Exchange 2013 federation

Similar Messages

• Exchange2010 migration to Exchange 2013 federation trust failed (Outlook Provider Failure)

  We are in a migration Exchange 2010 to Exchange 2013.
  On the 'old' Exchange 2010 we are using a Federation Trust to 2 order company's. The federation trust for mailbox's on the exchange 2013 wont work.
  We removed the federation trust on the old exchange 2010 server and create a new federation trust on the new Exchange 2013 server. We also changes the DNS TXT records. Creating the new federation trust without errors. But when the 2 order company's trying
  to connect (add our company name for trust) they get a error.
  A have trying to run a couple tests on the new Exchange 2013 server and found this error:
  [PS] C:\Windows\system32>Test-OutlookWebServices -debug -Identity [email protected] -MailboxCredential(Get-Credential
  cmdlet Get-Credential at command pipeline position 1
  Supply values for the following parameters:
  Credential
  Source                              ServiceEndpoint                    
  Scenario                       Result  Latency
  (MS)
  AM111.AM.LAN                        autodiscover.company.nl            Autodiscover: Outlook
  Provider Failure     144
  AM111.AM.LAN                        webmail.company.nl                
  Exchange Web Services          Success     134
  AM111.AM.LAN                        webmail.company.nl                
  Availability Service           Success     207
  AM111.AM.LAN                                                           
  Offline Address Book           Skipped       0

  Hi,
  Are you add primary SMTP domain as a federated domain? If not, please run below command to achieve this function:
  Add-FederatedDomain -DomainName contoso.com
  Configure federated sharing for the Exchange 2013 organization. Complete the steps in
  Configure federated sharing.
  Configure federated delegation (previous name for federated sharing) for the Exchange 2010 SP2 organization. Complete the steps in
  Configure federated delegation.
  Besides, I find an similar thread about Autodiscover service failed within federated trust, for your convenience:
  https://social.technet.microsoft.com/Forums/ie/en-US/ea192e0a-1363-4cb6-9fc4-2973f64afc23/the-response-from-the-autodiscover-service-at?forum=exchange2010
  Best Regards,
  Allen Wang

• Is there an Exchange 2013 DoD/Federal Message Clean/Spill Procedure?

  I have seen DoD/Federal procedures to clean a message from early versions of Exchange (i.e. leakage/spill), but these procedures would not work for Exchange 2013.
  I know that in the past Microsoft has worked with DISA & NSA to develop a message clean procedure for older versions of Exchange.
  Is there a published procedure or best practice to clean a message from Exchange 2013 that meets DoD/Federal standards?
  Thanks
  Tom
  Thomas Talley

  Hello,
  At present, there is no a published DoD/Federal procedure to clean a message from Exchange 2013. If there is any information about this, related technet article and exchange team blog will be published.
  If you want to delete messages from a mailbox, you can use Search-Mailbox cmdlet with the DeleteContent switch to search and delete messages.
  If you want to remove messages from mail queues, you can use Remove-Message cmdlet to delete a message from a queue on a Mailbox server or an Edge Transport server.
  If you have any feedback on our support, please click
  here
  Cara Chen
  TechNet Community Support

• Exchange 2013 OWA IM to federated users

  Hi I configured Exchange 2013 OWA IM for Lync server and everything is working fine except that I can't IM federated Lync users when the conversation is initiated from OWA. When I start an IM conversation from the federated user to my OWA, everything is
  working fine. Also the replies arrive then! So it must be something with initiating the session. I don't have issues with federated users form normal Lync desktop clients or mobile clients.
  In the lync logs I notice the following when starting the conversation from OWA:
  1027;reason="Cannot route this type of SIP request to or from federated partners";
  I also notice there's a KB2977259 (http://support.microsoft.com/kb/2977259) that discusses similar things but I'm not working with contacts like that and I guess they don't mean that you have to do this for every federated contact a Lync user has.
  Does somebody else also experience this issue?
  Update: following this KB I tried to add a new outlook contact in owa and add my sip address as "sip:[email protected]". When doing this it actually work to IM this federated user. But this is actually a workaround you can't expect your users
  to implement. I can't believe nobody else has issues with this.

