_.UserDisplayName)" -ThrottlingPolicy "iOS 6.1 temp"}
    or (limited to mailboxes only 🙂 )
    Import-Csv .\iOS61.csv | foreach {Set-Mailbox -Identity "$($_.UserDisplayName)" -ThrottlingPolicy "iOS 6.1 temp"}
  6. Check that the correct throttling policy association is in place (Get-ThrottlingPolicyAssociation, as in the revert step below)

Reverting back

After the device has been upgraded, you can assign the user the default policy again:

get-mailbox <identity> | Set-ThrottlingPolicyAssociation -ThrottlingPolicy $null
get-mailbox <identity> | Get-ThrottlingPolicyAssociation
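The throttling workaround above as one re-runnable sequence with the verification step the post's step 6 leaves without a command, added here as an example and not the post's own script. Policy values are the post's lab values; $PolicyName, the CSV path and the function names are placeholders. Users are de-duplicated before the policy is applied, since a user with two affected devices appears twice in the device export.

```powershell
# Added example, not the original post's code: temporary throttling policy for iOS 6.1 devices.
$PolicyName = 'iOS 6.1 temp'
$Csv        = '.\iOS61.csv'

# Who is hurting a database right now (LogBytes rows only, sorted by bytes written in the last 10 min)
function Get-TopLogWriters([string]$Database, [int]$Top = 10) {
    Get-StoreUsageStatistics -Database $Database |
        Where-Object { $_.DigestCategory -eq 'LogBytes' } |
        Sort-Object LogRecordBytes -Descending |
        Select-Object -First $Top DisplayName, TimeInServer, LogRecordCount,
            @{ n = 'LogMB'; e = { [math]::Round($_.LogRecordBytes / 1MB, 1) } }
}

# 1-2. Devices on an affected build. -ResultSize Unlimited: the default cap is 1000 devices.
$affected = Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceOS -like 'iOS 6.1 *' -or $_.DeviceOS -like 'iOS 6.1.1 *' }
$affected | Export-Csv -Path $Csv -Encoding Unicode -NoTypeInformation

# 3-4. Temporary policy. In Exchange 2010 an unset parameter means "no limit", so every
#      parameter is given: EAS values per the post's step 4, the rest from its default policy.
$Policy = @{
    Name = $PolicyName
    EASPercentTimeInAD = 10; EASPercentTimeInCAS = 10; EASPercentTimeInMailboxRPC = 10
    EASMaxConcurrency = 10; EASMaxDevices = 10
    AnonymousMaxConcurrency = 1
    EWSMaxConcurrency = 10; EWSPercentTimeInAD = 50; EWSPercentTimeInCAS = 90; EWSPercentTimeInMailboxRPC = 60
    EWSMaxSubscriptions = 5000; EWSFastSearchTimeoutInSeconds = 60; EWSFindCountLimit = 1000
    OWAMaxConcurrency = 5; OWAPercentTimeInAD = 30; OWAPercentTimeInCAS = 150; OWAPercentTimeInMailboxRPC = 150
    POPMaxConcurrency = 20; PowerShellMaxConcurrency = 18
    RCAMaxConcurrency = 20; RCAPercentTimeInAD = 5; RCAPercentTimeInCAS = 205; RCAPercentTimeInMailboxRPC = 200
    CPAMaxConcurrency = 20; CPAPercentTimeInCAS = 205; CPAPercentTimeInMailboxRPC = 200
    CPUStartPercent = 75
}
if (-not (Get-ThrottlingPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy @Policy | Out-Null
}

# 5. Apply once per user
$users = Import-Csv -Path $Csv | Select-Object -ExpandProperty UserDisplayName -Unique
foreach ($u in $users) { Set-ThrottlingPolicyAssociation -Identity $u -ThrottlingPolicy $PolicyName }

# 6. Verify: the mailbox's ThrottlingPolicy must name the temporary policy (or be empty for default)
function Test-PolicyAssignment([string[]]$Users, [string]$Expected) {
    foreach ($u in $Users) {
        $actual = (Get-Mailbox -Identity $u -ErrorAction SilentlyContinue).ThrottlingPolicy
        $name = if ($actual) { $actual.Name } else { '' }
        New-Object PSObject -Property @{ User = $u; Expected = $Expected; Actual = $name; OK = ($name -eq $Expected) }
    }
}
Test-PolicyAssignment -Users $users -Expected $PolicyName | Where-Object { -not $_.OK }

# Revert after the devices are upgraded: $null puts the users back on the default policy
function Reset-ToDefaultPolicy([string[]]$Users) {
    foreach ($u in $Users) { Set-ThrottlingPolicyAssociation -Identity $u -ThrottlingPolicy $null }
}
```

Re-running the whole block after the iOS 6.1.2 rollout is safe: the device filter finds fewer users each time, and Reset-ToDefaultPolicy with the earlier CSV's user list undoes the association for everyone who was ever throttled.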