2010 asterisk asterisknow exchange pbx voicemail voip

Building An Exchange Unified Messaging Lab (Part 4)

This blog post series is the steps to build a working unified messaging lab for Exchange Server. I thought I would write it all down as I found a lack of end to end documentation for the process and what I thought would be a days work turned into many as I worked at finding all the settings and configurations having no experience on the subject before this.

This part will look at taking the already installed AsteriskNOW server (in Part 2 and Part 3) and configuring a few telephone extensions and external calls. Part 5 will look at configuring unified messaging in Exchange Server 2010 and Part 6 the same for Exchange Server 2013. Later parts will look at connecting Asterisk to Exchange for voicemail.

Configuring Extensions

For this part you will either need to download a softphone (a SIP phone running as software on your PC) or have two physical SIP phones – EBay is a good source of SIP phones. I have two Draytek Vigor 350 phones which are a basic office phone that can connect to any SIP based IP PBX.

First we need to create two extensions based on your already determined dialplan (see Part 3 for more). In this lab 8xxx is the dialplan, so extension 1 will be 8001 and extension 2 will be 8002. Both extensions will have similar settings, just things like display name and extension number will change.

These changes can be made in FreePBX or directly in the config files. To do this in FreePBX click the Applications menu and select Generic SIP Device from the Device drop-down.

imageEnter the following as a minimum: Extension number, Display Name, a complex password for the secret (containing two letters and two numbers) and voicemail should be enabled and a voicemail password set (but the remaining voicemail settings can be ignored). Unless the phone will be used outside the firewall, set NAT to No-RFC3581. The secret will be the password the phone uses to register with the PBX. The user of the phone does not need this value and therefore make it very complex and you can copy and paste it into the phone’s configuration pages. If it is simple then you might find external connections being made to your PBX, logging in as your extension and making paid calls on your behalf and using up your credit with the SIP Trunk provider.

Repeat these steps for each extension you have and click Apply Config when finished. Remember that you made direct changes to sip.conf file (or the sip_general_custom.conf file) and the rtp.conf file and you have not yet applied these changes to Asterisk. Clicking Apply Config in FreePBX does all this for you. Use amportal restart from the Linux console if you made all the changes directly in the config files.

Connecting Telephones To Asterisk PBX

The exact steps for this will depend upon your actual phones, but you will need to have the IP address of the PBX, the SIP port, the extension number and the secret to hand. If your phone has a voicemail button then enter the pilot number as the number to call, as that is the number you chose for voicemail when looking at the dialplan.

The Draytek Vigor 350 phones that I am using have a web interface to them and the IP address can be determined from the phone menu button. From the phones web GUI I select SIP Account Settings and then select one of the available accounts, as this phone supports multiple SIP based IP PBX’s. The required information is then filled in:

imageIn my case I am using port 5065 for SIP (over UDP) so I needed to mention it on the Registration Server line. If I was using 5060 I would not have needed it for this phone. Notice that once the information has been entered the phone shows that the connection is registered.

I repeat the configuration for all the other phones I have, just using the correct secret, display name and extension and once registration is complete the phone displays the SIP account by its display name on the LCD panel. I need to select this account to make calls using it on this phone.

You should now be able to dial the other extensions in your telephone network.

Configuring Trunks

Trunks are the name given to connections to other telephone systems and we need to configure a trunk to the outside world to enable us to make and receive calls from other phone systems. We will also in a later part of the blog make a trunk to Exchange Server for unified messaging.

To configure a trunk to the internet for making and receiving SIP based calls or for a SIP based call to be placed onto the classic telephone network you need an account with a SIP Trunk provider. There are a number of providers that are approved by Microsoft for use with Lync Server, but for now any that you have used before or can find via a web search should do. For this blog I am going to use Voipfone in the UK. Once I registered I got an email and 5 minutes of free outbound calls. The email contains my account details, inbound telephone number (UK starting 0560 in this case). Instructions for configuring Asterisk with Voipfone are at and so I will not repeat them here apart from stating that you need to ensure that the settings go in the correct file.

imageIf you have FreePBX installed as we do in this blog then you need to put the register value in sip_general_custom.conf and the [voipfone] section in sip_additional.conf or use the FreePBX web GUI directly. This is what we have done in the screenshot to the right:

The SIP Trunk settings are configured in FreePBX by going to Connectivity menu > Trunks. Add SIP Trunk and entering the required details. In the screenshot 12345678 is the account number and XXXXXX is the secret/password for the SIP trunk (which may or may not be the password for your account depending upon the provider). Don’t reveal this information, as it will allow others to use your credit at the SIP provider.

The settings entered into the trunk configuration are a simple as the name of the trunk under General Settings and again under Outgoing Settings and the following for PEER Details:

secret=XXXXXX ;your voip password
username=12345678 ;your account number
fromuser=12345678 ;accont number again

And finally the following for the Register String:

PEER Details and Register String values are available from your SIP Provider. You do not need to set an Outbound CallerID as per the warning you get in FreePBX. In addition to the settings I was provided by the SIP Trunk provider, I added qualify=yes to the PEER settings. This allows me to monitor connections to this trunk with the “sip show peers” command from the Asterisk console.

Configuring Outbound Routes

Before you can make any calls you need to set an Outbound Route and before you can receive any calls you need to make an Inbound Route. For the Outbound Route (Connectivity menu > Outbound Routes) create a new route for your SIP provider. At the very least you can give a name for the route and select the trunk you just created for Trunk Sequence 0. It is possible to add dial patterns to improve the functionality of the route. For example in the UK it is possible to dial six or seven digits when ringing within the same town or city. For this call to be handled by a UK SIP provider we need to automatically add the area code and for a non-geographic SIP provider we would need to add the international code as well. In the below screenshot the Outbound Route contains entries for handling emergency calls (route 999 and others via this SIP provider) and if I dial a local Oxford number (01865 being the area code) then all I need do is dial six digits and Asterisk converts this to 00441865XXXXXX.


The (0044)+0|[XXXXXXXXXX]/ entry will match any eleven digit number starting with 0 (X=any digit), remove the 0 and add 0044 before sending down this route. This allows for UK wide national calling. Miss any valid route (or place the numbers against a non-existent route) and you stop calls being placed to those numbers. A simple way to bar calls to premium rate numbers or international numbers. The 00. route matches all numbers starting 00 of any length and routes them via the trunk – this is to allow international calls. The full-stop/period symbol indicates any number and any number of numbers.

Apply Config to make your changes and then check in the Asterisk console if the connection is working okay by typing asterisk -Rv to enter the console for Asterisk and then sip show peers to see who is online.

Whilst you have the Asterisk console open (asterisk -Rv entered) if you make an external call it will show you the connection and any errors should there be any. Use the screen command before you enter the Asterisk console to allow you to scroll back through any messages reported to the console. Use ! to exit the Asterisk console and CTRL+A then [ to allow you to access the screen mode and allow the use of the arrow keys to scroll up and down the console output.