  Hi DS_Kevin,
  Please post a little more log information. It seems that IM from OWA can’t locate the federated user’s SIP address without the sip prefix.
  Best Regards,
  Lisa Zheng
  Lisa Zheng
  TechNet Community Support

• Exchange 2013 Untrusted Cross-Forest Availability Intermittently Working

  Goal:
  I’m attempting to configure cross-forest availability for Exchange 2013 using the instructions here:
  http://technet.microsoft.com/en-us/library/bb125182%28v=exchg.150%29.aspx
  At the very bottom of the page are three different methods.  I have tried the first (per-user) and the third (untrusted) methods, with identical results.  For various unfortunate reasons, I am unable to use the Microsoft Federated Gateway for availability
  information (although that is configured in the production domain and I would use it if it were possible). 
  Situation:
  When attempting to view availability information in either OWA or Outlook, the free/busy information typically isn’t visible.  If you open and close Outlook a few times, creating meetings with the users in other domains, sometimes the other user’s information
  will be visible, and sometimes it will not.  When it is not, the area is filled with diagonal lines and hovering over it says “No Information”.  The situation is the same in both Adatum trying to access Contoso, and in Contoso trying to access either
  Adatum or Fabrikam.
  I’m currently close to finishing up my third week with Microsoft Support on this issue, and am starting over with a third first level support person.  They are quickly eroding what little confidence I had in them already.  I’m posting here because
  I’m desperate, and web searches for my errors turn up zero results.  I fear this method of availability sharing doesn’t actually work correctly in Exchange 2013 as Microsoft is pushing organizations to use the Microsoft Federated Gateway, but I’d love
  to heave about anyone getting this to work, or not.
  Setup:
  There are three separate domains I am working with (names changed to protect the innocent).  Contoso.local is the production domain, containing Exchange 2007 and Exchange 2013 SP1 servers.  Adatum.local is a test domain set up fresh with Exchange
  2013 SP1.  Fabrikam.com is a remote Exchange system that I others are connecting to without issue using Exchange 2010.
  The Contoso and Adatum domain controllers are running Windows Server 2008 R2 SP1 and are running at a 2008 R2 functional levels.  The Exchange 2013 servers are all at SP1 (results were the same prior to SP1), and the OS is Windows Server 2012. 
  Contoso has two sites, connected via 10Gbps links, and ~10ms latency, with Exchange 2013 CAS and mailbox servers in both sites.  Adatum has a single site, and has two CAS and two mailbox servers.  Fabrikam has one internet facing server to connect
  to.  A handful of contacts have been created in both Contoso and Adatum for the other domains, to select to view availability.
  Contoso and Adatum domains sit on different subnets, but there is no firewall or filtering between their subnets.  Routing between them is completely unimpeded.  The Fabrikam server sits on another network across the internet, but firewalls have
  been configured and I can browse the availability website from the Contoso CAS servers.
  The CAS servers were originally set up to be load balanced, but working with Microsoft they’ve had me specify a single CAS server for autodiscover/EWS/ECP/OWA/etc in both Contoso and Adatum.  The number of actual users on Exchange 2013 in Contoso is
  ~10.  In Adatum, there are only a handful of mailboxes configured.  The Exchange 2007 servers in Contoso are using Public Folders for free/busy replication for other domains right now, and we don’t care at the moment if they can use the 2013 availability. 
  None of our testing/configurations have involved the Exchange 2007 servers.  There are no SPNs configured for the other domains in AD.
  Errors:
  There are three basic errors that are returned in Outlook diagnostics.  The first is the timeout error.  For a given mailbox server, the first time it is queried for availability information for a remote domain (after some amount of time of being
  idle) it might not respond for 70 seconds (actually somewhere between 69 and 70 seconds each time when viewing the IIS logs), and eventually fails with the timeout error.  If it doesn’t timeout, then it will respond with the Correct Response.
  Once a particular mailbox server has timed out, it will typically immediately return the first Availability Error for all subsequent calls.  Less frequently, it will return Availability Error 2.  If a mailbox server returns the first Availability
  Error, then it will continue to return that error until it times out again or starts working.  Similarly, if a mailbox server returns the second Availability Error, then it will continue to return that error until it times out again or starts working.
  If an IISRESET is performed on a mailbox server, then it will either timeout at the next cross-forest availability request, or work.  There is never an issue accessing availability information for users in the same domain as the request.
  If the remote Exchange is in an errored state, then the response includes the error.  For example, if the mailbox servers in the remote domain are turned off, and the local mailbox server that you are querying happens to be responding correctly
  for the remote domain, then it will return an error about how no mailbox servers are available in adatum.local to service the request.
  There are no Event Log errors that correspond to failed requests of any type.  IIS logs don’t show anything beyond what is shown in the Outlook diagnostics.  There are no DNS or Active Directory Replication errors in the Event Logs.
  Timeout error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorTimeoutExpired
  ErrorMessage         : Microsoft.Exchange.InfoWorker.Common.Availability.TimeoutExpiredException: Request could not be processed in time. Timeout occurred during 'LookupRecipientsBatchBegin'.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AutoDiscoverFailedException:
  AvailabilityAddressSpace 'adatum.local' couldn't be used because the Autodiscover endpoint couldn't be discovered.
                         . Name of the server where exception originated: Mailbox01
  ErrorDetails         : {}
  ErrorProperties      : {}
  Availability Error 2:
  CalendarEvents       : {}
  ViewType             : None
  MergedFreeBusyStatus : {}
  WorkingHours         :
  Result               : Error
  ErrorCode            : ErrorProxyRequestProcessingFailed
  ErrorMessage         : Unable to send cross-forest request for mailbox <Free BusyTest>SMTP:[email protected] because of invalid configuration., inner exception: Microsoft.Exchange.InfoWorker.Common.Availability.AddressSpaceNotFoundException:
  Configuration information for forest/domain swelab.wayad.corp.wayport.net could not be found in Active Directory.
                            at Microsoft.Exchange.InfoWorker.Common.Availability.TargetForestConfigurationCache.FindByDomain(OrganizationId
  organizationId, String domainName)
                            at Microsoft.Exchange.InfoWorker.Common.Availability.QueryGenerator.GetTargetForestConfiguration(EmailAddress
  emailAddress)
                         . Name of the server where exception originated: Mailbox02
  ErrorDetails         : {}
  ErrorProperties      : {}
  Working:
  CalendarEvents       : {Microsoft.Exchange.WebServices.Data.CalendarEvent}
  ViewType             : FreeBusyMerged
  MergedFreeBusyStatus : {Free, Free, Free, Free...}
  WorkingHours         : Microsoft.Exchange.WebServices.Data.WorkingHours
  Result               : Success
  ErrorCode            : NoError
  ErrorMessage         :
  ErrorDetails         : {}
  ErrorProperties      : {}
  Start : 04/09/2014 00:00:00
  End : 04/12/2014 00:00:00
  Subject :
  Location :
  Testing Methodologies:
  While it is possible to dig through Outlook diagnostics and OWA, we ended up scripting out these requests to save time.  Microsoft support refuses to use the scripts, but they produce the same output that it takes them days to find in the logs, so I’ll
  post them here to help anyone in the future.
  Through reading the documentation and experimenting, it appears that the Exchange 2013 CAS servers really do just proxy availability requests from the client to the mailbox servers.  At least by default, it seems to pick a mailbox server in the same
  site, but which mailbox server in the site appears to be random.  It will typically pick the same one repeatedly for a while.
