Exchange ActiveSync – HTTP 500 Internal Server Error for some users.

For some users the Microsoft Connectivity Analyzer is throwing this error:

Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.

Tell me more about this issue and how to resolve it

Additional Details
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error). HTTP

Test-ActiveSyncConnectivity for the same user is generating this error:
Error : [System.Net.WebException]: Der Remoteserver hat einen Fehler zurückgegeben: (500)
Interner Serverfehler.
If you search for a solution on the Internet, almost all answers say to enable permission inheritance for the affected user. But this does not help.
After some more research I found that, when the Test-ActiveSyncConnectivity error is piped to | FL, the ExchangeActiveSyncDevices container is mentioned:

Für den Benutzergerätecontainer ‘CN=ExchangeActiveSyncDevices,CN=username,OU=Users,OU=OU1,OU=User,DC=domain,DC=com’ in Active Directory konnten keine Sicherheitseinstellungen übernommen werden. Löschen Sie den Container, sofern dieser leer ist.”

in English

Exception message: Security settings couldn’t be applied to the user device container ‘CN=ExchangeActiveSyncDevices,CN=username,OU=Users,OU=OU1,OU=User,DC=domain,DC=com’ in Active Directory. Delete the container if it’s empty.

The solution was to delete the CN=ExchangeActiveSyncDevices container for the affected user with ADSI Edit.
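The same check done from PowerShell instead of ADSI Edit, as an added example that is not part of the original post: it locates the user's ExchangeActiveSyncDevices container and removes it only when it is empty, which is what the error message asks for. It assumes the ActiveDirectory module and an Exchange Management Shell session; the function name and the user placeholder are mine.

```powershell
# Added example: inspect (and optionally delete) the per-user
# ExchangeActiveSyncDevices container that Test-ActiveSyncConnectivity
# complains about. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Repair-EasDeviceContainer {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # placeholder: affected user
        [switch]$Remove                                 # only delete when explicitly asked
    )

    $user        = Get-ADUser -Identity $SamAccountName
    $containerDn = "CN=ExchangeActiveSyncDevices,$($user.DistinguishedName)"

    try {
        $null = Get-ADObject -Identity $containerDn
    } catch {
        Write-Output "No device container under $($user.DistinguishedName); nothing to do."
        return
    }

    # Child objects are the device partnerships Exchange created for this user.
    $children = @(Get-ADObject -SearchBase $containerDn -SearchScope OneLevel -Filter *)
    if ($children.Count -gt 0) {
        Write-Warning "Container holds $($children.Count) device object(s); not deleting."
        $children | Select-Object Name, ObjectClass
        return
    }

    if ($Remove) {
        Remove-ADObject -Identity $containerDn -Confirm:$false
        Write-Output "Removed empty container $containerDn. Re-run Test-ActiveSyncConnectivity to verify."
    } else {
        Write-Output "Container $containerDn is empty; re-run with -Remove to delete it."
    }
}

# Repair-EasDeviceContainer -SamAccountName 'username'          # inspect only
# Repair-EasDeviceContainer -SamAccountName 'username' -Remove  # delete if empty
```

If the container still holds device objects, the safer route is Remove-MobileDevice for those partnerships first rather than deleting a non-empty container.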

Exchange 2013/2016 – Outlook cannot connect to Exchange server with MAPI over HTTP, internal only.

I had a very interesting issue with an Exchange 2013 server and MAPI over HTTP.

When creating a profile internally, Outlook fails on the last step “logon to server” with the well-known error:

The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.


When MAPI over HTTP is turned off for the user, he connects without any problem. In the logs we see 401 Unauthorized from mapi/nspi.

After testing with different internal URLs for the MAPI virtual directory, I found that the problem exists only with the host name that was currently assigned as internal and external URL for MAPI.

It was Remote.domain.com/mapi

It turns out that there is a computer object in AD with the name Remote. This is causing Outlook to make connection attempts to this PC.

setspn -l remote

shows that there is an HTTP SPN registered for this computer account.

So the solution is to use another DNS name for the internal MAPI URL, or to remove the computer object.
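A check for this kind of name collision, as an added example that is not part of the original post: for each MAPI virtual directory URL it looks up whether an AD computer object shares the host's short name and which accounts hold an HTTP SPN for that host. It assumes the Exchange Management Shell plus the ActiveDirectory module; the function name and the server placeholder are mine.

```powershell
# Added example: find AD computer objects and HTTP SPNs that collide with the
# host name used in the MAPI virtual directory URLs.
Import-Module ActiveDirectory

function Test-MapiHostNameCollision {
    param([Parameter(Mandatory)][string]$Server)   # placeholder: Exchange server name

    $vdir = Get-MapiVirtualDirectory -Server $Server
    $urls = @($vdir.InternalUrl, $vdir.ExternalUrl) | Where-Object { $_ }

    foreach ($url in $urls) {
        $fqdn      = ([Uri]$url).Host
        $shortName = $fqdn.Split('.')[0]

        # A computer account with the same short name (e.g. "Remote") is what
        # sent Outlook to the wrong machine in the case above.
        $computer = Get-ADComputer -Filter "Name -eq '$shortName'"

        # Accounts holding HTTP/<host> SPNs for either the FQDN or the short name.
        $spnHolders = foreach ($h in @($fqdn, $shortName)) {
            Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$h)" -Properties servicePrincipalName |
                ForEach-Object { "$($_.Name) (HTTP/$h)" }
        }

        [pscustomobject]@{
            Url            = $url
            HostName       = $fqdn
            ComputerObject = if ($computer) { $computer.DistinguishedName } else { $null }
            HttpSpnHolders = ($spnHolders | Sort-Object -Unique) -join '; '
        }
    }
}

# Test-MapiHostNameCollision -Server 'EX2013-01'
```

Any row with a ComputerObject that is not the Exchange server itself, or SPN holders you do not expect, points at the same problem as the Remote object above.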

Move Request is failing with “Microsoft.Exchange.MailboxReplicationService.ProxyService’ failed. Error details: A call to SSPI”

I ran into a situation where the move requests from an Exchange 2013 to an Exchange 2016 server, for all mailboxes in all databases, were failing with the following error:

The call to ‘net.tcp://<Exchange 2013 FQDN>/Microsoft.Exchange.MailboxReplicationService.ProxyService’ failed. Error details: A call to SSPI failed, see inner exception. –> A call to SSPI failed, see inner exception. –> The target principal name is incorrect.

After some troubleshooting I found that the MSExchangeMailboxReplication service on the 2013 server was running under an Administrator account and not as Local System, which is the default.

After changing the logon to Local System and restarting the service, the issue was resolved.

Hope this will help other people with the same issue!
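A way to audit this across all servers before a migration, as an added example that is not part of the original post: it reports the logon account of the Mailbox Replication service on every Exchange server and can set it back to Local System. It assumes the Exchange Management Shell and WinRM access to the servers; the function name is mine.

```powershell
# Added example: list which account MSExchangeMailboxReplication runs under on
# each server and flag anything that is not the default Local System.
function Get-MrsServiceAccount {
    param(
        [string[]]$Servers = (Get-ExchangeServer | ForEach-Object Name),
        [switch]$Fix    # reset non-default logons to LocalSystem and restart the service
    )

    foreach ($s in $Servers) {
        $svc = Get-CimInstance -ComputerName $s -ClassName Win32_Service `
                   -Filter "Name='MSExchangeMailboxReplication'"
        $isDefault = $svc.StartName -eq 'LocalSystem'

        if ($Fix -and -not $isDefault) {
            # Win32_Service.Change takes the new account and (empty) password by name.
            $null = Invoke-CimMethod -InputObject $svc -MethodName Change `
                        -Arguments @{ StartName = 'LocalSystem'; StartPassword = '' }
            Invoke-Command -ComputerName $s -ScriptBlock {
                Restart-Service MSExchangeMailboxReplication
            }
            $svc = Get-CimInstance -ComputerName $s -ClassName Win32_Service `
                       -Filter "Name='MSExchangeMailboxReplication'"
            $isDefault = $svc.StartName -eq 'LocalSystem'
        }

        [pscustomobject]@{
            Server    = $s
            LogonAs   = $svc.StartName
            State     = $svc.State
            IsDefault = $isDefault
        }
    }
}

# Get-MrsServiceAccount | Where-Object { -not $_.IsDefault }   # report only
# Get-MrsServiceAccount -Servers 'EX2013-01' -Fix              # reset and restart
```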

Out of Office for external users not working.

There are two things that can be configured in order to allow OOF messages to external recipients in Exchange:

Under Get-RemoteDomain

and Get-mailbox | fl *ExternalOofOptions*

For the first, we should enable the following:

Get-RemoteDomain Default | Set-RemoteDomain -AutoReplyEnabled $true -AutoForwardEnabled $true -AllowedOOFType External

For the mailbox:

Set-Mailbox usermailbox -ExternalOofOptions external

Even with all this in place, sometimes the OOF messages are still not delivered. We have to use message tracking in order to see why.

If we have something in front of Exchange, it is very likely that this device blocks messages with a blank return path (<>).

This is often the case when you have a smarthost which forwards the messages. In this case we can see in message tracking:

RecipientStatus         : {[{LRT=27.06.2017 07:25:27};{LED=554 5.7.1 <>: Sender address rejected: Access denied};{FQDN=host.fqdn.com};{IP=196.168.0.1}]}

554 5.7.1 means “relay access denied”.

You have to run the tracking with | fl to get the whole information.

This behavior for Out of Office messages is by design since Exchange 2013, and it is even in the standard, RFC 2298:

https://www.ietf.org/rfc/rfc2298.txt

The envelope sender address (i.e., SMTP MAIL FROM) of the MDN MUST be null (<>), specifying that no Delivery Status Notification messages or other messages indicating successful or unsuccessful delivery are to be sent in response to an MDN.
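An audit of the path an external OOF reply has to take, as an added example that is not part of the original post: it checks the Default remote domain and the mailbox settings mentioned above, then pulls the FAIL events for the external recipient from message tracking with the full RecipientStatus, where a smarthost rejecting the null sender shows up as in the 554 5.7.1 line above. It assumes the Exchange Management Shell; the function name and the mailbox and recipient placeholders are mine.

```powershell
# Added example: verify the org-level and mailbox-level external OOF switches,
# then show tracking FAIL events for the external recipient.
function Test-ExternalOofPath {
    param(
        [Parameter(Mandatory)][string]$Mailbox,            # placeholder
        [Parameter(Mandatory)][string]$ExternalRecipient,  # placeholder
        [datetime]$Start = (Get-Date).AddHours(-24)
    )

    $rd = Get-RemoteDomain Default
    $mb = Get-Mailbox $Mailbox

    # 1) Organization-level switches on the Default remote domain.
    $domainOk  = $rd.AutoReplyEnabled -and ($rd.AllowedOOFType -in 'External', 'ExternalLegacy')
    # 2) Per-mailbox external OOF option.
    $mailboxOk = $mb.ExternalOofOptions -eq 'External'

    [pscustomobject]@{
        RemoteDomainAutoReply = $rd.AutoReplyEnabled
        RemoteDomainOOFType   = $rd.AllowedOOFType
        MailboxExternalOof    = $mb.ExternalOofOptions
        ConfigAllowsExternal  = $domainOk -and $mailboxOk
    }

    # 3) What actually happened on the wire. OOF replies are sent with a null
    #    MAIL FROM (<>), so a smarthost that rejects blank senders fails them here.
    Get-MessageTrackingLog -Start $Start -Recipients $ExternalRecipient -EventId FAIL |
        Select-Object Timestamp, Sender, MessageSubject,
            @{ n = 'RecipientStatus'; e = { $_.RecipientStatus -join '; ' } }
}

# Test-ExternalOofPath -Mailbox 'usermailbox' -ExternalRecipient 'someone@example.com'
```

If ConfigAllowsExternal is True but the FAIL rows show a 5.7.1 for <>, the fix is on the smarthost or gateway, not in Exchange.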

Exchange 2013/2016 – Move request to a specific server/database is failing with “Database doesn’t satisfy the constraint SecondCopy”

I had a very strange issue in a multi-DAG environment where move requests to only one specific server were failing. No matter what the source database was, if the target database was on the affected server the move failed with:

Error: Mailbox changes failed to replicate.
Database doesn’t satisfy the constraint
SecondCopy because the commit time 19.09.2017 13:11:15 isn’t guaranteed by
replication time 31.12.9999 23:59:59.

In this article you can find more information regarding the database constraints.

There are also some requirements listed there:

If the DataMoveReplicationConstraint is set to SecondCopy, then for a given replicated database at least one passive database copy must:
1. Be healthy.
2. Have a replay queue within 10 minutes of replay lag time.
3. Have a copy queue length less than 10 logs.
4. Have an average copy queue length less than 10 logs. The average copy queue length is computed based on the number of times the application has queried the database status.

All of this was of course OK in my case.

I checked replication health with Test-ReplicationHealth and found that the HighAvailability component was reported as inactive:

RunspaceId : ac1e9231381-123-132-123123123
Server : server
Check : DatabaseAvailability
CheckDescription : Verifies that databases have sufficient availability. If this check fails, it means that some
databases are at risk of losing service.
Result : *FAILED*
Error : Failures:

servername:
Server ‘server.domain.com’component (HighAvailability) state is offline. If you need
to activate databases copies on this server, you can use Set-ServerComponentState -Component
‘HighAvailability’ -State ‘Active’ and retry Move-ActiveMailboxDatabase.

But Get-ServerComponentState shows everything Active for all servers.

There was also an error in the Application log:

Log Name: Application
Source: MSExchange Mid-Tier Storage
Date: 28.12.2017 10:27:19
Event ID: 10011
Task Category: (10)
Level: Error
Keywords: Classic
User: N/A
Computer: server.domain.com
Description:
Replication for database MDB1 is not flushed yet. Constraint: SecondCopy, number of copies: 2, minimum replay time: 31.12.9999 23:59:59, commit time: 28.12.2017 10:27:19. Failure reason: Database 828ffdad-2323-4e18-9e5e-123123123 doesn’t satisfy the constraint SecondCopy because the commit time 28.12.2017 10:27: isn’t guaranteed by replication time 31.12.9999 23:59:59.

According to this article, there are two places where the component states are saved:

Local, in the server registry, and remote, in the Active Directory configuration naming context.

When I looked at the remote ServerComponent states I saw that the ServerWideOffline component was Inactive!

$components =Get-ServerComponentState servername -Component serverwideoffline

[PS] C:\Windows\system32>$components.LocalStates

Requester    State    Component
---------    -----    ---------
Functional   Active   serverwideoffline
Maintenance  Active   serverwideoffline

[PS] C:\Windows\system32>$components.RemoteStates

Requester    State     Component
---------    -----     ---------
Functional   Active    ServerWideOffline
Maintenance  Inactive  ServerWideOffline

After setting the component to Active again, the issue in the Test-ReplicationHealth report was resolved, and with this the move requests are also not failing any more.

Also the date in event 10011 is no longer 31.12.9999 23:59:59 but something in the near future 🙂
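A sweep that surfaces exactly this local/remote mismatch on every server, as an added example that is not part of the original post: the summary State column of Get-ServerComponentState hides a requester that is Inactive in only one of the two stores, so the function walks LocalStates and RemoteStates per component. It assumes the Exchange Management Shell; the function name is mine.

```powershell
# Added example: report components whose registry (local) or AD (remote) state
# is Inactive for any requester, per server.
function Compare-ServerComponentStates {
    param([string[]]$Servers = (Get-ExchangeServer | ForEach-Object Name))

    foreach ($srv in $Servers) {
        # Without -Component the cmdlet returns every component of the server.
        foreach ($c in Get-ServerComponentState -Identity $srv) {
            $localInactive  = @($c.LocalStates  | Where-Object { $_.State -ne 'Active' })
            $remoteInactive = @($c.RemoteStates | Where-Object { $_.State -ne 'Active' })

            if ($localInactive.Count -or $remoteInactive.Count) {
                [pscustomobject]@{
                    Server         = $srv
                    Component      = $c.Component
                    LocalInactive  = ($localInactive  | ForEach-Object { $_.Requester }) -join ','
                    RemoteInactive = ($remoteInactive | ForEach-Object { $_.Requester }) -join ','
                }
            }
        }
    }
}

# Compare-ServerComponentStates | Format-Table -AutoSize

# Fix for the case above: the state has to be set back by the same requester
# that set it Inactive (Maintenance in the RemoteStates output), for example:
# Set-ServerComponentState servername -Component ServerWideOffline -State Active -Requester Maintenance
```

After the fix, re-run the function and Test-ReplicationHealth; the RemoteInactive column for that server should be empty.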

Disable Out of Office autoreplies for all external recipients in Exchange Server

I spent some time trying to achieve this goal, so I decided to share it with you.

First I tried to create a transport rule following this article.

It did not help.

So I did some research and found that I can disable autoreplies to recipients outside the organization in Outlook and OWA with the Set-Mailbox command:

Set-Mailbox username -ExternalOofOptions InternalOnly

What this does is grey out the option to set up an autoreply to external organizations in OWA or ECP. But if the autoreply was already set at the time of this change, it will continue to send autoreply messages to external recipients. The autoreply needs to be turned off and on again; only then is the field for external organizations greyed out.

This can be solved by setting “AllowedOOFType None” for the Default remote domain in EMS:

Set-RemoteDomain Default -AllowedOOFType None

This disables OOF for all external domains.

If you want to disable it only for specific domains, you have to add every such domain as a remote domain and then set the value to None for each of them.
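The per-domain variant from the last paragraph as a script, added here and not part of the original post: it creates a remote domain for each listed domain (if one does not exist yet) and sets AllowedOOFType to None there, so the Default remote domain keeps its current setting for everyone else. It assumes the Exchange Management Shell; the function name, the naming scheme and the domain list are mine.

```powershell
# Added example: block OOF replies only to specific external domains by giving
# each its own remote domain with AllowedOOFType None.
function Disable-OofForDomains {
    param([Parameter(Mandatory)][string[]]$Domains)

    foreach ($d in $Domains) {
        # Reuse an existing remote domain for this SMTP domain if there is one.
        $rd = Get-RemoteDomain | Where-Object { $_.DomainName.ToString() -eq $d }
        if (-not $rd) {
            # Naming scheme is an assumption of this example.
            $rd = New-RemoteDomain -Name "NoOOF-$d" -DomainName $d
        }

        Set-RemoteDomain -Identity $rd.Identity -AllowedOOFType None
        Get-RemoteDomain -Identity $rd.Identity |
            Select-Object Name, DomainName, AllowedOOFType, AutoReplyEnabled
    }
}

# Constructed example domains:
# Disable-OofForDomains -Domains 'partner-a.example', 'partner-b.example'

# Check that the Default remote domain was left alone:
# Get-RemoteDomain Default | Select-Object Name, AllowedOOFType
```

Exchange picks the most specific matching remote domain for a recipient, so these entries win over Default for their domains only.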

“The source data is corrupted or not properly Base64 encoded” when importing a certificate in Exchange.

You can get this error when importing a wildcard certificate or a certificate from a public certification authority:

Import-ExchangeCertificate : The source data is corrupted or not properly Base64 encoded.
At line:1 char:27
+ Import-ExchangeCertificate <<<<  -Path “C:\cert\certs\www.mydomain.crt.csr”
+ CategoryInfo          : ReadError: (:) [Import-ExchangeCertificate], InvalidOperationException
+ FullyQualifiedErrorId : 76D5CB03,Microsoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertificate

This is happening because the certificate is missing the private key.

Import the certificate into the Personal store and export it in .cer format from MMC. Then delete the certificate from MMC.

In the Exchange Management Shell run:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "<Path of the certificate>.cer" -Encoding Byte -ReadCount 0))

This imports the certificate into the store (it is visible in MMC), but it will not be visible in ECP or IIS.

Run:

Certutil -repairstore my "xx xx xx 02 03 1b c9 fd c5 40 xx a6 55 0a 91 xx"

Where "xx xx xx 02 03 1b c9 fd c5 40 xx a6 55 0a 91 xx" is the serial number of the newly imported certificate.

Now the certificate will be visible in ECP and IIS and you can assign services to it.
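The same procedure as one script, added here and not part of the original post: it imports the exported .cer, runs certutil -repairstore against it using the thumbprint (certutil accepts the SHA-1 hash as the certificate id, not only the serial number), confirms Exchange now reports a private key, and then assigns services. It assumes the Exchange Management Shell on the server that holds the key; the function name, the path and the service list are placeholders of mine.

```powershell
# Added example: import the .cer, re-link it to the private key already in the
# machine store, verify, then enable services.
function Import-ExchangeCertWithRepair {
    param(
        [Parameter(Mandatory)][string]$CerPath,          # placeholder path
        [string[]]$Services = @('IIS', 'SMTP')           # placeholder service list
    )

    $bytes = [System.IO.File]::ReadAllBytes($CerPath)
    $cert  = Import-ExchangeCertificate -FileData $bytes

    # certutil takes a serial number or a SHA-1 hash as CertId; the thumbprint
    # avoids retyping the spaced serial number by hand.
    certutil -repairstore my $cert.Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed for thumbprint $($cert.Thumbprint)"
    }

    $check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    if (-not $check.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) still has no private key; import it via MMC on this server first."
    }

    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services -Confirm:$false
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Select-Object Thumbprint, Subject, HasPrivateKey, Services
}

# Import-ExchangeCertWithRepair -CerPath 'C:\cert\certs\www.mydomain.cer'
```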