You should now be able to make outbound calls. Things like CallerID and so on are typically configured at your SIP provider, and in the case of Voipfone the default is to withhold them. It is also UK law to enter your physical address should you route an emergency call via a UK SIP Trunk from a UK address, and so if this applies to you then do this now – you don’t want to have to call an emergency and find you need to reconfigure your telephone first! Similar conditions will probably apply in your country too.

Configuring Inbound Routes

This blog will not go into the process of setting up an IVR (telephone answering menu) and will just route inbound calls to a single telephone extension. If you have a full telephone number per extension (DDI) then you can set up a number per physical device or you can create an IVR by adding that module to Asterisk.

To route all inbound calls to the primary extension (in this blog that is 8001) you need to enter the following config file entries:

imageOr use FreePBX and Connectivity menu > Inbound Routes and enter a name, your account number and a destination of going to a selected Extension.

Finally, dial the inbound number your VoIP provider has given you from another telephone system and see if your extension rings and that you can answer it and have audio going in both directions. One way audio typically means ports blocked on your firewall. If you extension does not ring then look on the Asterisk server console for any error messages. A common one is about context, and for this make sure that the Trunk configuration contains context=from-pstn and no other context values. Advanced configuration can change the context later, but this is outside of the scope of this blog.

So now we have a PBX that support IP (and specifically TCP) and you are able to make and receive telephone calls. Now its time to move to Part 5 to configure Exchange Server to provide your voicemail service and voice access to your email and calendar.

2010 2013 asterisk asterisknow exchange sip unified messaging

Building An Exchange Unified Messaging Lab (Part 2)

This series of blog posts started with Part 1 where we discussed the requirements of the lab and what you would need from any PBX that you might have to hand. Part 2 (and the next few parts) will look at installing AsteriskNOW to provide a software PBX to support the Exchange Server unified messaging environment.

Installing AsteriskNOW Software IP PBX

Start by downloading the latest version of AsteriskNOW from This is a easy to install version of the open source Asterisk IP PBX. AsteriskNOW installs the underlying Linux OS it needs with very little initial configuration and is especially easy for non Linux people like myself! This blog is based on AsteriskNOW 2.0.2

While AsteriskNOW is downloading create yourself a new virtual machine with the following configuration:

  • 512Mb RAM (dynamic memory not required)
  • 1 Processor
  • 1 Legacy Network Card (that is, remove the standard NIC that Hyper-V adds to new virtual machines and add a legacy network adapter). AsteriskNOW runs on CentOS and this does not have an easy to install Hyper-V Integration Services that would provide support for the standard network card.
  • Connect this network card to a physical network with internet access.
  • 1 new virtual hard disk, dynamically expanding is fine. 15GB should be plenty, though no harm is making its maximum size larger if you need to.
  • Once the AsteriskNOW iso is downloaded attach this to the virtual machine.

The settings for the virtual machine should similar to the below screenshot:


Start the virtual machine and then connect to it to see the installation proceed.

First, select option 1 to install Asterisk 1.8 and the FreePBX web interface for the PBX:


CentOS (a Linux distribution) will install automatically followed by an installation of AsteriskNOW and FreePBX. You will be asked to create the disk partition, wiping all data – and your answer will be Yes:


Then you will need to partition the hard disk. Choose the option to Use free space on selected drives and create default layout and click Next.


Select your timezone and check the box System clock uses UTC and click Next.


Enter the password that you want to use for the root account. Click Next and go and get a coffee. A long coffee! And come back in about 30 minutes.


Finally, and before you reboot the server at the end of the installation, change the virtual machine settings so that the ISO is not mounted as a DVD.

The Initial Configuration of AsteriskNOW

After the installation has completed and the new software PBX has been restarted you can complete the initial configuration of the server. This includes network and other settings such as NTP time sync and keyboard changes is you are not based in the US.

To make some of these changes you will need to either have experience of using Linux text editors or install WinSCP and use this to edit the config files from Windows. WinSCP can be downloaded from

First change is the network settings. The Setup Agent screen appears, and you can exit from this (or wait and it will disappear shortly). You will be presented with the login screen:


Enter root and the password you choose during setup. Make a note of the IP address that is currently assigned to the server. This is shown above the login prompt. If you forget the IP address you can type ifconfig at the prompt in the console to be reminded of it.

Type system-config-network to allow you to change the IP address and DNS on the server. Note that DNS changes will not work until after the network is restarted (or the server rebooted).


Tab until Edit Devices is selected and press Enter.

Your current network card will be highlighted. Press Enter to let you make changes. If this virtual server is clustered you will need to change the IP address and reboot, then switch the virtual server over to the other node(s) and configure an identical set of network settings and reboot on each node. If you don’t then the server will have different IP addresses per node that it runs on.



Tab to change fields, use space to deselect the * under Use DHCP and then enter a valid fixed IP for your network, and valid mask and gateway settings. Tab to OK and space to action this.

Tab to select Save and then select Edit DNS Configuration. This DNS configuration will only take effect after you restart the network upon changing the IP address (or use /etc/init.d/network restart to restart the network). So after reboot run system-config-network to make these changes. Do not set the primary DNS IP as as a DNS server is not installed on the AsteriskNOW box.


Reboot your server with shutdown –r now and upon restart connect to the server’s fixed IP address with WinSCP to do some other initial configuration.

Start WinSCP and click New to create a new session. Enter the IP address (or DNS name if you have made one) for the server. Enter root and your password where needed and set the File Protocol to SCP:


Click Save and then Login. Accept the prompt about the server’s key and then you will see the local file system and server’s file system:


Edit the file /etc/sysconfig/keyboard so that KEYTABLE=”xx” where xx is the name of the keytable file located in /lib/kbd/keymaps/i386 not including the .map.gz bit of the filename. For example my value would be uk.

Navigate to /usr/share/zoneinfo and find the folder names that match your timezone. Mine is Europe/London.

In the AsteriskNOW server console login and type the following where Europe/London matches the folder and filenames you located.

ln -sf ../usr/share/zoneinfo/Europe/London /etc/localtime

Then enter the following to see the time on the hardware clock and change it if needed. The last command set the hardware clock to the value of the system clock:

date mmddhhmm
/sbin/hwclock --systohc

Finally to set automatic updating of time to an NTP clock (port UDP 123 outbound is needed if going to the internet, or just enter the IP of a domain controller) you need to enter the following commands:

yum install ntp 
chkconfig ntpd on
/etc/init.d/ntpd start

Update CentOS to the latest updates

Get the latest updates for CentOS and Asterisk with the command yum update.

On completion of the updates reboot the server with:

shutdown –r now

After the reboot check that the DNS values have been set correctly. To avoid a reboot use:

/etc/init.d/network restart

Install the Hyper-V Integration Tools

To allow for time sync and other integration with Hyper-V download the Linux Integration Services Version 3.4 for Hyper-V from

This download is an ISO file. Attach the ISO to the Asterisk virtual machine.