  The first script uses the Microsoft Exchange Web Services Managed API 2.1.
  http://www.microsoft.com/en-us/download/details.aspx?id=42022
  You specify a source email address, and a target address in the remote domain, and it creates a SOAP request that it sends to a CAS server of the source email address.  The CAS proxies the request to the mailbox server which either responds with a failure
  or the free/busy data.
  The second script takes the XML SOAP request generated by the first script, and uses that to query a mailbox server directly.  That allows you to test specific mailbox servers that are working or failing, instead of randomly using whichever mailbox
  server the CAS happens to select.  I generated a SOAP request with the first script that I knew had some data, and then copy/pasted it into the second script to verify if data was being returned.
  I’ve deleted and recreated the availability address spaces in Contoso and Adatum for each other and Fabrikam multiple times.  I’ve reset the password in the OrgWideAccount in both Adatum and Contoso, and viewed the lastBadPassword attribute in both
  ADs to verify it wasn’t failing authentication.  (A failed authentication also generates a 401 error that is returned to the client.)  I can access the availability site of the other domain using the credentials of the OrgWideAccount without any
  errors ever.
  First Script:
  # Import the Exchange Web Services module
  Import-Module -Name "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
  # Create the services object used to connect to Exchange
  # You can specify a specific Exchange version, which I had to do to connect to 2007
  # Exchange2007_SP1
  # Exchange2010
  # Exchange2010_SP1
  # Exchange2010_SP2
  # Exchange2013
  # $ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2007_SP1
  # $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
  $Service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService
  $Service.UseDefaultCredentials = $true
  # Specify an SMTP address. The autodiscover URL from the associated mailbox will be used to connect to Exchange
  # This is used to distinguish resolving from the 2007 server versus 2013
  #$Service.AutodiscoverUrl("[email protected]") # For Exchange 2007
  $Service.AutodiscoverUrl("[email protected]") # For Exchange 2013
  # Increase the amount output at the end to include the SOAP commands
  $Service.TraceEnabled = $true
  # Specify time frame to get free/busy for
  $StartTime = [DateTime]::Parse([DateTime]::Now.ToString("yyyy-MM-dd 0:00"))
  $EndTime = $StartTime.AddDays(7)
  # Create the various objects needed to perform the EWS request
  $drDuration = new-object Microsoft.Exchange.WebServices.Data.TimeWindow($StartTime,$EndTime)
  $AvailabilityOptions = new-object Microsoft.Exchange.WebServices.Data.AvailabilityOptions
  $AvailabilityOptions.RequestedFreeBusyView = [Microsoft.Exchange.WebServices.Data.FreeBusyViewType]::DetailedMerged
  $Attendeesbatch = New-Object "System.Collections.Generic.List[Microsoft.Exchange.WebServices.Data.AttendeeInfo]"
  $attendee = New-Object Microsoft.Exchange.WebServices.Data.AttendeeInfo($userSMTPAddress)
  # Specify SMTP addresses of accounts to request availability for
  #$Attendeesbatch.Add("[email protected]")
  $Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  #$Attendeesbatch.Add("[email protected]")
  # Clear out old results so that a failed request doesn't show information still
  $availresponse = ""
  # Request the availability information from Exchange
  $availresponse = $service.GetUserAvailability($Attendeesbatch,$drDuration,[Microsoft.Exchange.WebServices.Data.AvailabilityData]::FreeBusy,$AvailabilityOptions)
  # Show summary information that would include errors
  $availresponse.AttendeesAvailability
  # Show all of the appointments in the requested time period
  foreach($avail in $availresponse.AttendeesAvailability){
  foreach($cvtEnt in $avail.CalendarEvents){
  "Start : " + $cvtEnt.StartTime
  "End : " + $cvtEnt.EndTime
  "Subject : " + $cvtEnt.Details.Subject
  "Location : " + $cvtEnt.Details.Location
  Second Script:
  # Change the server in this URL to specify which mailbox server to access
  $url = 'https://mailbox01.contoso.local:444/EWS/Exchange.asmx'
  # Uncomment the below lines if you want to query EWS using credentials other than
  # the ones used to run the script.
  #If(!(Test-Path variable:global:cred))
  # $cred = Get-Credential
  function Execute-SOAPRequest
  [Xml] $SOAPRequest,
  [String] $URL
  write-host "Sending SOAP Request To Server: $URL"
  $soapWebRequest = [System.Net.WebRequest]::Create($URL)
  # These appear to be the only things needed in the headers when making the request
  $soapWebRequest.ContentType = 'text/xml;charset="utf-8"'
  $soapWebRequest.Accept = "text/xml"
  $soapWebRequest.Method = "POST"
  If(Test-Path variable:global:cred)
  $soapWebRequest.Credentials = $cred
  Else
  $soapWebRequest.UseDefaultCredentials = $true
  write-host "Initiating Send."
  $requestStream = $soapWebRequest.GetRequestStream()
  $SOAPRequest.Save($requestStream)
  $requestStream.Close()
  write-host "Send Complete, Waiting For Response."
  $resp = $soapWebRequest.GetResponse()
  $responseStream = $resp.GetResponseStream()
  $soapReader = [System.IO.StreamReader]($responseStream)
  $ReturnXml = [Xml] $soapReader.ReadToEnd()
  $responseStream.Close()
  write-host "Response Received."
  return $ReturnXml
  # The specing and line returns in the below variable are important for some reason
  # For example, there must be a line return after the @' on the first line, or it's invalid...
  # Change the line with this:
  # <t:Address>[email protected]</t:Address>
  # to the email address in the domain you want to query
  $soap = [xml]@'
  <?xml version="1.0" encoding="utf-8"?>
  <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
  <t:RequestServerVersion Version="Exchange2013_SP1" />
  <t:TimeZoneContext>
  <t:TimeZoneDefinition Name="(UTC-06:00) Central Time (US &amp; Canada)" Id="Central Standard Time">
  <t:Periods>
  <t:Period Bias="P0DT6H0M0.0S" Name="Standard" Id="Std" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/1" />
  <t:Period Bias="P0DT5H0M0.0S" Name="Daylight" Id="Dlt/2007" />
  </t:Periods>
  <t:TransitionsGroups>
  <t:TransitionsGroup Id="0">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/1</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>4</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>10</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>-1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  <t:TransitionsGroup Id="1">
  <t:RecurringDayTransition>
  <t:To Kind="Period">Dlt/2007</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>3</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>2</t:Occurrence>
  </t:RecurringDayTransition>
  <t:RecurringDayTransition>
  <t:To Kind="Period">Std</t:To>
  <t:TimeOffset>P0DT2H0M0.0S</t:TimeOffset>
  <t:Month>11</t:Month>
  <t:DayOfWeek>Sunday</t:DayOfWeek>
  <t:Occurrence>1</t:Occurrence>
  </t:RecurringDayTransition>
  </t:TransitionsGroup>
  </t:TransitionsGroups>
  <t:Transitions>
  <t:Transition>
  <t:To Kind="Group">0</t:To>
  </t:Transition>
  <t:AbsoluteDateTransition>
  <t:To Kind="Group">1</t:To>
  <t:DateTime>2007-01-01T06:00:00.000Z</t:DateTime>
  </t:AbsoluteDateTransition>
  </t:Transitions>
  </t:TimeZoneDefinition>
  </t:TimeZoneContext>
  </soap:Header>
  <soap:Body>
  <m:GetUserAvailabilityRequest>
  <m:MailboxDataArray>
  <t:MailboxData>
  <t:Email>
  <t:Address>[email protected]</t:Address>
  </t:Email>
  <t:AttendeeType>Required</t:AttendeeType>
  <t:ExcludeConflicts>false</t:ExcludeConflicts>
  </t:MailboxData>
  </m:MailboxDataArray>
  <t:FreeBusyViewOptions>
  <t:TimeWindow>
  <t:StartTime>2014-04-03T00:00:00</t:StartTime>
  <t:EndTime>2014-04-10T00:00:00</t:EndTime>
  </t:TimeWindow>
  <t:MergedFreeBusyIntervalInMinutes>30</t:MergedFreeBusyIntervalInMinutes>
  <t:RequestedView>DetailedMerged</t:RequestedView>
  </t:FreeBusyViewOptions>
  </m:GetUserAvailabilityRequest>
  </soap:Body>
  </soap:Envelope>
  $ret = Execute-SOAPRequest $soap $url
  # Uncomment out one of the below two lines to get output in different alternative formats
  #$ret | Export-Clixml c:\temp\1.xml;Get-Content c:\temp\1.xml
  #$ret.InnerXml
  # If the request is successful, show the appointments, otherwise show the failure message
  If ($ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage.ResponseClass -eq 'Success')
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.FreeBusyView.CalendarEventArray.CalendarEvent
  Else
  $ret.Envelope.Body.GetUserAvailabilityResponse.FreeBusyResponseArray.FreeBusyResponse.ResponseMessage

