How to remove ghost Network Interfaces in Windows 7/2008

Sometimes when you remove an old network interface, information about it and some of its data stays in the registry, even if you uninstall the drivers for that interface. It's not a critical situation, but you'll be unable to give a new interface connection the same name as the old one, you won't be able to use the same IP address, and Windows will report problems about this in some situations. If you're running network services such as TMG 2010 on your server, they can also report various problems.

Unfortunately, it's not easy to remove such a ghost NIC from the system. You won't see it in Device Manager even if you check the option to show hidden devices. But there is a way to remove such a NIC using the devcon.exe tool, an alternative to Device Manager that lets you manage Windows devices.

Wrong HomeMTA, Event ID 2937

After migrating to Exchange 2010 and deleting the last Exchange 2003 or 2007 server, you may get event warnings from MSExchange ADAccess with event ID 2937. In that case you'll see something like this:

Process w3wp.exe () (PID=5884). Object [CN=User1,OU=!Users,DC=dc,DC=test,DC=com]. Property [HomeMTA]
is set to value [dc.test.com/Configuration/Deleted Objects/Microsoft MTA
DEL:e5d442f7-b37a-4b80-84e2-4212b78db7bf], it is pointing to the Deleted Objects container in Active Directory.
This property should be fixed as soon as possible.

This occurs for users that actively use Exchange and exist in the directory. To resolve the issue, just execute:

Get-Mailbox [user] | Update-Recipient

This way the HomeMTA attribute of the user is checked and updated with the new, correct value.
Of course you can also do it for all users that encounter the issue:

Get-QADUser -IncludeAllProperties | where {$_.homemta -match "del"} | Get-mailbox | Update-Recipient

 

Resetting OOF state in Exchange 2010

Do you want to reset the Out Of Office state for your users, so that the OOF message is not sent only once to each sender while the OOF is active? Here is a small script that I've created for this. You can add this script to the Task Scheduler and run it each night. That way the OOF message will be sent to each sender every day.

foreach ($obj in (Get-Mailbox  | Get-MailboxAutoReplyConfiguration |`
where {($_.autoreplystate -eq "enabled")`
-or ($_.autoreplystate -eq "scheduled" -and $_.starttime -le ([DateTime]::Now) -and $_.endtime -ge ([DateTime]::Now))}))
{      if ($obj.autoreplystate -match "Enabled")`
           {Set-MailboxAutoReplyConfiguration $obj.identity -AutoReplyState "disabled"
           ;Set-MailboxAutoReplyConfiguration $obj.identity -AutoReplyState "enabled"}
       elseif ($obj.autoreplystate -match "Scheduled")`
           {Set-MailboxAutoReplyConfiguration $obj.identity -AutoReplyState "disabled";
           Set-MailboxAutoReplyConfiguration $obj.identity -AutoReplyState "scheduled";}
}

 

Cisco CLI Role Based Administration + Radius (Part I)

Hi, this time I'll try to give you a comprehensive guide on how to configure Cisco CLI Role Based Administration together with Windows Radius Authentication using Windows 2008 NPS. This part only covers configuring Radius Authentication, without separating different administration roles. In the next article I will show you how you can give some users only restricted access to a Cisco device, for example allowing them to execute only show commands.

Send as Distribution Group

It's not difficult to give a user the right to send as another user. You can achieve that using the Exchange Management Console and the task "Manage Send As permission". This easy task gets more complicated if the user wants to send an e-mail as a distribution group instead of sending as another user. Unfortunately, the permission to send as a DG cannot be added with the Exchange GUI tools. You can, though, accomplish that task using PowerShell. Note that the -GrantSendOnBehalfTo parameter used here grants Send on Behalf permission, so recipients see the message as sent by the user on behalf of the group. Here is how to do it:

Set-DistributionGroup test_dg -GrantSendOnBehalfTo "new_user"

And if some users are already able to send as the group, you can add new ones using the following PS script:

$dl = Get-DistributionGroup (Read-Host "DL Name")
$dl.grantsendonbehalfto += read-host "new email"
Set-DistributionGroup $dl -GrantSendOnBehalfTo $dl.grantsendonbehalfto

 

 

Looking for Mailboxes not being used

Have you had a request to find all mailboxes that have not been used for an extended period of time, for example 180 days? You could look for users that haven't logged in to AD using dsquery or maybe adfind. But what if you have mailboxes that are assigned to multiple users and the mailbox owner never logs in? In Exchange 2010 there is an easier way to find such mailboxes. Just use PowerShell:

get-mailbox -IgnoreDefaultScope | Get-MailboxStatistics |` 
where {$_.lastlogontime -le ((Get-Date).Adddays(-180))} |` 
ft displayname,lastlogontime,totalitemsize -AutoSize

The example above finds all mailboxes that have not been used for at least 180 days, regardless of which user logged in to them.

Exporting Exchange 2010 Mailbox to PST

Below is a simple script showing how to export a user mailbox to a .pst file and then send an e-mail to a specified user reporting whether the export was successful or not.

#Create export task and save the pst file to a network share (FilePath must name the .pst file)
New-MailboxExportRequest -Mailbox "User1" -BadItemLimit 20 -FilePath "\\mailboxserver\pstexport$\User1.pst"

#Poll every 5 seconds until the request has reached 100% or has failed,
#so that a failed export does not keep the loop running forever
do {Start-Sleep -Seconds 5; $exstat = Get-MailboxExportRequest | Get-MailboxExportRequestStatistics | `
where {$_.sourceAlias -eq 'User1'}}
until ($exstat.percentcomplete -eq 100 -or $exstat.status -eq 'Failed')

#Send a mail to an Administrator with the result of the export.
Send-MailMessage -To Admin@company.com `
-From pstexport@company.com `
-Subject "PstExport for User1 finished with status $($exstat.status)" `
-Body "Hello, <BR> The Export for user User1 ended with status $($exstat.status); the target is \\mailboxserver\pstexport$ <BR> Cheers, <BR> Powershell Script" `
-SmtpServer mx.company.com `
-BodyAsHtml

Configuring Exchange 2010 Services for using wildcard certificates

I have noticed that many people have problems configuring Exchange with wildcard certificates. The reason for this is probably that it's not possible to configure all services the same way; each needs a special configuration that the administrator has to think of. I'll try to give you a comprehensive guide on how to configure the whole of Exchange with wildcard certificates.

Let's start with SMTP and IIS. To see which certificates are activated for which services, you can use the PowerShell cmdlet Get-ExchangeCertificate. You should run this command on the Exchange server itself; running it from a remote PowerShell session will not show you the services activated for a particular certificate.

[PS] C:\Users\administrator.IN\Desktop>Get-ExchangeCertificate
 
Thumbprint                                Services   Subject
----------                                --------   -------
BC413FCE3830A0D4CDF793BDD4E9F5AC1348E93A  ......     CN=Ex2010.contoso.com
95C280E27ADF33C6A0D726C622DCDCCCA4A10272  ...WS.     CN=*.contoso.com, OU=Home, O=Home, L=MUC, S=BY, C=DE

Above you see the result of such a command. Two certificates are installed on the server, one of which is activated for IIS (W) and for the SMTP service (S). The certificate enabled for these services is a wildcard certificate. You enable a certificate with the command enable-exchangecertificate -services -thumbprint, where you use the thumbprint of the certificate installed on the Exchange server.

Normally you would also use this command to enable the certificate for other services like POP3 and IMAP4, but this is not possible with wildcard certificates. In that case you have to use set-imapsettings -X509CertificateName and set-popsettings -X509CertificateName respectively to enable a wildcard certificate on the Exchange server.

[PS] C:\Users\administrator.IN\Desktop>Get-PopSettings
UnencryptedOrTLSBindings  SSLBindings                       LoginType                         X509CertificateName
------------------------  -----------                       ---------                         -------------------
{:::110, 0.0.0.0:110}     {:::995, 0.0.0.0:995}             SecureLogin                       mail.contoso.com

Above you can see my POP settings and the enabled certificate. When setting this, you shouldn't use *.contoso.com as the certificate name; instead you need to put the actual FQDN that your users will use to connect to Exchange.

For a federation trust you also shouldn't use the enable-exchangecertificate cmdlet with a wildcard certificate. For that you can use the new-federationtrust or set-federationtrust cmdlets.

Now that we have set the Exchange certificate, we need to make some adjustments to be able to connect to Exchange successfully with our clients. Of course I assume the certificate is a 3rd party one and is fully trusted by the clients, so we don't need to add the certification authority certificate to Trusted Root Certification Authorities on each and every client device. So how can we connect with Outlook Anywhere using our new certificate? Firstly we need to enable Outlook Anywhere on our Exchange server; secondly we need to tell Exchange to use our wildcard certificate for Outlook Anywhere connections. We can do that with the PowerShell command

Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com

We should also configure the Outlook client with the same settings. Although Outlook 2010 using Autodiscover should automatically set the correct settings in the user profile, it is a good idea to check that everything is correct.

This way we have configured Exchange to support a wildcard certificate. Now we can connect to OWA, POP3, IMAP4 or even Outlook Anywhere using secure connections.
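
The steps of this post collected into one sequence, as an added example that is not part of the original post. The thumbprint and host names are the sample values shown above; the expiry check, the service restart and the verification commands at the end are additions.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server itself.
# Thumbprint and names are the sample values from the output above; replace them with your own.
$thumb    = '95C280E27ADF33C6A0D726C622DCDCCCA4A10272'  # wildcard certificate CN=*.contoso.com
$fqdn     = 'mail.contoso.com'                          # name clients use for POP3/IMAP4
$wildcard = '*.contoso.com'

# Stop early if the certificate is missing or already expired
$cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction Stop
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $thumb expired on $($cert.NotAfter)"
}

# IIS and SMTP accept the wildcard certificate through Enable-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP

# POP3 and IMAP4 are bound by FQDN, not by the wildcard name
Set-PopSettings  -X509CertificateName $fqdn
Set-ImapSettings -X509CertificateName $fqdn

# Both services read the certificate name at start-up
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# Outlook Anywhere: principal name the clients expect in the certificate
Set-OutlookProvider EXPR -CertPrincipalName "msstd:$wildcard"

# Verify every setting that was touched
Get-ExchangeCertificate | ft Thumbprint, Services, NotAfter, Subject -AutoSize
Get-PopSettings  | ft X509CertificateName, LoginType -AutoSize
Get-ImapSettings | ft X509CertificateName, LoginType -AutoSize
Get-OutlookProvider EXPR | fl Name, CertPrincipalName
```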

Exchange 2010 Tracking Log for last 30 minutes

Here is a script I made to get the tracking log from an Exchange hub transport server for the last 30 minutes.

get-messagetrackinglog -EventID "RECEIVE" -Server hub2 -Start (((get-date -UFormat "%m-%d-%Y")`
+ " " + ((Get-Date).Addminutes(-30)).ToLongTimeString())) | ft Sender, recipients, MessageSubject, Timestamp

I'm using -UFormat for the date as it's most comfortable for me, but you can change it to the .NET Framework time format. You can also adjust how far back the logs will be searched: just change the parameter .Addminutes to something else.

Automatic Archive function in Cisco devices

Cisco devices include a useful function for automatically saving the current configuration to an archive. This can be a great way to get started with configuration backups.

To use it you need to add something like the following statements:

configure terminal
archive
path tftp://10.0.0.1/$h-config
write-memory

In configuration mode you need to enter the archive sub-mode; then you can add a path to your archive, which can be a TFTP or FTP server or even the flash file system on your switch or router. You can use variables like $h for the hostname or $t for a time stamp. You can also schedule the times at which the configuration will be automatically copied to the archive path. In the example above I decided to use the statement 'write-memory', which means that every time the configuration is saved it will also be copied to the archive automatically. You can keep many versions in the archive, and with 'show archive' you can see all of them and even decide which version you'd like to restore. Great feature, isn't it?