In the Linux console type the following:

mount /dev/cdrom /media
cd /media/RHEL58

Allow the installation to complete and reboot with shutdown –r now.

Initial Configuration of FreePBX

Login to http://your_IP and use admin and admin as the username and password.

If the webpage looks like it is broken and the following links don’t work (it keeps logging you out) then from the server console type the following command to fix the issue.

amportal restart

Once you are logged into the FreePBX console without issue, if there is a retrieve_conf error towards the top left the run the following commands from the console

rm -rf /etc/asterisk/logger.conf
ln -s /var/www/html/admin/modules/core/etc/logger.conf /etc/asterisk/logger.conf #ln to here is one entire line
amportal reload

Click Admin menu > Administrators and select admin user on the right. Change the admin user password and click Submit Changes button. Don’t click the Apply Config button that has just appeared on the toolbar. You have other changes to make first.

Click Admin menu > Module Admin > Check Online > Click the Upgrade All link to the right and the click Process > Confirm and finally the Return link once you scroll all the way down the update popup screen.

Click the red Apply Config and after the configuration has reloaded, logout and back in again with your new password.

Change the default ARI Admin password from Advanced Settings menu. To do this click Display Readonly Settings and Override Readonly Settings to True. Click the Green save icon and then Apply Changes. Find the User Portal Admin Password field and change it. Click Save and then Apply Config. Change the two Readonly settings back to False, Save and Apply Config.

The next part of this blog series will look at further configuration of Asterisk PBX to support Exchange Server (TCP needs to be enabled amongst other settings) and to configure the firewall to allow external calls to and from the PBX.

2010 draytek exchange firewall rtp sip unified messaging voicemail

Building An Exchange Unified Messaging Lab (Part 3)

This blog is part of a series on creating a unified messaging lab for Microsoft Exchange Server. Configuring Unified Messaging was not as easy as I thought it would be and there was a lack of information that brought all the settings into one place, and a lot of incorrect information! The series started with Part 1 for the requirements and Part 2 for the initial configuration of AsteriskNOW and FreePBX.

Up until now the changes you have made have been pretty much the same for everyone. Sure, you have set an IP, keyboard and timezone that are different but everything else has been pretty much standard. Now we need to change some Asterisk configuration files to support Exchange Server Unified Messaging.

Configuring Asterisk for Internal and External Calls

As we have chosen to install FreePBX as well, we will edit the configuration files that FreePBX does not control. If you are doing your configuration without FreePBX installed there will be different files to change.

Before we make the changes though, you need to decide a few things. Some of these will be determined by your current environment. The first thing you will need to know is the number of digits in your dialplan. A dialplan is the internal extension number configuration at your office. For example if you dial 1xxx to reach one office and 2xxx to reach another then you have a four digit dialplan and sequences starting 1 and 2 are already reserved. In my lab I am going to use a four digit dialplan where 8xxx is going to be allocated to physical telephone handsets (extensions) and 8000 is going to be the number I call to listen to my voicemail (the Pilot Number) when I am using Exchange 2010 and 8500 when I am using Exchange 2013. Two numbers for voicemail allows me to use two different Exchange labs from one set of SIP phones.

Once you have picked your dialplan you can start to configure the various components of your PBX for your telephone network. These changes include forwarding your pilot number (8000 and 8500 in this blog) to Exchange and configure your telephone extensions.

In Asterisk we need to do these configuration changes by editing the config files. We can do this in a few different ways. We can edit the config files directly in the Linux console (using text editors such as vi), use WinSCP from a Windows PC if you don’t want to edit the files in Linux directly or use FreePBX for some of the changes. You must use FreePBX to change any file that has the FreePBX banner at the top of the config file.

SIP.Conf Changes for NAT and Exchange Server

Firstly, if you have a NAT’ed network you need to tell Asterisk your external IP address. Edit /etc/asterisk/sip_general_custom.conf to contain:

;externip needs to be your public IP

You also need to add the following to the same file:

context = default
bindport = 5060
bindaddr =
tcpbindaddr =
tcpenable = yes
promiscredir = yes

Amongst these changes some of them tell Asterisk to listen on TCP, bind to all IP addresses and listen on port 5060 for UDP. Exchange Server and Lync Server require TCP support from the IP PBX that they connect to and without these settings Asterisk will only do UDP. Asterisk 1.8 will only listen on 5060 for TCP and there is no config setting to change this. The bindport setting controls the listening port for UDP.

Notice that we changed the sip_general_custom.conf file and not sip.conf. If you did not have FreePBX installed you would make all your changes to Asterisk in the config files and so could edit sip.conf directly. FreePBX overwrites some config files with its settings whenever you click Apply Config in the web GUI. To avoid having your settings overwritten you need to make them to files that are referenced by include statements in the master file.

For this example, if you open sif.conf (in /etc/asterisk) then in the [general] section (where the above edits are needed) you will see #include sip_general_custom.conf. This tells Asterisk to load sip_general_custom.conf as part of sip.conf, and we know that sip_general_custom.conf will not be overwritten by FreePBX because it does not tell us this at the top of the file.

To determine the file that you need to make the change in for other config files open the master file that you need to edit (i.e. sip.conf in this example) and see if there is a FreePBX banner at the top of the file. If not, then edit the file as required. If there is a banner telling you not to make changes then look for the section that your change will be inside (for example in sip.conf above we made our initial changes in the [general] section) and locate the #include statement that follows that section. This statement tells Asterisk the name of additional config files to load and to consider as part of the master file that you are currently reading. Some of these include files contain the FreePBX banner as well but others don’t for example to make changes to the [general] section of sip.conf we will edit sip_general_custom.conf, the custom config file for the general section in the sip.conf file.

RTP.Conf Changes For Your Network

SIP is the protocol that is used to manage connections between the parties involved in the call. RTP is the protocol used to transfer the voice data. You need to edit /etc/asterisk/rtp.conf so that the rtpstart and rtpend values are suitable for your network.

For each call connections will be made to 5060 and two additional ports. These two additional ports need to be sequential, and the odd numbered port will carry RTP data (voice traffic) into your PBX and the even numbered port carries RTCP packets (data about the connection). Outbound SIP/RTP traffic is determined by settings on the other parties PBX, so you typically need to allow all outbound ports from your PBX.

Therefore you need to configure Asterisk to have a start and end range for RTP that is a minimum of two ports (for one concurrent call) and a max of the number of concurrent calls you can make to through your PBX. Your external firewall will need to be configured to publish all these ports to your IP PBX so don’t make the range too big – but equally you need two ports per concurrent call so don’t make the range too small.

The range will always be the higher of the max number of calls your SIP Trunk provider allows and the number of physical handsets you have (plus some overhead to allow for parked calls). So if you have a five call SIP trunk, ten staff members, and 12 handsets you would need to support at least 12 concurrent calls. Therefore configure RTP to start at 10010 and finish at 10034 (two ports for each of the twelve concurrent calls you can support). Then increase it a bit for your sanity!