  In this case, the SMTP domain is the same as the AD domain.  If the wrong domain were configured then the connection would never work, as opposed to sometimes work.
  RunspaceId            : abb30c12-c578-4770-987f-41fe6206a463
  ForestName            : adatum.local
  UserName              : adatum\availtest
  UseServiceAccount     : False
  AccessMethod          : OrgWideFB
  ProxyUrl              :
  TargetAutodiscoverEpr :
  ParentPathId          : CN=Availability Configuration
  AdminDisplayName      :
  ExchangeVersion       : 0.1 (8.0.535.0)
  Name                  : adatum.local
  DistinguishedName     : CN=adatum.local,CN=Availability Configuration,CN=Wayport,CN=Microsoft
                          Exchange,CN=Services,CN=Configuration,DC=contoso,DC=local
  Identity              : adatum.local
  Guid                  : 3e0ebc2c-0ebc-4be8-83d2-077746180d66
  ObjectCategory        : contoso.local/Configuration/Schema/ms-Exch-Availability-Address-Space
  ObjectClass           : {top, msExchAvailabilityAddressSpace}
  WhenChanged           : 4/15/2014 12:33:53 PM
  WhenCreated           : 4/15/2014 12:33:35 PM
  WhenChangedUTC        : 4/15/2014 5:33:53 PM
  WhenCreatedUTC        : 4/15/2014 5:33:35 PM
  OrganizationId        :
  OriginatingServer     : dc01.contoso.local
  IsValid               : True
  ObjectState           : Unchanged

