Exchange 2013: Correcting mailbox delegation - Full Access

Similar Messages

• Exchange 2013 Health Mailbox filling up security logs

  I'm doing security audits and having the Exchange 2013 Health Mailbox fill up my security logs.  I've read that if I delete the mailboxes and re-create them and restart the service the errors will go away.  My question is how do I delete them?
   I found the full mailbox name with this command.  
  get-mailbox -monitoring | select-object -expandproperty name
  Do I use this method?
  Remove-Mailbox -Identity contoso\johnor this one?Remove-Mailbox -Identity contoso\john -Permanent $trueOr something else?
  Thanks!
  Fernando

  I did help on the setup in Exchange server folder.  Looks like prepares Active Directory forest for Exchange Install.  /PrepareAD, /p  So this is what I'm supposed to run?
  C:\Program Files\Microsoft\Exchange Server\V15\Bin>setup /?
  Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
  For detailed help, type one of the following options:
    Setup /help:Install         - Install Exchange server roles.
    Setup /help:Upgrade         - Upgrade an existing Exchange server.
    Setup /help:Uninstall       - Uninstall Exchange server roles.
    Setup /help:RecoverServer   - Recover an existing Exchange server.
    Setup /help:PrepareTopology - Prepare your topology for Exchange.
    Setup /help:Delegation      - Delegate server installations.
    Setup /help:UmLanguagePacks - Add or remove Unified Messaging
                                  language packs.
  C:\Program Files\Microsoft\Exchange Server\V15\Bin>Setup /help:PrepareTopology
  Welcome to Microsoft Exchange Server 2013 Cumulative Update 3 Unattended Setup
  Microsoft Exchange Server 2013 Setup Parameter Help
  Prepare Topology Usage:
      Setup /PrepareAD [<OptionalParameters>]
        /IAcceptExchangeServerLicenseTerms
      Setup /PrepareSchema [<OptionalParameters>]
        /IAcceptExchangeServerLicenseTerms
      Setup /PrepareDomain [<OptionalParameters>]
        /IAcceptExchangeServerLicenseTerms
      Setup /PrepareDomain:<domainA, domainB> [<OptionalParameters>]
        /IAcceptExchangeServerLicenseTerms
      Setup /PrepareAllDomains [<OptionalParameters>]
        /IAcceptExchangeServerLicenseTerms
  --Prepare Topology Required Parameters--
  /PrepareAD, /p
      Prepares the Active Directory forest for the Exchange
      installation.
  Fernando

• Exchange 2010 mailbox not able to access auto-mapped Exchange 2013 CU3 mailbox

  Hi,
  We are in co-existence with Exchange 2010 SP3 and Exchange 2013 CU3.
  Outlook Anywhere and Autodiscover pointed towards Exchange 2013 CAS servers.  Everything works fine irrespective where is mailbox is located Exchange 2010 or 2013.
  When I tried to access auto-mapped mailbox from Exchange 2010 as primary mailbox accessing auto-mapped Exchange 2013 mailbox "Cannot expand the folder. The set of folders cannot be opened. Microsoft Exchange is not available. Either there are network
  problems or the Exchange server is down for maintenance".
  Exchange 2013 OutlookAnywhere "Externalclientauthenticationmethod" is Basic and "Internalclientauthencitcationmethod" is NTLM.  Everything is setup as per the Tech-net recommendations.
  Checked both these articles but still it is not working:
  http://support.microsoft.com/kb/2839517
  http://support.microsoft.com/kb/2834139
  Please let me know if there are any other ideas.
  Raman