Edit /etc/asterisk/rtp.conf so:

rtpend=your calculated value


Make sure your firewall forwards these ports to this PBX server and if you have other PBX servers ensure that you do not use the same port range. The following shows an example firewall configuration for this PBX. In the picture and in my config files I am using 5065 for SIP as I have two PBX’s and the other is using 5060.




Once we test calls to the outside world, if you start getting “one way traffic” (that is you can be heard but you cannot hear the caller or the reverse) then you need to check your firewall rules.


In Part 4 the fun will start. In this part we will configure a few telephone extensions so that we can make internal calls and then configure a SIP Trunk provider so we can make external calls. Part 5 will look at configuring Exchange Server 2010 and Part 6 the same, but for Exchange Server 2013. Part 7 will look at connecting these calls to your Exchange Server when we want to record a voicemail message.

2010 exchange

Merge Exchange 2010 Personal Archive Back to Primary Mailbox

A feature of Exchange 2010 SP1 was to store “older” emails in a different database and to have that database on a cheaper storage subsystem. Given that Exchage primary mailboxes work very well on slower storage anyway you could well be in the position of needing to move archived content, that is content moved to the archive via a retention policy, back to the primary mailbox.

To do this you need to make use of the Export-Mailbox and Import-Mailbox cmdlets to export the contents of the archive to a PST file and them import the PST file back into the primary mailbox.

This process is broken into two parts. The preparation of the server to do the Export/Import processes and then the cmdlets to move the users.

Preparing the Environment

The account needed to run the Export-Mailbox and Import-Mailbox commands needs to be granted the “Mailbox Import Export” role assignment and you need to create a file share on one of your CAS servers that the Exchange Trusted Subsystem has permission to.

To create the File Share create a folder on one CAS server and share it with Advanced sharing. Ensure that “Exchange Trusted Subsystem” has read and write permissions on the file system and Everyone has full control to the share:

image  image

If you give your account modify permissions as well, then you will be able to delete the PST file that gets created at the end of this process when it is no longer needed.

Modify your Exchange account so that you have the Mailbox Import Export” role assignment

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User AD\Administrator

You will need to close and re-open any Exchange Management Shell windows you have open to pick up these permission changes. Then you are ready to begin the process of merging the archive out to PST and then the PST into the primary mailbox.

Merging Archives Back to Primary Mailboxes

This process in brief is to ensure Retention Hold is enabled for the mailbox in question and then to run the cmdlets to do the export followed by the import.

These can all be done from the Exchange Management Shell using the following cmdlets. This will prompt for the username and then turn off Retention Hold, export the mailbox (you will need to change the share to match your environment) and then import the mailbox.

The steps to export the mailbox are as follows:

  1. $UserToMerge = Read-Host -Prompt “Username of user to merge archive back to primary mailbox?”
  2. New-MailboxExportRequest -Mailbox $UserToMerge -FilePath “\\CAS-SERVER\ExportImport\$UserToMerge.pst” -IsArchive $True
  3. Get-MailboxStatistics $UserToMerge -Archive | ft DisplayName,TotalItemSize
  4. Get-MailboxExportRequestStatistics

The above steps will prompt for the username and then start the export of this users archive folder to the given file share. Exports will take time, and this is dependant upon the size of the archive. Therefore this script will finish with an output of the size of the archive (Get-MailboxStatistics –Archive) and the current status of the export. You can repeat the last command on a regular basis to see when the export is complete or use the following to see the percentage complete status:

Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

Once the export is complete the export request can be removed:

Get-MailboxExportRequest | Remove-MailboxExportRequest

You now have a PST file that is a copy of the data found in the users archive. To import this data back into the primary mailbox you need to run the following command:

  1. New-MailboxImportRequest –Mailbox $UserToMerge -FilePath \\CAS-SERVER\ExportImport\$UserToMerge.pst
  2. Get-MailboxImportRequest | Get-MailboxImportRequestStatistics

As with the export, the last line allows for you to view the current status of the import.

Once the import is finished the following command will clean up the import requests:

Get-MailboxImportRequest | Remove-MailboxImportRequest

And don’t forget to delete the PST files and remove the archive for the user as well – as the PST is extra to requirements now, and the archive contains content that is replicated to the primary mailbox. If you ever turn the archive back on again then you need to have a new archive rather than using the old one.

To remove a users archive and delete the PST (remembering to change the path shown here) run the following:

  1. Disable-Mailbox $UserToMerge -Archive -Confirm:$false
  2. Del \\CAS-SERVER\ExportImport\$UserToMerge.pst

Finally, its possible to save all these commands to two PS1 files (one for the export commands and one for the import ones) to make the repeating of this for other users easier. Or, take a look at Steve Goodman’s blog on Exporting Mailboxes to assist you in writing a script to do this process in bulk.

2010 exchange hyper-v

Building an Exchange Unified Messaging Lab

This is a project I have been meaning to do for some time, and when I got around to doing it found it to be harder than I expected it to be. So this blog series covers the steps needed to build a Unified Messaging lab utilising Exchange Server 2010 and Microsoft Lync Server along with the steps to build a software PBX using AsteriskNOW and a SIP Trunk provider to give me inbound and outbound telephone calls.

Posts In This Blog Series


Initial Requirements

We will start with a list of the requirements to build this lab:

  1. A virtualization server. This blog will reference Hyper-V but any will do.
  2. Purchase a domain name for the lab. For the blog we will use
  3. A domain controller. For this blog the domain is mcmemail.local
  4. An Exchange Server 2010 or 2013 installation.
    1. For Exchange 2010 you need to install the Mailbox, CAS, Transport and Unified Messaging roles onto one or more servers
    2. For Exchange 2013 you need to install the Mailbox and Client Access Front End role on either the same or two machines.
  5. A PBX. For this blog series we will download and install two different software PBX’s. First we will look at AsteriskNOW and then 3CX’s software PBX. The first is free of charge, but requires work to make it work and the second is a paid product (but has a 2 line fully functioning demo version) that has options to work with Exchange without a lot of configuration.
  6. A SIP Trunk Provider. For this blog we are using Voipfone who provide free SIP trunks and a free UK incoming number. You will want to pick a provider in your country and there are plenty to choose from. Voipfone were selected for the lab because they appeared on an “free sip trunk uk” search and no other reason.
  7. The ability to configure the firewall between the lab and the internet. Fixed IP’s preferred, but NATed IP’s are possible (and will be covered here).
  8. You will need some trusted digital certificates if you want to utilise Lync towards the end of the blog series. I am using Start SSL as they provide unlimited UC digital certificates (subject alternative name containing certificates) for a low fee.

So lets start. We will not cover the detail of the Hyper-V installation or the creation and configuration of virtual machines to host the domain controller and Exchange Servers. So if you are starting from scratch go an build yourself a working Exchange environment now and come back here as we prepare to do the Unified Communications bit.