• Exchange 2013 does not show AD people pictures

  Hello,
  Exchange 2013 is configured in hybrid mode with exchange online. Majority of the mailboxes are located in Office 365. Also we have exchange 2007.
  When I open mailbox located on exchange 2013 and searching for people- I don't see their pictures.
  All pictures are uploaded to AD, also office 365 mailbox owners can see them.
  When I check logs on exchange 2013 server, I get 4002 even id:
  Process 10556: ProxyWebRequest FederatedCrossForest from S-1-5-21-2000478354-2111687655-1801674531-222614 to
  https://outlook.office365.com:443/EWS/Gsiedes..contoso.mail.onmicrosoft.com/Exchange.asmx/WSSecurity failed. Caller SIDs: WSSecurity. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: Proxy web
  request failed.  ---> System.Net.WebException: The request failed with HTTP status 404: Not Found.
     at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
     at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
     at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserPhoto(IAsyncResult asyncResult)
     at Microsoft.Exchange.InfoWorker.Common.UserPhotos.UserPhotoApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, IService service, IAsyncResult asyncResult)
     at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)
     at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling()
     --- End of inner exception stack trace ---
  . Name of the server where exception originated: server. Make sure that the Active Directory site/forest that contain the user's mailbox has at least one local Exchange 2010 server running the Availability service. Turn up logging for the Availability service
  and test basic network connectivity.
  Somehow, instead of querying user settings from AD, exchange contacting with Office 365?
  My additional configuration:
  1) EWS virtual directory has external URL and Internal URL which is client load balancer. External URL is a URL for Office 365 federation configuration.
  2)Autodoscover external DNS records points to the sane URL for EWS (same hostname). Internal dns a record points to exchange 2007 CAS server.
  Any ideas?

