Exchange 2013 / 2010 / 2007 – How to configure OAB for offline Thumbnail photo

One of our customers wanted to have Thumbnail photo attribute configured for offline access.


  • Enhance AD schema of AD attribute ThumbnailPhoto (done by default for Exchange 2010 SP2+)
  • Upload pictures via PowerShell or SharePoint
  • Enable ThumbnailPhoto attribute in OAB (done by default in Exchange 2010 SP2, but only as an indicator to fetch the data from AD online)
  • Configure ThumbnailPhoto for true offline access (change attribute ThumbnailPhoto,Indicator to ThumbnailPhoto,Value)

The rough process is simple, but in my case there was a problem, because the customer has a coexistence scenario with Exchange 2007 and Exchange 2010 in a single AD site. In this scenario the OAB was first created in Exchange 2003, then Exchange 2003 was replaced by Exchange 2007, and after that Exchange 2007 was kept for business purposes (several mailboxes) and the environment was extended by Exchange 2010 (currently SP3). In this scenario the OAB is missing ConfiguredAttributes (it is empty), so the process is as follows:

1. Get info about OAB

The command lists the OAB and its empty attribute.

Get-OfflineAddressBook "Default Offline Address List" | fl

Default OAB

2. Create new OAB to see configured attributes

To be sure users will not be disrupted by the change, I created a new OAB on Exchange 2010.

New-OfflineAddressBook -Name 'Default Offline Address Book + offline photo' -Server 'PF1' -AddressLists '\Default Global Address List' -PublicFolderDistributionEnabled $false -VirtualDirectories 'CH1\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH1\OAB (Default Web Site)'

3. List configured attributes

To display all attributes configured we need to use the following cmdlets:

$FormatEnumerationLimit = -1
Get-OfflineAddressBook "Default Offline Address Book*" | select name, Configuredattributes | fl

New OAB with attributes

4. Change attributes

To change the attributes, I first read them into a variable and changed ThumbnailPhoto,Indicator to ThumbnailPhoto,Value. This physically stores the ThumbnailPhoto data in the OAB. Caution: this might increase network load, since the OAB grows in size with the number of users.

$attr = (Get-OfflineAddressBook "Default Offline Address Book*").configuredattributes



Attribute updated in variable

5. Import to OAB

To import modified set of attributes to OAB use:

Set-OfflineAddressBook "Default Offline Address Book*" -ConfiguredAttributes $attr

OAB with edited attribute
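
The swap from step 4 and the import from step 5 as one script. This is an added example, not code from the original post; it assumes the Exchange Management Shell on Exchange 2010, that the shell converts the strings passed to Remove and Add into OAB attribute entries, and a hypothetical backup file name.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010.
$oabName = 'Default Offline Address Book + offline photo'   # OAB created in step 2
$backup  = '.\oab-configuredattributes-before.txt'          # hypothetical file name

$attr = (Get-OfflineAddressBook -Identity $oabName).ConfiguredAttributes

# An OAB carried over from Exchange 2003/2007 can return an empty list (see above);
# there is nothing to edit in that case.
if (-not $attr -or $attr.Count -eq 0) {
    throw "ConfiguredAttributes is empty on '$oabName'. Use an OAB created on Exchange 2010."
}

# Save the current list so the original configuration can be compared or restored.
$attr | ForEach-Object { "$_" } | Set-Content -Path $backup

# Replace the online-lookup indicator with the stored value.
# Assumption: the strings are converted to OAB attribute entries by the shell.
$hasIndicator = $attr | Where-Object { "$_" -match '^ThumbnailPhoto,\s*Indicator$' }
$hasValue     = $attr | Where-Object { "$_" -match '^ThumbnailPhoto,\s*Value$' }
if ($hasIndicator) { [void]$attr.Remove('ThumbnailPhoto,Indicator') }
if (-not $hasValue) { $attr.Add('ThumbnailPhoto,Value') }

Set-OfflineAddressBook -Identity $oabName -ConfiguredAttributes $attr

# Read the setting back from the OAB; one ThumbnailPhoto entry of type Value is expected.
$FormatEnumerationLimit = -1
(Get-OfflineAddressBook -Identity $oabName).ConfiguredAttributes |
    Where-Object { "$_" -match '^ThumbnailPhoto' }
```

The script addresses the OAB by its exact name rather than a wildcard, so only the new OAB is modified.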

6. Update OAB and Check OAB

To generate the new OAB and distribute it across the web distribution points use:

Get-OfflineAddressBook "Default Offline Address Book*" | Update-OfflineAddressBook

Restart the Microsoft Exchange File Distribution service on each previously configured distribution point.

New OAB folder on DP

7. Set generation time

Set-OfflineAddressBook -Schedule 'Sun.5:00 AM-Sun.6:00 AM, Mon.5:00 AM-Mon.6:00 AM,Tue.5:00 AM-Tue.6:00 AM, Wed.5:00 AM-Wed.6:00 AM, Thu.5:00 AM-Thu.6:00 AM, Fri.5:00 AM-Fri.6:00 AM, Sat.5:00 AM-Sat.6:00 AM' -Identity '\Default Offline Address Book + offline photo'

8. Assign OAB to mailboxes


Assign OAB

I chose to assign the OAB per mailbox database. Each mailbox in the database that doesn't have the OfflineAddressBook parameter explicitly defined will get the one from the database. The Exchange Information Store uses a cache, so changes become visible up to 2 hours after the database setting is changed. To apply the change immediately, you should dismount and mount the database. Command:

Get-MailboxDatabase MDB* | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book + offline photo"

9. Download new OAB to mailbox via Outlook

Check the autodiscover record to see whether the OAB URL changed from the old one to the new one.

10. Test offline access

After the OAB is successfully downloaded, turn on offline access and test whether the OAB can be opened and whether the thumbnail photo is visible.

Before change:

OAB before

After change:

OAB after


Exchange blog article

Works for Exchange 2013 as well.

Comodo Antispam Gateway

I was looking for a free antispam gateway for my lab and I came across Comodo Antispam Gateway. It is free for 1 domain and 10 users.

Sign up for free license is here:

Why to use this GW?

  • Easy configuration
  • Access via Admin interface
  • Quarantine, blocklist, whitelist  – all accessible with free license
  • AD synchronization newly created also for free license!

Few screen shots:

Admin interface:


Quarantine settings: Quarantine_settings

Incoming spam detection settings: Spam_detection settings


Exchange 2013 RTM CU1 – released

Exchange team released Exchange 2013 RTM CU1.



Enjoy coexistence with Exchange 2010 SP3 and Exchange 2007 SP3 RU10!

OAB Differences between Exchange 2010 and Exchange 2013 in brief

I wanted to summarize the OAB differences (and what has not changed) between Exchange 2010 and Exchange 2013 for my next article about OAB update problems, so here it is:

Server side OAB defaults:

In Exchange 2010

  • OAB is generated daily on the specified mailbox server at 5 AM. To gather the current config, use
Get-OfflineAddressBook | select identity,server,schedule
  • OAB is generated by the MS Exchange System Attendant service and then distributed to the CAS servers' virtual directories by the File Distribution Service
  • PF distribution is also enabled in Exchange 2010 and Exchange 2007
  • Clients get the OAB URL from the autodiscover service and, based on that URL, download the OAB from one of the distribution points (CAS servers)

In Exchange 2013

  • New OAB must be generated for Exchange 2013 in coexistence scenario (either Exchange 2007 or 2010)
  • OAB is generated daily in a special mailbox, the “Organization Mailbox”, set with the persisted capability “OrganizationCapabilityOABGen”
Get-OfflineAddressBook | select identity,server,schedule (Server attribute is empty in Exchange 2013)
  • The information about Organization mailboxes can be gathered by the following command
get-mailbox -arbitration | select identity,persistedcapabilities | fl

Identity              : {1f05a927-1445-4b2f-9d3c-f5a07705c8cc}
PersistedCapabilities : {}

Identity              : {e0dc1c29-89c3-4034-b678-e6c29d823ed9}
PersistedCapabilities : {OrganizationCapabilityUMDataStorage}

Identity              :
PersistedCapabilities : {}

Identity              : {bb558c35-97f1-4cb9-8ff7-d53741dc928c}
PersistedCapabilities : {51, OrganizationCapabilityUMGrammarReady, OrganizationCapabilityMailRouting,
                        OrganizationCapabilityClientExtensions, OrganizationCapabilityGMGen,
                        OrganizationCapabilityOABGen, OrganizationCapabilityUMGrammar}

Identity              :
PersistedCapabilities : {OrganizationCapabilityManagement}
  • OAB is generated by OABGeneratorAssistant assistant running under Microsoft Exchange Mailbox Assistant service and stored to Organizational mailbox first and then copied to %ExchangeInstallPath%\ClientAccess\OAB\ on the mailbox server, where database hosting Organization mailbox is active
  • OAB generation process is under workload policy management. It is stopped, or its priority is lowered or increased, based on the load on the server hosting the active mailbox database with the Organization mailbox
  • Current configuration of the workload policies can be gathered by the command below
Get-WorkloadPolicy *OAB*
Get-WorkloadPolicy OABGeneratorAssistant | fl

RunspaceId               : a0640926-b38f-42ca-b0ec-793f101c8c30 
WorkloadClassification   : InternalMaintenance 
WorkloadType             : OABGeneratorAssistant 
Name                     : OABGeneratorAssistant 
WorkloadManagementPolicy : DefaultWorkloadManagementPolicy_15.0.505.0
  • Thresholds for the particular level of the workload management can be gathered by
Get-ResourcePolicy | select Identity,InternalMaintenance*

Result is in the Picture:

workload management

Client defaults:

Client settings are similar for both Exchange versions. Based on the result from the Autodiscover service, the client contacts the server hosting the copy of the OAB and downloads it.

On Exchange 2010

  • Client contacts load balanced address, which is then redirected to some CAS server

On Exchange 2013

  • Client contacts load balanced address, which is then redirected to mailbox server hosting active database with Organization mailbox
  • If there was a recent failover and the database with the Organization mailbox became active on another mailbox server, the OAB files are not present in %ExchangeInstallPath%\ClientAccess\OAB\ and must be extracted from the Organization mailbox before the client can download them.
  • If DB stays active on another node during next scheduled generation time, node with active database generates OAB again into organization mailbox

Offline accessible properties:

The default properties included in the OAB are the same for Exchange 2010 SP3 and Exchange 2013. Properties are up to 1 day old, but can be accessed even when the client is offline.

Properties gathered online by default:

It means that these properties are always up to date, but cannot be accessed when client is offline.

  • Custom properties in Active Directory that an administrator has added (for example, the Employee ID of each employee)
  • Organization hierarchy information
  • Group membership information

Exchange 2010 complete certificate request problem

I was renewing the Exchange certificate for my test domain. I was doing it via the EMC console, but behind the GUI it is done via a certificate request cmdlet. For example, this cmdlet:

New-ExchangeCertificate  -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName ','',...

I am using a certificate from the StartCom certification authority (however, this also happened to me with GeoTrust), because it is free, so I passed the request to the web browser, generated a new certificate, downloaded it and tried to import it into the Exchange environment.

The first import went OK, but I didn't see the pending certificate request completed.

The second import attempt generated an error:

CSR problems

I checked the local certificate store for the computer account and the certificate was there, but it didn't have a private key attached to it.


The solution is simple. Run the command below, where "SerialNumber" is the serial number of your certificate:

certutil -repairstore my "SerialNumber"

After running the command, the certificate with serial number “SerialNumber” will be connected to its private key, the pending certificate request will be completed, and you can continue as usual.
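
A way to find the affected certificate, run the repair and confirm the result, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the server where the request was generated; the thumbprint is a placeholder to replace with your own value.

```powershell
# Added example: run elevated on the Exchange server that generated the request.
# 1. List certificates in the computer's Personal store that have no private key attached.
$orphans = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }
$orphans | Format-List Subject, SerialNumber, Thumbprint, NotAfter

# 2. Pick the imported certificate by thumbprint (placeholder, replace with your own).
$thumbprint = '<THUMBPRINT-OF-IMPORTED-CERTIFICATE>'
$cert = $orphans | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate without a private key matches thumbprint $thumbprint."
}

# 3. Re-associate the certificate with its private key, as described above.
$serial = $cert.SerialNumber
certutil -repairstore my $serial
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE."
}

# 4. Confirm the key is now bound before assigning the certificate to services.
$fixed = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint"
if (-not $fixed.HasPrivateKey) {
    throw 'Private key is still not associated; check that the request was generated on this server.'
}

# In the Exchange Management Shell, the certificate should now show a usable status.
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Subject, Status, Services, HasPrivateKey
```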


MS KB on




iOS 6.1.2 released! – Exchange problems solved?

Apple claims that iOS 6.1.2 solves problems with Exchange sync. Good luck with update:  and hopefully no more