All You Need To Know About PBX’s

The PBX (or Private Branch Exchange) is the hardware or software needed to make your traditional office telephone system work. This connected your physical telephone lines and your office telephones and allowed for internal calls, external calls, voicemail and lots more (at typically incremental cost for each feature). For your lab, if you want to connect Exchange and or Lync to your existing PBX then you will need either an IP PBX or an IP Gateway to connect your non-IP PBX to the IP based software that is Exchange or Lync.
Or you could install a software based IP PBX just for the lab. This is what we are going to do in Part 2, and once installed we will connect it to Exchange Server to provide voicemail and later “replace it” with Lync Server as that is a full IP PBX in its own right.

2003 2007 2010 cloud DNS domain door exchange exchange online load balancer loadbalancer mcm microsoft MX Office 365 smarthost

Highly Available Geo Redundancy with Outbound Send Connectors in Exchange 2003 and Later

This is something I’ve been meaning to write down for a while. I wrote an answer for this question to LinkedIn about a week ago and I’ve just emailed a MCM Exchange consultant with this – so here we go…

If you configure a Send Connector (Exchange 2007 and 2010) or Exchange 2003 SMTP Connector with multiple smarthosts for delivery to, then Exchange will round-robin across them all equally. This gives high availability, as if a smarthost is unavailable then Exchange will pick the next one and mail will get delivered, but it does not give redundancy across sites. If you add a smarthost in a remote site to the send connector Exchange will use it in turn equally.

So how can get get geographical redundancy with outbound smarthosts? Quite easily it appears, and it all uses a feature of Exchange that’s been around for a while. But first these important points:

  • This works for smarthost delivery and not MX (i.e. DNS) delivery.
  • This is only useful for companies with multiple sites, internet connections in these sites and smarthosts in those sites.
  • This is typically done on your internet send connectors, the ones using the * address space.

You do this by creating a fake domain in DNS. Lets say smarthost.local and then creating A records in this zone for each SMTP smarthost (i.e. mail.oxford.smarthost.local). Then create an MX record for your first site (oxford.smarthost.local MX 10 mail.oxford.smarthost.local). Repeat for each site, where oxford is the site name of the first site in this example.

Then you create second MX records, lower priority, in any site but use the A record of a smarthost in a different site (oxford.smarthost.local MX 20 mail.cambridge.smarthost.local).

Then add oxford.smarthost.local as the target smarthost in the send connector. Exchange will look up the address in DNS as MX first, A record second, IP address last), so it will find the MX record and resolve the A records for the highest priority for the domain and then round-robin across these A records.

If you have more than one smarthost in a site, add more than one MX 10 record, one per smarthost. Exchange will round-robin across the 10’s. When all the 10’s are offline then Exchange will automatically route to mail.cambridge.smarthost.local (MX priority 20 for the oxford site) without needing to disable the connector and retry the queues.

If you used servernames and not MX’s then it would round-robin amongst all entries, and so equally sent email to Cambridge for delivery. The MX option keeps mail in site for delivery until it cannot and then sends it automatically to the failover site.

2010 active directory domain exchange windows 2003 windows 2008

Starting Exchange When You Have Active Directory Issues

I had a call the other day from a company who had Exchange issues. One investigation it turned out they had a very suspect Active Directory and no-one would admit to what they had actually done to get it in such a state!

One server (DC1) would not talk to the other DC’s (Kerberos issues and replication issues) and the other DC’s where missing the Microsoft Exchange Security Groups OU and contained groups as well as other Exchange related stuff – though the schema and configuration was present!

DC1’s event logs where full of errors going back about six days (to when the issue started, though I only got a call a day before we had it fixed). But if I looked back in the log more than six days the event log showed only stuff from almost a year ago. I suspect a snapshot of the server was restored – but as I said, the only thing anyone claimed to have done was attempted to restore a user from a backup!

So the first step was to see if we could isolate DC1 from Exchange and do a setup /PrepareAD to replace the missing items in the domain naming context.

This requires limiting Exchange to DC2 with Set-ExchangeServer Exchange Management Shell cmdlet, but the shell would not start due to AD errors, so out with the registry editor.

To hard code Exchange to selected DC’s you need to visit HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ services\ MSExchange ADAccess and create a new key called Instance0. Inside \Instance0 create a String called ConfigDCHostName that has a value of the FQDN of DC to use.

Then create a Profiles key under HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ services\ MSExchange ADAccess\, which is the same location as before. Under Profiles create a subkey called Default. For Exchange 2010 create a DWORD called MinUserDC and a value of 1 and under Default key create two more keys called UserDC1 and UserGC1. MinUserDN is in a different location for Exchange 2007.

Inside UserDC1 key add a string called HostName (the value being the FQDN of the domain controller server to use) and a DWORD called IsGC with a value of 0.

Inside UserGC1 key add a string called HostName (the value being the FQDN of the global catalog server to use) and a DWORD called IsGC with a value of 1.

An example is shown in the picture for clarity:


Restart the Microsoft Exchange ADTopology Service to see if it can now connect to the correct server (the MinUserDC value stops Exchange attempting to connect to the PDC emulator as well as the listed domain controllers). In my clients issues, the PDC Emulator was DC1 that was effectively unreachable.

If you can get Exchange online now, great! Time to fix the issues with DC1. But if you can’t (and in my example I could not) then time for more troubleshooting – its sort of just like the MCM Qual Lab, just with real customer data!

To cut a long story short, in my example I decided that DC1 was the more accurate DC and that an authoritative restore of it to the last available AD backup (one month old!) might fix up the issues that had crept in since the abortive work done by the client earlier in the week. In this clients case, I used ntdsutil on DC2 to remove DC1 and then used dcpromo to demote all the DC’s so that they returned to member servers and standalone machines. Then I used ntdsutil to remove DC2 etc from the copy of AD on DC1 so that I was left with an almost up to date copy of AD on DC1. Then I rejoined DC2 etc. to the DC1 replica so I was back where the client thought they were with a number of DC’s but all replicating and Exchange objects all present. I needed to rejoin the servers to the domain, but once that was done I had a working Exchange environment. It was only six and a half days since the outage, and the clients email cloud filtering company held email for seven days – so no loss of email! Just about!

All in a days work for a Microsoft Certified Master | Exchange Server 2010.

2007 2010 exchange mcm windows 2008

Restricting Message Sizes in Exchange Server to Low Bandwidth Sites

Exchange Server has a series of different settings for controlling the maximum message size into and around an Exchange organization, but what about when parts of your organization have a considerably lower bandwidth than other parts, for example offices with servers in rural or hard to reach locations and require satellite WAN links or ships that are at sea.