  Hi,
  According to your description, I understand that cannot see account picture for hybrid environment with Office 365 when search people.
  If I misunderstand your concern, please do not hesitate to let me know.
  Do you have configure the Availability service for cross-forest topologies?
  If not, please refer to below link to configure:
  https://technet.microsoft.com/en-us/library/bb125182(v=exchg.150).aspx
  Besides, we have to change the thumbnailPhoto attribute for OAB so that OAB can update with photo.
  More details about GAL Photos in Exchange 2010 and Outlook 2010, for your reference:
  http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Allen Wang
  TechNet Community Support

• Exchange 2013 Office 365 Hybrid Cloud On-Premise Outlook Connection Problem

  Hi Everyone,
     We are required to migrate FROM the cloud TO an on-premise Exchange 2013 server.  We set up a trial of Office365 and linked our test domain to that account.  The test domain mimics our current domain, but ends in .net instead of .org.
   We set up a test Exchange 2013 server with a few database servers.  Internally, we can connect without issue (Outlook).  We mapped our test CAS to face the Internet, and can access what we need without issue.  We also set up the Hybrid
  configuration on both the Exchange 2013 and Office365 servers.  We have validated that DirSync works, and migration can occur up to the cloud and back down to the on-premise server.
  Now, here is the issue:
  We have our DNS records still pointing to Office365, so when we add an Office365 mailbox to Outlook (internal to the network or outside the network) we see absolutely no issues.  We migrated a mailbox today to our on-premise server, but upon doing so,
  can no longer connect to, or add, that mailbox to Outlook.  When we put this integration in to effect for production, we want to be able to migrate mailboxes on-premise from the cloud, and we want to make sure users can still access their mailboxes.  This
  also goes for distribution groups, conference rooms, etc.
  I see that most suggestions say to change your DNS record to point to the on-premise Exchange server, which is great, but after doing so Office365 accounts experience the same issue as above.  We NEED to make sure that when we batch migrate, the users
  DO NOT lose connectivity to their accounts.  We need both Office365 accounts and Exchange on-premise accounts are accessible internally and externally.  As an extra tid-bit, we HAVE configured Outlook Anywhere on Exchange 2013, but see no difference.
  Any thoughts on this?  Office365 and Exchange 2013 see eachother and recognize that the hybrid environment is set up good, but it appears we are missing some configurations.  Currently, we have a CNAME record points our autodiscover to autodiscover.outlook.com.
  Any help would be MUCH appreciated.  Thanks!
  Dan

  Hi,
  Here is an article on Move mailboxes between on-premises and Exchange Online organizations in 2013 hybrid deployments, for your reference:
  http://technet.microsoft.com/en-us/library/jj906432(v=exchg.150).aspx
  I want to make sure OWA works well with the moved mailbox.
  To use CNAME based autodiscover method, we need to have all domain names present in a SAN certificate.
  With Exchange 2013 CU1, we now have the option of adding multiple SMTP domains to Exchange Federation/Hybrid configuration and we can specify which of these domains should act the "autodiscover" domain.
  To configure an SMTP domain as the autodiscover domain, you can run following command:
  Set-HybridConfiguration -Domains "domain1.com, domain2.com, domain3.com", "autod:domain.com"
  More details, please refer following blogs:
  http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-2013-hybrid-deployment-and-migrating-office-365-exchange-online-part11.html
  http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-2013-hybrid-deployment-and-migrating-office-365-exchange-online-part12.html
  Disclaimer:
  Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure
  that you completely understand the risk before retrieving any suggestions from the above links.
  Thanks
  Mavis Huang
  TechNet Community Support

• What is the best practices to apply two factor authentication on on-premise Exchange 2013 Environment ?