  Hi,
  I recommend you refer to the following articles to troubleshoot the issue:
  Troubleshooting Mailbox Auto-Mapping : Autodiscover
  Details about the shared mailbox that is to be accessed will be returned to the Outlook client by the autodiscover process. This is really handy to know if you are ever in the position where you need to troubleshoot why the auto-mapping feature isn’t working
  correctly
  Troubleshooting Mailbox Auto-Mapping : Permissions
  When you use either the Exchange Management Console or the Exchange Management Shell to grant a user with full access permission against another mailbox, permissions changes are made to allow this as you might expect. Certain Active Directory attributes
  are also updated to reflect both the Active Directory account of the mailbox being accessed as well as the Active Directory account of the accessing mailbox. Specifically, you can check the contents of the msExchDelegateListLink and msExchDelegateListBL Active
  Directory attributes to see these details and it is worth checking these if you have any suspicions that things aren’t working correctly.
  Hope this helps!
  Thanks.
  Niko Cheng
  TechNet Community Support

• Exchange 2013 - Shared Mailbox Permissions

  Here is what I am trying to do. I would like to create a shared mailbox in exchange 2013 for time off requests for my employees. I will have the mailbox to be something like
  [email protected] If an employee is sick or requesting time off, they can email this shared mailbox or send a meeting request.
  I would then like the ability for ALL employees to be able to have read access to the mailbox and Calendar associated with it, and I would like to have managers have Full access to it and to be able to approve calendar requests so that they are entered into
  the calendar.
  Is this possible? How can I set read only to the inbox and calendar for a shared mailbox? I would also like to be able to have the shared mailboxes automatically added to all user's Outlook.
  Thanks!

  Simply grant Full Access to the managers.  Then for everyone else you can grant read only access to just the Calendar.
  Here is an example on how to do this -
  http://exchangeshare.wordpress.com/2009/07/07/how-to-setup-read-only-mailbox-in-exchange-20032007/.
  Let me know if that works.
  JAUCG - Please remeber to mark replies as helpful if they were or as answered if I provided a solution.

• Exchange 2010 Unable to Assign Full Access Permissions using a Security Group

  I've been running into this issue lately.  I cannot seem to use groups to allow full access to mailboxes.  When I add them from the EMC, it will show up when you go to "Manage Full Access Permission...".  After waiting a day and even restarting
  the Information Store service, the permissions do not take effect.  When I view the msExchDelegateListLink attribute of the mailbox account, the group is not listed.
  When I grant a user full permission, it works and updates the attribute.  However, on occasion when I revoke the full access permission for a user is doesn't always remove that user from the msExchDelegateListLink attribute.  So the mailbox
  will still appear in Outlook, but the user isn't able to see new emails.
  Any ideas on what may be going wrong?
  Environment:
  Exchange Server 2010 SP1 Standard
  Windows Server 2008 R2 Standard
  Outlook 2010 SP1 (tried without SP1 as well)
  I was looking over Add-MailboxPermission on Technet (http://technet.microsoft.com/en-us/library/bb124097.aspx) and I noticed that it doesn't mention adding groups.  Is this not possible?