For these and other examples it has been possible to limit the message size sent and from these limited bandwidth sites since Exchange Server 2007 SP1 by setting the MaxMessageSize property in Set-AdSiteLink

Set-AdSiteLink TitanicSiteLink -MaxMessageSize 2MB

Once an email is sent to a recipient in the target site Exchange Server (as part of the Categorizer component) determines the least cost route and sends the email. If the least cost route includes the site link on which you have limited your bandwidth then the email will be returned to the sender as an NDR if it exceeds the MaxMessageSize limit. If you only have one AD Site Link to your linited bandwidth site then Exchange routing will have to use that link. If you have more than one AD Site Link make sure they are all set to the limited size to that whatever the calculated least cost route is, the size limit will be enforced.

The only problem with this is that Exchange does not have the correct permissions within the Active Directory to be able to configure this setting. Therefore if you try the above Exchange Management Shell cmdlet it will fail with the following error:

Active Directory operation failed on dc-name. This error is not retriable. Additional information: Insufficient access rights to perform the operation.

Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

    + CategoryInfo          : NotSpecified: (0:Int32) [Set-AdSiteLink], ADOperationException

    + FullyQualifiedErrorId : ADC691A4,Microsoft.Exchange.Management.SystemConfigurationTasks.SetAdSiteLink

The issue comes down to the fact that the Exchange Trusted Subsystem user account does not have permissions to the delivContLength attribute on the AD site link that you are trying to change. Therefore to make this setting in Exchange you need first to set the correct permissions in AD.

To set the correct permissions open Active Directory Sites and Services (if running Windows 2008 R2 or later) or ADSIEdit if using an earlier version of Windows. Expand Sites and Services to find Sites > Inter-Site Transports and right-click the IP container and choose Properties and change to the Security tab:


In ADSIEdit connect to the Configuration well known Naming Context and expand to CN=Configuration… > CN=Sites > CN=Inter-Site Transports and right-click CN=IP. Again select Properties and change to the Security tab:


Once in the Security tab click Advanced, click Add and type Exchange Trusted Subsystem. In the Permission Entry for IP dialog that appears once you click OK select the Properties tab and then select Descendant Site Link Objects in the Apply To box:


In this dialog find the Write delivContLength permission and click Allow.

Click OK enough times to close all the dialog boxes and windows and you have now granted Exchange the permission to set the MaxMessageSize property on any (and all future) AD site links that you have or may create.

2010 exchange exchange online federation

Fix Federation Trust Issues After Exchange Server Recovery

I had a need to recover an Exchange Server following a blue screen after patching that I could not undo. I had the databases intact, and of course Active Directory was installed on a different server so I installed a new server and ran setup /m:recoverserver (after installing all the updates and hotfixes that is).

Upon completion and remounting of the databases everything worked fine apart from some errors in the event log about federation trust certificates being missing. And of course, I did not have these in my certificate backup!

In Exchange 2010 RTM federation trust certificates needed to be publically issued certs, but from SP1 and onwards they can be self created by your Exchange Server and here is where the problem lies – because the certificates are self issued I never went through the process of ensuring I had an independent backup of them. Therefore I could not remove them or change them in Exchange Server.

First I was getting the following event log error:

Federation Certificate Not Found: thumbprint_value. Unable to find the certificate in the local or neighboring sites. Confirm that the certificate is available in your topology and if necessary, reset the certificate on the Federation Trust to a valid certificate using Set-FederationTrust.  The certificate may take time to propagate to the local or neighboring sites.

Attempts to Get-FederationTrust or Set-FederationTrust failed, presumable becuase I do not have the correct certificate installed.

Remove-FederationTrust fails because it is in use by some listed organizations, so I tried various other options. In summary it was impossible to remove the federation trust nor was it possible to create a new federation certifcate and move over to it. If I had multiple Exchange Servers in this organization then the certificate would have been retrieved from another server – but this is a single server organization.

So I resorted to removing the federation trust directly from ADSI Edit with the intention of creating a new one immediately and then removing and recreating that one straight away to attempt to clean it all up correctly.

The object to remove is CN=Microsoft Federation Gateway,CN=Federation Trusts,CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain

This allowed me to create a new federation trust, though I did need to go through the domain proof steps again.

2007 2010 active directory adsiedit domain exchange hosting hybrid policy

Hosting Exchange 2010 and Issues With Duplicate Contacts

When you are creating a hosted Exchange system using the Exchange 2010 On Premises product (not the /hosting version of the product) it is likely that if two or more of your customers create a mail contact in the global address list (GAL) for the same external email recipient they will see some issues with email addressing.

For example, you are hosting Exchange for and within one Exchange organization. Both these companies have a professional relationship with and so want to create a contact for him in the GAL. The first of your clients to create the contact will be successful, but any future client receives the following error when they attempt to create the contact:

New-MailContact -Name “Greg (Fabrikam)” -ExternalEmailAddress -OrganizationalUnit FineArtSchool
The proxy address “” is already being used by “isp.corp/Hosted/Northwind/Greg (Fabrikam)”. Please choose another proxy address.
    + CategoryInfo          : NotSpecified: (…) :ADObjectId) [New-MailContact], ProxyAddressExistsException
    + FullyQualifiedErrorId : B333D21C,Microsoft.Exchange.Management.Recipient

The work around is to specify a unique proxy address, as the default proxy address (the contacts actual email address) is already being used:

New-MailContact -Name “Greg (Fabrikam)” -ExternalEmailAddress -OrganizationalUnit FineArtSchool -PrimarySmtpAddress

Of course Greg’s email address is (his external email address) and not (his proxy or primary SMTP address so far as Fine Art School have configured) and if this client sends an email to Greg and they select Greg from the GAL it will go to his external email address but will look like it has gone to his proxy address. That is, Greg will receive the email but if he looks at the address it was sent to it will say

Send an email to two people in external organizations, one being, and hit Reply All and Greg will appear as greg@proxyaddress and not Emails in reply will go to Greg via the hosting company and not direct to Greg. This also has the side affect of showing presence (from Microsoft Lync) as being unavailable as the email is using the wrong email address.

The underlying problem is that though the email is being delivered to the external address (targetAddress attribute in Active Directory) it is being stamped with the primary SMTP address (proxyAddresses in Active Directory) in the P2 header. The P2 header is used to generate the Reply address.

So how do you fix this? The obvious way at first glance is to modify active directory and change the proxyAddresses value back to the correct value – but this does not work (as two objects cannot have the same proxy address). Regardless of the fact that the two mail contacts both have the same targetAddress and proxyAddresses, Exchange Transport detects a problem and reports the error “More than one Active Directory object is configured with the recipient address Messages to this recipient will be deferred until the configuration is corrected in Active Directory” in the event log on the first Hub Transport server that sees the message.

So without writing your own transport agent, you need to route all outbound email via an Edge Transport server and configure the Address Rewriting agent. You need to create an address rewrite rule for every contact that is created within your hosted organization once the second contact is created. So in your mail contact provisioning application you need to trap the duplicate proxy address error above, reissue the mail contact creation step, this time with a unique primary SMTP address in the hosted clients domain and then at the same time make an address rewrite rule on your Edge Transport server.