  Hi, Everyone
  i want to know what is the requirements to apply two factor authentication in Exchange 2013, Through Mobile or SMS.
  what is the third party solutions of Microsoft solutions

  Hi,
  If we can deploy Active Directory Federation Services (AD FS) 2.0, it means that Outlook Web App and EAC in Exchange 2013 SP1 can support multifactor authentication methods, such as certificate-based authentication, authentication or security tokens, and
  fingerprint authentication.
  Additional, we can use TMG or Microsoft UAG to deploy MFA, please refer to:
  https://social.technet.microsoft.com/Forums/exchange/en-US/f355ffbd-7d03-45d8-b4b1-987b2db5eadf/is-there-a-way-to-do-two-factor-authentication-with-outlook-web-app-2010?forum=exchangesvrgenerallegacy
  Best Regards,
  Allen Wang

• Exchange 2013 Hybrid Deployment, on-premise to multiple Office 365 tenants

  Hello, we are in the early stages of planning an Exchange 2013 hybrid deployment for a federation of education organisations.
  We are planning to use a single on-premise Exchange organisation for staff mailboxes across all member organisations, each member already has it's own Office 365 tenancy for students, which we would like to maintain if possible.
  My question is, is it possible (and supported) for an Exchange hybrid deployment with a single on-premise organisation with multiple Office 365 tenants, my understanding is that only a 1:1 deployment is supported, can somebody confirm or clarify this ?
  Thanks

  I think if you have different AD sites then you can install the DirSync or ADFS for each of them and have one way replication. I 'd aks this question to Office365 Forum and support.
  Where Technology Meets Talent

• Calendar sharing and editing between 2 exchange 2013 organisations

  Not sure then.. wait for other spiceheads to reply...

  Hi Guys
  I recently had a client that was forced to split into 2 separate organisations each with their own exchange 2013 setup. However they will be sharing vehicles and conference rooms etc and previously they had calendars setup to manage this. I want to be able to have a calendar setup that both exchange organisations can access and edit.
  I setup federated trust between the exchange servers however all I can do is view information and no one can actually make any changes etc.
  Anyone know how this can be done easily?
  Thanks
  This topic first appeared in the Spiceworks Community

• Installation of Exchange 2013 Failed on Mailbox Role Transport Service

  Hi All,
  Getting this error when trying to install a new exchange 2013 server. Thanks in advance
  Error:
  The following error was generated when "$error.Clear();
            if ( ($server -eq $null) -and ($RoleIsDatacenter -ne $true) )
              Update-RmsSharedIdentity -ServerName $RoleNetBIOSName
          " was run: "Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
     at Microsoft.Exchange.Data.Directory.ADDataSession.Save(ADObject instanceToSave, IEnumerable`1 properties, Boolean bypassValidation)
     at Microsoft.Exchange.Data.Directory.Recipient.ADRecipientObjectSession.Save(ADRecipient instanceToSave)
     at Microsoft.Exchange.Management.Deployment.UpdateRmsSharedIdentity.Link()
     at Microsoft.Exchange.Management.Deployment.UpdateRmsSharedIdentity.InternalProcessRecord()
     at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
     at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

  Hi,
  This problem occurs because the federated built-in e-mail account that links to the computer account no longer exists. Or, the federated built-in e-mail account in the AD
   directory service is corrupted.
  Please try to follow these steps to solve this problem.
      1. Remove the FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 e-mail account by using the ADSIEDIT tool. To do this, follow these steps:
  Click Start, click Run, type adsiedit.msc, and then click
  OK.
  Locate the Default Naming Context node, and then locate to the
  CN=Users container.
  Locate and then right-click the CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 container. Then, click
  Delete.
      2. Rerun the Exchange Server 2013 Mailbox role setup application.
      3. Create a new federated e-mail account by using the following command:
  New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@<Default_Accepted_Domain>
  If this issue persistes, please let me know.
  Best Regards.

• Cannot send email from Exchange 2007 to Exchange 2013

  Hello Anyone,
  Anyone can help? I've prepare MS Exchange 2013 already, for Migration MS Exchange 2007 and I got the issue.
  My issue is I can't send email from Exchange 2007 to Exchagen 2013, but for Exchange 2013 can send email to Exchange 2007,
  is my issue only internal email for external email both Exchange server is working fine.
  Regards,
  Eakkasak

  Thanks for your reply, when I send email from Exchange 2007 to Exchange 2013 I'm get the error message below.
  Delivery is delayed to these recipients or distribution lists:
  Eakkasak Buajan
  Subject:
  This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.
  Delivery of this message will be attempted until 8/29/2014 8:30:29 PM (GMT+07:00) Bangkok, Hanoi, Jakarta. Microsoft Exchange will notify you if the message can't be delivered by that time."
  I'm already tick  "Exchange server Authentication" in the Default Receive connector properties of Exchange 2013"
  I'm restart services and restart all Exchange Server but doesn't work.
  Thanks,
  Eakkasak
  Sent by Microsoft Exchange Server 2007