  I never got a proper fix.
  I worked around it by creating a script which gets the members of an AD Mail Enabled security group, and updates the full access based on the groups members.
  Here's a script I'm running every hour which updates permissions. It's probably not the most efficient script ever, but it works. It has several benefits
  1. Managers of the distribution group can add/remove mailbox members using OWA or through the address list
  2. New members of groups are added to FULL Access Permissions
  3. Members removed from the groups are removed from FULL access permissions
  4. Automapping works :)
  5. Maintains a log of access added / removed / time taken etc.
  Obviously I have had to remove domain related information, replace with whatever your domain requirements are, and PLEASE debug it properly in your environent first, don't complain to me if it wipes out a load of access for you or something like that!
  It takes about 5 minutes to run in my environement. Some formatting seems to have got messed up on here, sorry. I hope it is of use!
  # Mailbox Permissions Setter for Exchange #
  # v1.1 #
  # This script will loop through all mailboxes in Exchange and find any where #
  # the type is 'SHARED'. These should be determined to be a GROUP/SHARED mailbox #
  # and access to these mailboxes are controlled by a single ACL, e.g. 'ACL_Shared_Mailbox'. #
  # This script will add any members of these ACLs directly to the Full Access Permissions #
  # of the mailbox and also remove them if they no longer need the access. #
  # Script created by Jon Read, Technical Administration
  # Recent Changes
  # 15/11/2012
  # 1.1 Added exclusions for ACLs that we don't want automapping to happen for
  # 12/11/2012
  # 1.0 Initial script
  #Do not change these values
  Add-PSSnapin *Ex*
  $starttime = Get-Date
  $logfile = "C:\accesslog.txt"
  $logfile2 = "C:\accesslog2.txt"
  $totaladditionstomailboxes = 0
  $totalremovalsfrommailboxes = 0
  $totalmailboxesprocessed = 0
  $totalmailboxesskipped = 0
  # Exclude any ACLs that shouldn't be processed here if they are used for a non-standard purpose and
  # we don't want FULL access mapping to happen. Seperate array values with commas
  $ExcludedACLArray = "DOMAIN\ACL_ExcludedExample"
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output "# Mailbox Permissions Setter for Exchange #" >> $logfile
  Write-Output "# v1.1 #" >> $logfile
  Write-Output "#----------------------------------------------------------------#" >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-output "Start time $starttime ">> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  # Set preferred DCs and GCs
  $preferredDC = "preferredDC.domain"
  $preferredGC = "preferredGC.domain"
  Write-Output " PreferredDC = $preferredDC ">> $logfile
  Write-Output " PreferredGC = $preferredGC " >> $logfile
  Set-ADServerSettings -PreferredGlobalCatalog $preferredGC -SetPreferredDomainControllers $preferredDC
  # The first part of this will ADD permissions to the mailbox, reading from an associated ACL.
  # Check for all mailboxes where the type is SHARED. These are the only ones we would
  # want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  $totalmailboxesprocessed = $totalmailboxesprocessed + 1
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX ADDITIONS: $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  # For each of them, get the distribution list applied to the mailbox (Starting DOMAIN\ACL_)
  # We then need it to be turned into a string to use later.
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $skipACL = 0
  #Get the distribution group and put the name in a useable format
  $distributiongroup=$distributiongroup.user.tostring()
  Write-Output "Found ACL $distributiongroup" >> $logfile
  # Check if this distribution group needs to be excluded and if it shouldn't be processed
  # then move onto the next ACL. This will stop FULL access being granted if the mailbox is
  # used for a non-standard purpose. See the start of this script
  # for where these are excluded (ExcludedACLArray)
  foreach ($ACL in $ExcludedACLArray )
  if ($distributiongroup -eq $ACL)
  $skipACL = 1
  Write-Output "ACL $distributiongroup is excluded so skipping mailbox " >> $logfile
  $totalmailboxesskipped = $totalmailboxesskipped + 1
  if ($skipACL -eq 0)
  # Get each user in this group and for each of them, add try to add them to full access permissions.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $user="DOMAIN\" + $user.alias.ToString()
  # Check to see if the user we have chosen from the ACL group already exists in the full access
  # permissions. If they do, set $userexists to 1, if they do not, leave $userexists set to 0.
  # Set $userexists to 0 as the default
  $userexists = 0
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission)