New-AddressRewriteEntry -Name “Greg – Fabrikam – HosterFineArtSchool” -InternalAddress -ExternalAddress -OutboundOnly $true

Note that rewrite rules are cached for four hours, so unless you restart the MSExchangeTransport service your rewrite rules will not take effect until four hours have gone by.

2010 citrix exchange https load balancer loadbalancer Netscaler networking owa update upgrade

HTTPS Load Balancer Issues with Exchange 2010 SP2

When you install Service Pack 2 (and maybe SP1 too) on Exchange 2010 it resets the SSL flag on the root directory of the IIS website. You might have removed this setting for a number of reasons, mainly to do with having a HTTP to HTTPS redirect, but it can also be removed if you are doing SSL Offloading to a load balancer and that load balancer checks the state of the client access server by doing HTTP requests for the root home page. The Citrix Netscaler is one such load balancer that has this as a default setting.

The configuration documentation for the Citrix Netscaler (found here) does not discuss changing the load balancer to use a different directory on IIS to monitor the availability of the site, so when you install SP2 for Exchange 2010 and that update resets the root directory to require SSL, your load balancer thinks the site is offline and does not pass through any traffic!



To fix this issue in the short term, just uncheck the Require SSL option on the root of the Default Web Site on each of your Client Access Servers. Your load balancer should notice within a few seconds and service will resume, for example the Citrix Netscaler checks the root directory via the monitor properties every five seconds for a HTTP success code (and not a HTTPS success code!).

To fix this issue in the long term you should make a new virtual directory on each server covered by the load balancer and get the load balancer to look at this directory to determine if the service is up or down rather than looking at the root directory. Your virtual directory will not be reconfigured by future Exchange service packs (or indeed any other application that you are load balancing that might reset the SSL option on the root directory).

To complete these steps do the following:

1. Create a folder in the inetpub directory called “monitor” or similar (in the examples below the folder is called “netscaler_monitor”).

2. Place an index.htm file in this folder that is a very simple webpage that when browsed returns the page. If you want to make the page more complex to include code (so that issues with the code are picked up by the load balancer then this is fine). A simple page would look like the following:

<title>Netscaler Monitor for Exchange 2010title>
<p>This page returns a success code to the netscalers if IIS is running. This page must always work over HTTP and never require an SSL connection.p>

3. In IIS require SSL and then uncheck require SSL – this forces a setting into the IIS config file (applicationHost.config) that says that this folder must always be over HTTP and not require SSL. If you do not do this then this folder will take the setting from the parent folder, and as we have already seen, this will cause the monitor folder to require SSL when you apply the service pack.

This SSL change will result in the following configuration at the bottom of applicationHost.config, which can be added directly to the config file rather than in IIS Manager.

    <location path="Default Web Site/netscaler_monitor">
<access sslFlags="None" />

4. Update your load balancer so that it has a new monitor for checking the service state on the managed machine. This monitor would be something like the following for a Citrix Netscaler, each load balancer being different. This monitor checks HEAD /netscaler_monitor/ and expects to get back a 200 status code. You need to change the folder name to match, but ensure the / is before and after the folder name.


5. Change the configuration for each client access server in the load balancer so that it uses the new monitor rather than the default HTTP monitor.


6. Save your changes to the load balancer. The next time you service pack Exchange 2010 the resetting of the SSL flag on the root directory will not cause you any issues.

2010 exchange update upgrade

Shadow Redundancy Promotion Disabled After Exchange Server 2010 Service Pack 2

One of the new features added in Exchange Server 2010 Service Pack 1 was called Shadow Redundancy Promotion.

Service Pack 1 creates a setting in EdgeTransport.exe.config to control the behaviour of this setting, and it defaults to a value of “False”, so that the feature is turned off.
Enabling Shadow Redundancy Promotion is done by setting the ShadowRedundancyPromotionEnabled setting to “True” in EdgeTransport.exe.config (found in c:\program files\microsoft\exchange server\v14\bin) and restarting the MSExchangeTransport service.

When you install Service Pack 2 for Exchange Server 2010 it resets this value to false and therefore disables this setting. This is not documented (at the time of writing) in the read me for the service pack.

This does mean of course that if you have chosen to enable Shadow Redundancy within your SP1 Exchange 2010 organization, this will get turned off again when you apply the service pack. Note that other settings in EdgeTransport.exe.config are not reset on applying the service pack.
When the service pack resets the value, it does make a comment in the config file to sort of indicate what it has done. It notes the following text above the line that disables Shadow Redundancy.

<!–Exchange task Set-AppConfigValue updated value for dictionary key ShadowRedundancyPromotionEnabled from True to False at 12/5/2011 5:09:54 AM—>

It does not say it has turned your configuration off again, but that is the effect of the change that the service pack installation makes.

2010 exchange

Exchange 2010 SP2 Prerequisites

To upgrade Exchange 2010 SP1 to SP2 requires the addition of an additional Windows server role that was not listed on the RTM and SP1 requirements.

Therefore if you try an upgrade you will get errors about “IIS 6 WMI Compatibility” not being installed.

To install this feature quickly on Windows Server 2008 R2, bring up PowerShell and enter the following commands:

Import-Module ServerManager
Add-WindowsFeature Web-WMI

You can then proceed with the SP2 installation. This role feature is required for Mailbox and CAS roles and specifically for the new OWA Mini feature that Service Pack 2 introduces.

If you are running Exchange 2010 on Windows 2008 (not the R2 version) then the above PowerShell command does not work. Instead you need to install the prerequisites with the following (from an administrative command prompt):

ServerManagerCmd -install Web-WMI

But is this really the only new prerequisite? If you take a look in the exchange-typical.xml file found in the service pack download (in the scripts folder) then you will see a long list of prerequisites, and more than just Web-WMI is new since Service Pack 1. The full list of prerequisites are:

NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model, RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation, RPC-Over-HTTP-Proxy, Web-WMI

But are they all needed? Only having Web-WMI missing from an SP1 install stops the service pack from being installed, but I suppose that for your own sanity you would install all the prerequisites even if they appear not to be!

Therefore if you run Windows 2008 R2 it is best to run (from PowerShell):

Import-Module ServerManager
Add-WindowsFeature NET-Framework, RSAT-ADDS, Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Metabase, Web-Net-Ext, Web-Lgcy-Mgmt-Console, WAS-Process-Model, RSAT-Web-Server, Web-ISAPI-Ext, Web-Digest-Auth, Web-Dyn-Compression, NET-HTTP-Activation, RPC-Over-HTTP-Proxy, Web-WMI

And if you run Windows 2008 then execute as an administrator:

ServerManagerCmd -install NET-Framework RSAT-ADDS Web-Server Web-Basic-Auth Web-Windows-Auth Web-Metabase Web-Net-Ext Web-Lgcy-Mgmt-Console WAS-Process-Model RSAT-Web-Server Web-ISAPI-Ext Web-Digest-Auth Web-Dyn-Compression NET-HTTP-Activation RPC-Over-HTTP-Proxy Web-WMI

Or, skip all this and just install the service pack from the command line (administrative rights of course) with the following command to install all the required updates and prerequisites:

setup /m:upgrade /InstallWindowsComponents

Blog updated 6th Dec to cover the installation on Windows 2008 and to point out the difference for Windows 2008 R2

2010 backup domain exchange networking windows 2008 x64

Exchange Log Truncation Failure in a DAG

Today I visited a client who had noticed that no log files had ever been removed after any backup within Exchange 2010 SP1. It was fortuitous that they had enough log disk space for about eight months of log generations. The disadvantage was that we were four months into this time period, so it was a ticking clock, and that the nightly incremental backups were taking longer and longer.