• Cannot send email from Exchange 2007 to Exchange 2013 - Coexistence

  Existing Exchange 2007 SP3 1 MBX, 2 CAS/HT, 2 ET servers.
  I have added an Exchange 2013 server with MBX/CAS role.
  Email will flow from Ex2013 server no problem.  Mail from Ex2007 systems cannot deliver to Ex2013 boxes, it dies in queue with a 4.4.7 expired message after issuing a delay message.
  I can telnet to ports 25, 587,717,465,475, and 2525 from Ex2007 HT role to new Exchange 2013 server.  I can send email from Ex2007 HT role server to new Exchange 2013 server using telnet to port 25.
  A ‘get-mailbox’ from the Ex2007 HT role server returns the server and database properly on the test users on Exchange 2013 server.
  The only strange thing I am seeing is from the Ex2007 systems, a ‘get-exchange server’ command shows the new Ex2013 server as role ‘16439’ which looks to perhaps be normal.
  Why is email not flowing to the new users on Exchange 2013?

  You should have exchange server authentication ticked in Default Receive connector in Exchange2007.
  Exchange 2007 and Exchange 2013 in the same subnet/network. if not please check any spam agent running between the networks. Are you running antispam on Exchange2013 ?
  MAS

• Exchange 2013 SP1 displaying users that no longer exist

  I'm currently in the process of migrating my Exchange 2010 SP3 environment over to 2013 SP1 and am hoping someone can give me a hand with an issue I'm having in Exchange 2013.  After installation of 2013 with no errors returned, when I log in to the
  admin console I'm seeing users that have been deleted from my AD for quite some time with a mailbox type of "Legacy".  I've searched high and low to find these accounts and cannot find them anywhere.  I've searched through ADSI Edit and
  LDP and nothing.  If I click on any of these users and choose to edit I get this error message:
  The operation couldn't be performed because object 'GUID' couldn't be found on 'domain controller'.
  The odd thing to me is that these "Legacy" users are nowhere to be found on my Exchange 2010 server.
  Anyone have any other ideas of how and where I may be able to find these users?

  Below powershell script can help you find out the lingering objects in your AD.
  $myForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
  $dclist = $myforest.Sites | % { $_.Servers } |% { $_.Name }
  $dcs_guid = get-qadobject -searchroot 'CN=Sites,CN=Configuration,DC=domain,DC=root' -Type nTDSDSA -IncludedProperties guid,dn -DontUseDefaultIncludedProperties | % {@{GUID=$_.guid;DN=$_.dn}}
  foreach ($dcforestname in $dclist){
      foreach ($dc_src_guid in $dcs_guid){
          $hostname = ((($dc_src_guid.DN).split(',')[1]).split('=')[1]).tostring()
          $dcfqdn = $dclist -like "$hostname*" | Out-String -Stream
          $dclist_arr = ($dcfqdn).split(".")
          $dcname = $dclist_arr[0]
          $dcdomain = $dclist_arr[1 .. ($dclist_arr.count-1)]
          $domain_dn = ""
          for ($x = 0; $x -lt $dcdomain.Length ; $x++){
              if ($x -eq ($dcdomain.Length - 1)){$Separator = ""}else{$Separator =","}
              [string]$domain_dn += "DC=" + $dcdomain[$x] + $Separator
          write-Host "repadmin /removelingeringobjects $dcforestname" $dc_src_guid.GUID $domain_dn "/advisory_mode >> lingering_debug.log"
  Regards, Riaz Javed Butt Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365

• Creation of a second Exchange 2013 server on a different site (with the roles of MBX and CAS) fails on prepare active directory and prepare schema.

  Hello everyone
  I have a network infrastructure  consisting of 3 sites, site A, site B, and site C. i have 2 domain controllers on every site, and the AD roles are on the primary domain controller on site A. On site A I have an Exchange 2013sp1 CU6.
  I want to create a second Exchange on Site B, with the roles of mailbox (the exchange on Site A will be first DAG member and the Exchange on Site B will be the second member of the DAG) and CAS.
  First question: Is my  thought correct about installaing on the same server mailbox and CAS server?
  Second question: how many DAG witnesses I need for the DAG? One per site, or one in general (for example located on site A)
  Third question: When I am trying to perform “Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms”  I receive the error
  “ Setup encountered a problem while validating the state of Active Directory:
   The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema can't be executed.  See the Exchange setup log for more information on this error. For more information, visit:
  http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx “
  I tried  to run the PrepareSchema from  the ISO of Exchange 2013 SP1 and form the extracted content of Exchange 2013SP1 CU6 archive, but still receive the same error. Any ideas?
  Thanks in advance.

  Thank you for your answer,
  I have tried to run "Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms”  from
  Exchange 2013 CU6 media, but I still receive  the error:
  The Active Directory schema version (15303) is higher than Setup's version (15292). Therefore, PrepareSchema
  can't be executed.  See the Exchange setup log for more information on this error. For more information, visit:http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx “
  any ideas?