  # See if the user exists in the mailbox access list.
  # Change $fullaccessuser to a useable string (matching $user)
  $fullaccessuser=$fullaccessuser.user.tostring()
  if ($fullaccessuser -eq $user)
  $userexists=1
  # Break out of foreach if the user exists so we don't unnecessarily loop
  break
  # Now we know if the user needs to be added or not, so run code (if needed) to add
  # the user to full access permissions
  if ($userexists -eq 0)
  Add-MailboxPermission $mailbox –user $user –accessrights "FullAccess"
  Write-Output "Added $user " >> $logfile
  $changes = 1
  $totaladditionstomailboxes = $totaladditionstomailboxes + 1
  #Now repeat for other users in the ACL
  #if changes were 0, then log that no changes were made
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " FINISHED ADDING PERMISSIONS" >> $logfile
  Write-Output "---------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile
  # The second part of this will REMOVE permissions from the mailbox, reading from an associated ACL.
  ## Check for all mailboxes where the type is SHARED. These are the only ones we would
  ## want to apply group mailbox permissions to.
  foreach ($mailbox in get-mailbox -resultsize "unlimited" | where-object {$_.RecipientTypeDetails -eq "SharedMailbox"})
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  Write-Output "| MAILBOX REMOVALS : $mailbox " >> $logfile
  Write-Output "|-------------------------------------------------------" >> $logfile
  $mailbox=$mailbox.ExchangeGuid.ToString()
  #Declared $changes as 0. if this is set to 0 at the end of the mailbox job, we know no changes were made.
  $changes = 0
  # For the current mailbox, get a list of all users with FULLACCESS, and then for each of them
  # check if they exist in the ACL
  foreach ($fullaccessuser in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.Accessrights -like "FullAccess" })
  # Get the security identifier (SSID) of the FULLACCESS user to store for later.
  $fullaccessuserSSID=$fullaccessuser.user.SecurityIdentifier.ToString()
  $fullaccessuser=$fullaccessuser.User.ToString()
  #If user needs to be excluded then skip this bit
  #Users added or removed will only start with 07 (07$, 07T, so only run if the user starts with this.
  #This stops it trying to remove NT AUTHORITY\SELF and other System entries
  if ($fullaccessuser -like "DOMAIN\07*")
  # Set $userexists to be 0. if we find the use user needs to remain, then change it to 1.
  $userexists=0
  # Check if this user exists in the ACL, if not, remove.
  foreach ($distributiongroup in get-mailbox $mailbox | Get-MailboxPermission | Where-Object {$_.User -like "DOMAIN\ACL_*" })
  $distributiongroup=$distributiongroup.user.tostring()
  #Write-Output "Found associated distribution group $distributiongroup" >> $logfile
  # Get each user in this group and for each of them, See if it matches the user in the mailbox.
  foreach ($user in Get-DistributionGroupMember -identity $distributiongroup)
  # Get the user to try, convert to DOMAIN\USER to use shortly
  $userguid = $user.Guid.ToString()
  $user="DOMAIN\" + $user.alias.ToString()
  if ($fullaccessuser -eq $user)
  $userexists=1
  #we have found the user exists so no need to continue
  break
  # If userexists = 0, then they are NOT in the ACL, and should be removed from
  # the full access permissions. Run the code to remove them from full access.
  #CONVERT FULLACCESSUSER TO GUID AND REMOVE $FULLACCESSUSERGUID NOT $USERGUID
  if ($userexists -eq 0)
  Remove-MailboxPermission -Identity $mailbox –user $fullaccessuserSSID –accessrights "FullAccess" -Confirm:$false
  Write-Output "Removed $fullaccessuser " >> $logfile
  $changes = 1
  $totalremovalsfrommailboxes = $totalremovalsfrommailboxes + 1
  # if changes = 0, no changes were made to this mailbox, so log this fact.
  if ($changes -eq 0)
  Write-Output "No changes were made." >> $logfile
  #Put the time in a displayable format
  $endtime = Get-Date
  $runtime = $endtime - $starttime
  $runtime = $runtime.ToString()
  $runtime1 = $runtime.split(".")
  $totaltime = $runtime1[0]
  Write-Output " " >> $logfile
  Write-Output " " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| SCRIPT COMPLETE : STATS " >> $logfile
  Write-Output "|-------------------------------------------------------------------------------------- " >> $logfile
  Write-Output "| Total Mailboxes Processed : $totalmailboxesprocessed " >> $logfile
  Write-Output "| Total Additions : $totaladditionstomailboxes " >> $logfile
  Write-Output "| Total Removals : $totalremovalsfrommailboxes " >> $logfile
  Write-Output "| Total Mailboxes Skipped due to ACL : $totalmailboxesskipped " >> $logfile
  Write-output "| Start time : $starttime ">> $logfile
  Write-output "| End time : $endtime ">> $logfile
  Write-Output "| **END OF RUN** - Elapsed time : $totaltime " >> $logfile
  Write-Output "|---------------------------------------------------------------------------------------" >> $logfile
  Write-Output " " >> $logfile