They were getting the following error in their backup datacentre:


Unable to communicate with the Microsoft Exchange Information Store service to coordinate log truncation for database ‘name’ due to an RPC communication failure. Error 3355379671 Extended Error: 0 and Event ID 2136 for the MSExchangeRepl service in the Application event log.

What the error does not clearly say is that the Microsoft Exchange Replication service (MSExchangeRepl) on the server in the DR site (a passive node in the DAG) needs to communicate via RPC to the Microsoft Exchange Information Store service on the server holding the active node of the database.

In the case of my client, the Exchange team is not the same people as the network team or indeed the firewall team, and these teams are in different countries. In the case of the network for this client, the Replication network for the DAG had been opened to allow RPC traffic, but the MAPI (Client) network had not.

When Exchange in the DR site needed to check which logs it could truncate (a process it performs every 15 minutes), it needs to talk to the Microsoft Exchange Information Store service on the server holding the active copy of the database, and name resolution was returning (as expected) the IP address of the server on the MAPI/Client network. This network blocked RPC between servers and so (as one of the many issues they now attribute to this problem) logs could not be truncated and Event ID 2136 was posted once per database on the passive node in the DR site. The two servers in the primary site could RPC each other, so this log is not repeated in the primary site.

To solve this log growth problem without waiting for a response from the firewall team, we added a record to the hosts file on the passive server to override DNS name resolution, and within 15 minutes 2TB of log files instantly disappeared on all servers. Name resolution was reverted to DNS and the firewall team contacted.

2010 bpos exchange exchange online hybrid Office 365

Office 365 Hybrid Coexistence and Edge Server

One of the delights in my job is when Microsoft give me a call and ask me how something works in one of their products! Such a call came today and it involved get Office 365 hybrid coexistence working with an Edge Server.

Exchange Server Deployment Assistant does not have the answer to this issue; it always refers to a Hub Transport server within the organization. But it was an interesting challenge, as the last time I tried to get this working I got a “a local loop detected” error.

In brief, its is possible to use Edge Server as the coexistence server between your organization and your Office 365 tenant, you just need to make sure that everything you would create on the Hub Transport is either configured on the Edge Server (receive connectors and certificates) or created within the organization and replicated to the Edge Server via EdgeSync (send connectors, remote domains, accepted domains).

The reason for “a local loop detected” error was down to having the service domain for the Office 365 tenant configured as Internal Relay (as it needs to be) and not having a Send Connector on the Edge Server that pointed to the Office 365 infrastructure.

Update 26 Oct 2011

In the above I wrote that the Office 365 tenant domain as configured on-premises needs to be internal relay. This is only required if your on-premises org contains Exchange 2003. If the minimum version of Exchange installed on-premises is 2007 then the domain can be Authoritative. This is because with 2007+ you can forward emails to an authoritative domain using contact or remote-mailbox objects and a send connector for the domain.

2010 exchange transport

Shadow Redundancy and Server Outages

Exchange Server 2010 has a feature that tries to ensure that emails in transport cannot be lost. This feature is called Shadow Redundancy and lots of information on how it works can be found on the Internet.

But what happens if a mailbox server or site is unavailable? Items will queue in a single location, and now this location is a single point of failure. So whilst you have an outage (planned or otherwise), you increase the risk of loss of mail due to a second outage in transport that causes mail.que database corruption.

Let us examine the details by considering one type of outage – other types of problems can occur and generate the same potential results. If I dismount a database in an Active Directory site and then send an email to an Exchange 2010 mailbox on that site the email will queue on an Exchange 2010 Hub Transport server in that site. The queue will be visible with Get-Queue and the queue will go into Retry state. Here is a picture showing the Exchange Management Shell output for one such site:

The first cmdlet shows one email queuing for a mailbox database (the one that is offline), the DeliveryType is MapiDelivery and the NextHopDomain (the next target) is the offline database.


The second cmdlet in the above picture shows the effect of a second email being sent. The items in the queue are at 2, and both of these are on FAB-RED-HUB1. Should FAB-RED-HUB1 fail at this point and the mail.que database become corrupt due to this failure, these emails would be lost.

What you cannot see from the screenshot is the effect of Delayed Acknowledgement. Delayed Acknowledgement is the process whereby if a Hub Transport server receives an email from an SMTP server that does not support Shadow Redundancy then it will delay acknowledgement to the message long enough to ensure the message exists on two servers – that is, it has a shadow for the message. In the above example this is not possible as the inbound email is from the internet and is directly into this Active Directory site, so there is nowhere else to send the email. Delayed Acknowledgement is set to 30 seconds by default and so on the arrival of the first message the sending server has their acknowledgement delayed by the full 30 seconds. On the arrival of the second message, as the delivery queue is in retry the Delayed Acknowledgement is not implemented as DelayedAckSkippingEnabled is set to True by default (so if it would take over 30 seconds to deliver or the target queue is in retry then don’t implement a delay as it is likely to be present even after 30 seconds. The problem here is that protection of the first message was 30 seconds, and if the mailbox database (or other failure) was resolved in 30 seconds then you would have delayed the acknowledgement and so protected the message by having not told the previous hop that it was queued. The second message (and all subsequent messages) are immediately added to the outbound queue and are a single point of failure.

Service Pack 1 for Exchange 2010 adds Shadow Redundancy Promotion. This will ensure that the message lives on two transport servers within a site if the NextHopDomain is unavailable. But this is disabled by default.

To enable Shadow Redundancy Promotion, edit the EdgeTransport.exe.config file on all hub transport servers to read True for the ShadowRedundancyPromotionEnabled setting. Once the EdgeTransport.exe.config file is saved then restart the Microsoft Exchange Transport service on all servers. EdgeTransport.exe.config is found in \Program Files\Microsoft\Exchange Server\V14\bin.

This second screenshot shows the effect of enabling Shadow Redundancy Promotion on all my hub transport servers and restarting the transport service on each machine. The screenshot follows on immediately from the above example.


In the above you can now see that the queue that did contain the message to the mailbox database (FAB-RED-HUB1\216) is now empty and that their is a shadow queue containing the two messages on FAB-RED-HUB1 instead. FAB-RED-HUB2 (also in the same site) now hold the queue to the offline database. In the event of a transport server failure whilst the database is offline, there will not be a loss of email as the email can be redelivered from the other transport server.