• Outlook 2013 / Exchange 2013 : Shared mailboxes - Mail stuck in outbox (non-cached), Mail sends but doesn't get received (cached).

  Hello,
  We are currently experiencing some weird behaviour in Outlook 2013 since we added Shared Mailboxes.
  When we run Outlook 2013 with cached mode
  enabled:
  - I create a new e-mail and send it.
  - The e-mail goes to the outbox, and get's 'send'.
  - None of the recipients receives the e-mail.
  When we run Outlook 2013 with cached mode
  disabled:
  - I create a new e-mail and send it.
  - The e-mail goes to the outbox, but remains there.
  Now to make things even more bizarre:
  When I switch from 'cached'-mode to 'non cached'-mode, I see all the e-mail that were 'send' in cached-mode stuck in the outbox.
  Note: The DNS server configuration in Exchange is correct.

  Hi,
  How about sending on OWA? Does the issue exist?
  To troubleshoot the issue, let's run Outlook in Safe Mode to determine if 3rd-party add-ins are related:
  Press Win + R and type “outlook.exe /safe” in the blank box, then press Enter.
  If there’s no problem sending emails in Safe Mode, disable the suspicious add-ins to verify which add-ins caused this issue.
  Please also disable the firewall and anti-virus program to send the emails again, in many scenarios the protection may cause the issue.
  Please also keep Exchange and Outlook patched to the latest.
  Regards,
  Melon Chen
  TechNet Community Support

• Exchange 2013 Sp1 some users cant access owa

  After I install new exchange 2013 with sp1 on windows 2012 R2 server one for mail boxes and the second Client Access, i move all mail boxes to it, then i uninstall  the old server (exchange 213 with cu3).
  All may exchange server’s virtual machines on hyper-v 2012R2
  I install certificate and configure virtual directories
  I notice some users can’t open there mail boxes from OWA they get a blank page after the enter username and password (from internal and external) (the same users can open outlook anywhere) at the same times many users can access owa.
  After many restarts they can access OWA.
  After some days some other users can’t access owa.
  I remove ECP and OWA virtual directories, Then Recreate and configure it.
  But the same problem some users cant access owa 
  I install a new client access server, configure it
  But the same problem

  HI 
  YOu can check below things to resolve the problem
  Disable SSL from Default Web Site if you have enabled them
  Check if you have set any redirection in the Default Website if so remove redirection and see the results
  Ensure that you have a valid certificate for owa VD
  check correctly the authentication type - windows authentication is enabled or if you have form based authentication enabled
  Below is an example for enabling WA
  set-Owavirtualdirectory -identity "servername\owa (Exchange Back End)" -WindowsAuthentication $True -Basicauthentication $false -Formsauthentication $false
  Set-EcpVirtualDirectory -Identity "servername\ecp (Exchange Back End)" -WindowsAuthentication $true -FormsAuthentication $false 
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you

• Exchange 2013 Health mailbox and Journaling

  Hi All,
  We have recently build green field Exchange 2013 environment with standard journaling. Now we are seen that as per journal capture process it captures health mailboxes emails as well.
  As we all know we will use options ignore/disable health mailboxes emails
  Method 1 : Dynamic DL
  Method 2 : Use global override  
  http://support.microsoft.com/kb/2823959/en-us
  My questions
  if go for Method 2
  1. What will be the challenge will face in environment
  2. Is Microsoft recommendation is go with Method 2 ( I am still looking for clarification even though I mentioned in MS KB)  
  Thanks
  Vishal Saxena

  Hi Vishal,
  1. As it says in KB some server monitoring applications may not correctly monitor transport server components if you have any. Basically you will lose the ability to detect any condition when server stop accepting mails automatically.
  2. You can definitely go with method 2 considering you have another way to monitor transport components and this failure detection.
  Blog |
  Get Your Exchange Powershell Tip of the Day from here

• Exchange 2013 Monitoring Mailboxes

  I'm running exchange 2013 and it seems to have problems with health mailboxes (monitoring mailboxes). I have 5 mailbox databases on this server, DB1, DB2, DB3, DB4 and DB5.
  I know there are 2 health mailboxes per mailbox database.
  The command `Get-Mailbox -monitoring | Get-MailBoxStatistics` shows that several of these have not been accessed since December, even though they are in mounted Databases and powershell shows they are healthy.
  There is also 2 health mailboxes that are missing from the below output because I got warninings saying these mailboxes have not been logged into yet.
  [PS] C:\windows\system32> Get-Mailbox -monitoring | Get-MailBoxStatistics
  DisplayName   : HealthMailbox98fb2dc7692341ad8a3325ea2b14bbcc
  ItemCount     : 17426
  LastLogonTime : 12/8/2012 3:28:04 PM
  Database      :  DB1
  DisplayName   : HealthMailboxe27d88df28ae4d53af620604a83aca4d
  ItemCount     : 12386
  LastLogonTime : 2/4/2013 3:29:46 PM
  Database      : DB1
  DisplayName   : HealthMailbox815f0ff077a342f7889a53ef38e40256
  ItemCount     : 291
  LastLogonTime : 12/8/2012 3:26:43 PM
  Database      : DB3
  DisplayName   : HealthMailboxbca2f3409f1d4ae99098f48b574fc36d
  ItemCount     : 579
  LastLogonTime : 12/8/2012 3:26:05 PM
  Database      : DB2
  DisplayName   : HealthMailbox2412e1a0e5d9415b8328f653b2e42efe
  ItemCount     : 209
  LastLogonTime : 2/3/2013 6:08:41 PM
  Database      : DB3
  DisplayName   : HealthMailbox594b739a129941e688eafee6bbdfece6
  ItemCount     : 209
  LastLogonTime : 2/3/2013 6:09:52 PM
  Database      : DB2
  DisplayName   : HealthMailboxc401cae2a70d4d659f5758908582406e
  ItemCount     : 210
  LastLogonTime : 2/4/2013 3:28:59 PM
  Database      : DB4
  DisplayName   : HealthMailbox4b81211d555c4accad1f61a98700382e
  ItemCount     : 212
  LastLogonTime : 2/3/2013 6:09:46 PM
  Database      : DB5
  Warning: The user hasn't logged onto mailbox `<AD Domain>/users/HealthMailbox2c62876ca1bb45849c0daf2ecee6d715`, so there is no data to return. After the user logs on, this warning will no longer appear.
  Warning: The user hasn't logged onto mailbox `<AD Domain>/users/HealthMailbox4399c592609a464d95c993ecee46f671`, so there is no data to return. After the user logs on, this warning will no longer appear.
  I am also getting a lot of queued messages in the inboundproxy.com queue that have the subject line "Undelieverable: Inbound Proxy Probe". I dont know how to get these to stop. I just have to clean out the queue once a day to prevent it from getting
  to large.
  The last thing I notice is that I get a lot of audit errors in the event log when the system is trying to login to these mailboxes. That might be what is causing the issue. Here is one of the messages:
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  <computer name here>$
  Account Domain:
  <AD DOMAIN>
  Logon ID:
  0x3E7
  Logon Type: 8
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  HealthMailboxbca2f3409f1d4ae99098f48b574fc36d@<domain.tld>
  Account Domain:
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC0000064
  Process Information:
  Caller Process ID:
  0x1265c
  Caller Process Name:
  C:\Windows\System32\inetsrv\w3wp.exe
  Network Information:
  Workstation Name:
  <computer name here>
  Source Network Address:
  ::1
  Source Port:
  34602
  Detailed Authentication Information:
  Logon Process:
  Advapi  
  Authentication Package:
  Negotiate
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  As you can see, the system can not login to to this health mailbox account. The one in my example one of the mailboxes that has not been logged into since december.
  Is there anywhere to troubleshoot these? or possibly rebuild them? The is a huge lack of documentation on these mailboxes from microsoft, I  can not find any commands to interact with these other then 'get-mailbox -monitoring'

  Because I KNOW it can lead to problems and do NOT know whether it can ever help me or not.
  Here is one example of why I don't want it enabled:
  http://social.technet.microsoft.com/Forums/exchange/en-US/7ed96489-92dd-441a-93e0-3d805b807dc3/maildeliveryprobemaildeliveryprobecom-and-inboundproxyinboundproxycom-in-the-logs
  In my opinion there's one more strangeness about Managed Availability in Exchange 2013:
  http://blogs.technet.com/b/exchange/archive/2012/09/21/lessons-from-the-datacenter-managed-availability.aspx
  "When something is unhealthy its first action is to attempt to recover that component. Managed Availability provides multi-stage recovery actions – the first attempt might be to restart the application pool, the second attempt might
  be to restart service, the third attempt might be to restart the server, and
  the final attempt may be to offline the server so that it no longer accepts traffic.
  If these attempts fail, managed availability
  then escalates the issue to a human through event log notification."
  ...am I getting it right that Managed Availability is not going to alert an administrator BEFORE restarting/taking the server offline...just AFTER and in case it was unable to fix the issue??????!!!!!

• Exchange 2013 shell mailbox move requests showing up on 2010 hub server

  We're in the process of migrating from exchange 2010 to 2013. All servers are patched and up to date. We have two 2010 CASs (one for external OWA use only) and a mailbox cluster. Our exchange 2013 setup is almost a mirror with the exceptions of how the exchange
  server roles have changed.
  Any new-moverequest commands entered from the either of our exchange 2013 CAS servers fail to show up in the EAC/recipients/migration page.
  If the local move request is done in the EAC the batch(es) show up just fine.
  The more perplexing part is: while I was going through a 2010 hub (looking for a different issue) I noticed ALL the batches/mailbox moves that weren't showing up in the 2013 EAC were listed in the 2010 move request section.
  I can't get any info on the moves in the 2010 console (because they're 2013 jobs) but i can get statistics and such from a 2013 shell.
  any ideas?

  Are you running ex2013SP1 CU6? Can you try to update n check?
  Thanks, MAS
  Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Exchange 2013 SP1 mailbox role on 2012 R2 and 2012

  Hi,
  We have a client who were running the following setup:
  2 x Exchange 2013 CU2 CAS servers / Win Srv 2012
  2 x Exchange 2013 CU2 MBX servers / Win Srv 2012
  Active Directory etc, basically everything else, runs on Win Server 2012.
  Due to upgrading etc, one of the mailbox servers has been removed. It is to be installed with Ex2013 SP1 with 2012 R2 from scratch, and eventually also upgrade the remaining CAS and MBX srvers with SP1 and 2012 R2.
  So my question is..will this present a problem? Is it possible to have one MBX running 2013 CU2 on Server 2012 and one MBX running 2013 SP1 on Server 2012 R2?
  I've read that failover clustering service is not possible between 2012 and 2012 R2, but i'm not sure how this effects Exchange.
  Thanks for your time.

  Hi,
  Each member of the DAG should be running the same operating system. It is not supported to run a DAG member on Windows Server 2012 R2 and run another member on  Windows Server 2012.
  What's more, upgrading the OS is not supported on Exchange server.
  Here are some helpful threads for your reference.
  Planning for High Availability and Site Resilience
  http://technet.microsoft.com/en-us/library/dd638104(v=exchg.150).aspx
  Exchange 2013 CU2 and Upgrading from Server 2012 to Server 2012 R2 issues
  http://social.technet.microsoft.com/Forums/exchange/en-US/afba40de-efb6-4916-ae42-b09cff35e5d7/exchange-2013-cu2-and-upgrading-from-server-2012-to-server-2012-r2-issues
  Hope it helps.
  Best regards,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Amy Wang
  TechNet Community Support

• Outlook 2007 - single profile connecting to Exchange 2013 / 2007 mailboxes

  Hi,
  I am in the early part of a migration from Exchange 2007 to Exchange 2013. So far I have 2013 installed and running in a DAG and just moved my own mailbox to the new server.
  I set up a new profile in Outlook 2007 which connects to my mailbox on Exchange 2013. The problem is that I need to add additional mailboxes to my profile which are still hosted on Exchange 2007, however this is not working.
  I thought at one stage I tested this and was able to get it work with a test mailbox also hosted on Exchange 2013.. but maybe I never did.
  Does anyone know if this is possible at all (single Outlook profile, primary mailbox hosted on Exchange 2013 and other mailboxes on Exchange 2007). Most of our users have an additional mailbox mapped in their profile so I hope there is some way around this.
  Thank you!

  Hi,
  It is possible to open a shared mailboxes on a legacy server.
  Your problem could be caused by:
  Not having one of the later CU installed (read CU4 or CU5)
  Incorrect authentication methods configured (see link below)
  Outlook is not at the latest patch level
  Users of Exchange Server 2013 can't open public folders or shared mailboxes on an Exchange 2010 or Exchange 2007 server
  http://support.microsoft.com/kb/2834139
  Martina Miskovic

• Migrating Exchange 2013 public mailboxes to a new server

  We have a client that is leaving their current Hosting company and wants to move to our hosting facility. We have recreated their DC,an Exchange Hub, and Exchange Store. We have exported and imported all of their recipient mailboxes and flipped the switch
  and all mail flow is now going through our hosting facility. The problem lies in that I can not figure out how to move the public mailboxes out of the old exchange server and import it into the new server. Both are Exchange 2013 and running on windows server
  2012. Any help would be greatly appreciated. 

  You're looking at a third-party product.  MigrationWiz does public folders.  There are other cloud-based migration solutions, but I don't know whether they support public folder migrations.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2013 Archive mailbox best practise

  Current senario:
  Migrating to Exchange 2013 CU3 from lotus Domino
  in lotus domino the customer is having huge archive files(nfs file size is around 30 GB, like wise users are having multiple archive file with same size.)
  Requirement is all these file need to migrated to exchange 2013 CU3. whcih we are taking care by using thrid party tool.
  My concern is exchang e2013 support for huge mailbox size. if so what maximum size supported for online mailbox and archive mailbox.
  can I assign multiple archive mailbox to users.
  we have got separate Exchange 2013 archive server in place
  We would like know the best practise/guide line for archive mailbox/live mailbox size.
  refered below link:
  http://blogs.technet.com/b/ashwinexchange/archive/2012/12/16/major-changes-with-exchange-server-2013-part-1.aspx

  The key decision is that the content in the primary mailbox is synchronized with the client when in cached mode, while the content in the archive is not.  So I'd want to keep the primary mailbox populated with the content the user needs on a daily basis,
  and put the rest in the archive.  Unfortunately, that answer is not a number, and it isn't the same for all users.
  Each user can have zero or one archive mailboxes, not multiple.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Exchange 2013 linked mailbox

  I am administering Exchange 2013 in organization where we have two separate forests witch two separate Exchange 2013 servers. There is AD trust between forests. Each user has two mailboxes connected in Outlook, one from forest A and one from forest B. Let's
  say [email protected] and [email protected] There is a plan that users from forest A will use and have only one mailbox connected in Outlook and get all emails data on Exchange server within forest A. What is a best approach
  to do it smoothly? We do not want to remove the email addresses from forest B because a lot of people outside the company know only this email address as a contact point.
  I am thinking about creating linked mailboxes. Any other ideas or advice's?

  Hi ,
  just remove the email address (i.e
  [email protected])
  from the mailbox in forest B and add it as an secondary smtp address on the mailbox residing on the mailbox in forest A.
  In case if you don want the mailbox for user 1 in forest B you can simply delete it instead of removing the email address.
  Note : Simply you cannot remove the email address (i.e
  [email protected])
  from the Mailbox of the user 1 in forest B is set as primary smtp address. So on such case just make some dummy email address as primary smtp address and simply remove
  the address [email protected]
  and add as an secondary smtp address on user 1 mailbox in forest A .
  Please feel free to reply me if you have any queries.
  Thanks & Regards S.Nithyanandham