Wednesday, October 4, 2017

Issues with POP/IMAP Certificates with Exchange Online.



From time to time Microsoft will update the certificates that are installed on their services. Most applications handle these changes because they trust the intermediate and root certificate issuers. Some Java-based applications can't establish trust this way and have to trust the issued certificate from the server itself.


You might not notice this right away because of how updates are rolled out in Office 365. You might see occasional connectivity issues at first, and they will increase as more and more systems are deployed with the new certificate.


The easy way to fix this is to use openssl to query for the certificate information and then add it to the trusted certificates.




Microsoft has released a list of their Office 365 certificate chains. You can download the Root and Intermediates all in one bundle:


http://aka.ms/o365chains



Here are some examples for getting the certificates from the different services that these Java-based applications typically use.


SMTP:
openssl s_client -connect smtp.office365.com:25 -starttls smtp -showcerts


IMAP:
openssl s_client -connect outlook.office365.com:993 -showcerts


POP:
openssl s_client -connect outlook.office365.com:995 -showcerts


Here's an example of what you will get back. Just copy the text from -----BEGIN CERTIFICATE----- through to -----END CERTIFICATE-----

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3487 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 250E00000330A8580D7594629C0C7C9C73D0B0CE5FA52F343076FAB57287DBAA
    Session-ID-ctx:
    Master-Key: C92EBAA17285AB6D42D920AE69F2A96210BCAD1C08580951DD26E726150A60F8A0C568211E53C62B645944E016A51E87
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1507156597
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK The Microsoft Exchange POP3 service is ready. [QgBOADYAUABSADEANgBDAEEAMAAwADIAMgAuAG4AYQBtAHAAcgBkADEANgAuAHAAcgBvAGQALgBvAHUAdABsAG8AbwBrAC4AYwBvAG0A]
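
Copying the block by hand works, but it is easy to grab the wrong certificate or to trust one from a session that did not verify. The following is an added example, not part of the original post: it parses saved s_client output, stops unless the verify return code is 0, and returns each chain entry with its subject and issuer. The function name, the sample text and the keytool alias and file names are assumptions made for illustration.

```powershell
# Added example (not from the original post): read saved `openssl s_client -showcerts`
# output, confirm OpenSSL verified the chain, and return each certificate with its names.
function Get-SClientChain {
    param([Parameter(Mandatory=$true)][string]$Text)

    # Never trust a certificate from a session OpenSSL itself could not verify
    if ($Text -notmatch '(?m)^\s*Verify return code:\s*(?<code>\d+)\s*\((?<msg>[^)]*)\)') {
        throw 'No "Verify return code" line found; the captured output is incomplete.'
    }
    if ($Matches['code'] -ne '0') {
        throw ("Chain did not verify: {0} ({1})" -f $Matches['code'], $Matches['msg'])
    }

    # Each chain entry is " N s:<subject>", "   i:<issuer>", then one PEM block
    $pattern = '(?ms)^\s*(?<idx>\d+) s:(?<subject>[^\r\n]+)\r?\n\s+i:(?<issuer>[^\r\n]+)\r?\n' +
               '(?<pem>-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        New-Object PSObject -Property @{
            Depth   = [int]$m.Groups['idx'].Value
            Subject = $m.Groups['subject'].Value.Trim()
            Issuer  = $m.Groups['issuer'].Value.Trim()
            Pem     = $m.Groups['pem'].Value
        }
    }
}

# Constructed sample: same layout as the output above, certificate bodies are placeholders
$sample = @'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+NOT+A+REAL+CERTIFICATE==
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER+INTERMEDIATE+NOT+A+REAL+CERTIFICATE==
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
'@

$chain = @(Get-SClientChain -Text $sample)
$chain | Sort-Object Depth | Format-Table Depth, Subject, Issuer -AutoSize

# Depth 0 is the server (leaf) certificate that a pinning application has to trust
$leaf = $chain | Where-Object { $_.Depth -eq 0 }
"Leaf certificate to trust: {0}" -f $leaf.Subject
# With real output, write the PEM out and import it into the application's truststore:
#   $leaf.Pem | Set-Content -Encoding ASCII .\o365-leaf.pem
#   keytool -importcert -alias o365-leaf -file o365-leaf.pem -keystore <truststore path>
```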

Friday, September 13, 2013

Quick Ways To Assign Retention Policies in Exchange 2010

In life there are things that we would rather not retain... like this


I've had several instances where people wanted to apply Retention Policies to a massive number of mailboxes in Exchange 2010. I've come up with several different methods:

  1. Apply the Retention Policy through your identity management software (not an original idea)
  2. Apply the Retention Policy to all mailboxes that do not have one via Scheduled Task
  3. Apply the Retention Policy to members of a specific AD Group
  4. Use Cmdlet Extension Agents for Exchange 2010

Option 1

Work with your Identity Management provider; they probably have the ability to modify the provisioning scripts.

Option 2

Create a PowerShell script file and create a Scheduled Task
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Set-ADServerSettings -ViewEntireForest $true

#Apply Retention Policy - to Mailboxes that do not have one
$policy = "DefaultPolicy"
Get-Mailbox -Filter {RetentionPolicy -eq $null} -ResultSize Unlimited | Set-Mailbox -RetentionPolicy $policy

Option 3


Create a PowerShell script and change the $policy and $GroupName variables
#########################################################
#Apply Retention Policy to members of an AD Group
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Set-ADServerSettings -ViewEntireForest $true

$policy = "LegalPolicy"
$GroupName = "LegalUsers"
$groupidentity = $(Get-Group $GroupName).Identity.DistinguishedName
Get-Mailbox -Filter {(memberofgroup -eq $groupidentity)} -ResultSize Unlimited | Set-Mailbox -RetentionPolicy $policy

Option 4

Learn how Cmdlet Extension Agents work and have at it.
http://technet.microsoft.com/en-us/library/dd335067(v=exchg.141).aspx

Friday, May 17, 2013

Pulling Enhanced Recipient Information from Exchange


Who is your daddy and what does he do?

I don’t like having to do inefficient repetitive tasks. There are situations where I want to pull specific information about a mailbox or a distribution group but I don’t want to have to look it up 5 different places in the GUI or type out the commands over and over again. This could be the user’s mailbox statistics, the ManagedBy list for distribution groups, a user’s ActiveSync device statistics, the mailbox features they have enabled, etc…

My solution 
A script that will grab a standard set of information regardless of the recipient type and the ability to supply additional parameters to grab additional information.

The basics of my script


  • Grabs the recipient object (Mailbox, Distribution Group, MailUser, Contact, etc…)
  • Mailbox
    • Name
    • Alias
    • Primary SMTP Address
    • Organizational Unit
    • City
    • Country or Region
    • Office
    • Company
    • Recipient Type Details (UserMailbox, RoomMailbox, LinkedMailbox, etc…)
    • Database
    • Hidden From Address Lists Enabled (Hidden from the GAL/OAB)
    • Mailbox Features
      • ActiveSync Enabled
      • OWA Enabled
      • ECP Enabled
      • Emws Enabled
      • POP Enabled
      • Imap Enabled
      • MAPI Enabled
      • EWS Enabled
    • Any ActiveSync Device Statistics
    • Optional
      • Logon Statistics
      • Mailbox Statistics
      • Mailbox Quota Information
      • Mailbox Folder Statistics
      • Out of Office Configuration
      • Junk Email Configuration
  • Distribution Group (Dynamic or Regular)
    • Primary SMTP Address
    • Recipient Type Details
    • Organizational Unit
    • When Created (UTC)
    • When Changed (UTC)
    • Managed By
    • Accept Messages Only From (“Allowed Senders”)
  • Mail User
    • Name
    • Alias
    • Primary SMTP Address
    • Organizational Unit
    • City
    • Country or Region
    • Office
    • Company
    • Recipient Type Details (UserMailbox, RoomMailbox, LinkedMailbox, etc…)
    • Database
    • Hidden From Address Lists Enabled (Hidden from the GAL/OAB)
    • External Email Address
  • Contact
    • Name
    • Alias
    • Primary SMTP Address
    • Organizational Unit
    • City
    • Country or Region
    • Office
    • Company
    • Recipient Type Details (UserMailbox, RoomMailbox, LinkedMailbox, etc…)
    • Database
    • Hidden From Address Lists Enabled (Hidden from the GAL/OAB)
    • Windows Email Address

Here’s the script (Get-RecipientInformation)

Example Usage

Variables
  • Name
    • The recipient alias, SamAccountName, or GUID. This should be as unique as possible.
  • Statistics [switch]
    • This will pull Mailbox, Logon and Folder Statistics for mailboxes
  • OOF [switch]
    • This will pull the Out of Office configuration for mailboxes
  • JunkEmail [switch]
    • This will pull the Junk Email configuration for mailboxes

 Mailbox

Get-RecipientInformation Han.Solo
-----------------------------------------
Recipient Information
-----------------------------------------

Name                          : Han Solo
Alias                         : Han.Solo
PrimarySmtpAddress            : LeiaIsMine@righthandedexchange.com
OrganizationalUnit            : righthandedexchange.com/Users
City                          : Hoth
CountryOrRegion               : Rebel Base
Office                        : Hanger Bay
Company                       : Rebel Alliance
RecipientTypeDetails          : UserMailbox
Database                      : Database-1138
HiddenFromAddressListsEnabled : False



-----------------------------------------
Mailbox Features
-----------------------------------------

ActiveSyncEnabled : False
OWAEnabled        : True
ECPEnabled        : True
EmwsEnabled       : False
PopEnabled        : True
ImapEnabled       : True
MAPIEnabled       : True
EwsEnabled        :



-----------------------------------------
ActiveSync Device Statistics
-----------------------------------------

DeviceFriendlyName  : Black iPhone 5
DeviceOS            : iOS 6.0.2 10A551
DeviceModel         : iPhone5C1
Status              : DeviceOk
StatusNote          :
LastSyncAttemptTime : 12/21/2012 1:46:08 AM
LastSuccessSync     : 12/21/2012 1:46:08 AM

Distribution Group

Get-RecipientInformation -Name RebelAlliance
------------------------------------------------------------
Distribution Group: RebelAlliance
------------------------------------------------------------
PrimarySmtpAddress   : DownWithTheEmpire@righthandedexchange.com
RecipientTypeDetails : MailUniversalDistributionGroup
OrganizationalUnit   : righthandedexchange.com/DistributionGroups
WhenCreatedUTC       : 8/26/2005 2:26:58 PM
WhenChangedUTC       : 4/23/2013 2:38:16 PM

ManagedBy
---------
Bail Organa

Tuesday, April 9, 2013

Oops - I deleted the user's mailbox... Please help

How to Relink/Restore a mailbox with the "Least Amount of Administrative Effort"

http://www.youtube.com/watch?v=JlsSy8xpsYs

yeah yeah yeah yeah yeah
Yeah yeah yeah yeah yeah yeah
 I think I did it again
I made you upset, your mailbox is gone
Oh Exchange
It might seem like a rush
But it doesn't mean that I'm oblivious
'Cause to lose all your emails
That is just so frustrating
Oh Exchange, baby
 Oops!...I did it again
I played with your mail, got lost in the shame
Oh Exchange, baby
Oops!...You think I’m the IT shiz
That I'm sent from below
I'm not that incompetent 


From time to time I run across a situation where an Admin has been a little overzealous and has either deleted the AD account for the user or disconnected the mailbox. Sometimes they create a new mailbox and call it "Macaroni" but that's like sewing a plaid sleeve on a polyester suit. Sure, it's a sleeve, but take a look in the mirror.

The other situation is when a user is "moved" between domains in the same forest. By "moved", I mean "deleted and then a new account created" in the new domain. The major issue with that is, the LegacyExchangeDN will be gone if you simply recreate the mailbox and the user won't have any items from the previous mailbox. Yes, you can have the user export their mailbox to PST before this action is done, but there's no guarantee that they grabbed everything. I've seen it happen where they grab the Inbox, but forget the Calendar or Contacts.

My solution 

A script that will either reconnect the previous mailbox to the AD account OR perform a restore from the previous mailbox to the new one.

The basics of my script

  • Grabs the AD User object for restoration purposes
  • Searches each mailbox server in the environment for the disconnected mailbox of the user
  • If the AD User has a mailbox
    • A New-MailboxRestoreRequest is performed to restore the items from the disconnected mailbox to the new mailbox.
    • The disconnected mailbox's LegacyExchangeDN is added to the new mailbox as an X500 address.
  • If the AD User does not have a mailbox
    • The latest disconnected mailbox is connected to the AD User

Here’s the script (Relink-Mailbox.ps1) - Download 

Example Usage

Variables      
  • Mailbox 
    • The mailbox alias, SamAccountName, or GUID. This should be as unique as possible.
  • DoNotRunDatabaseCleanup
    • Prevents the script from automatically running the Clean-MailboxDatabase cmdlet


Relink-Mailbox.ps1 -Mailbox "UserA"
Script Output


04/01/2013 14:05:52 - Grabbing user's AD Object: UserA
04/01/2013 14:06:19 - Grabbing list of disconnected mailboxes
04/01/2013 14:09:25 - Connecting Mailbox
04/01/2013 14:09:57 - Waiting for AD Replication - 4 Minutes

DisplayName     Alias          WhenChangedUTC            
-----------     -----          --------------            
A, User         UserA          04/01/2013 15:03:57   




Sunday, February 24, 2013

Fixing IMCEAEX NDRs - Missing X500 Addresses

My Lyrical Inspiration

http://www.youtube.com/watch?v=VuHVZ_-b868

Mr. IMCEA and me tell each other NDR tales
Stare at the rejected mail
"She's rejected by you. Ah, no, no, she's rejected by me."
Frowning in the transport
Coming through in Outlook
When everybody bounces you, you will never be delivered

Imagine the following scenarios

  • A user complains about something weird going on with their mailbox
    • Admin disconnects that mailbox and creates a new mailbox for the user
    • User complains that they are not receiving emails from internal users
    • User can receive emails from external senders
    • Other users complain they can’t send email to the user
    • Emailing the user from OWA works
    • Emailing the user from Outlook works when selecting them from the Address Book
  • You migrate from Exchange 2003/2007 to Exchange 2010
    • The mailbox move fails
    • A new mailbox is created and the previous mailbox imported via PST
    • Same complaints as above
  • Provisioning software “accidentally” disables the user
    • The software “fixes” the issue by adding a new mailbox to the account
    • User complains they are missing their email
    • User complains that they are not receiving emails from internal users
    • Users report receiving NDRs like the example below

Delivery has failed to these recipients or groups:
Han Solo
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server: mail.domain.com
IMCEAEX-_O=DOMAIN_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Han+20Solo891@righthandedexchange.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

The scenarios are pretty similar except for the timeframe. All stem from Outlook caching the LegacyExchangeDN for the user and not being able to find it in the Exchange system. The fix is to add the LegacyExchangeDN to the user’s mailbox as an X500 proxy address. The real issue is that we are usually reactive on this and wait until a user reports the problem and sends us an NDR. Even then, we still have to convert the mumbo-jumbo in the NDR into a valid X500 address. I don’t like being reactive or waiting for users to open tickets with this issue. I figured out that I can find this information in the Message Tracking Logs in Exchange with the EventID of FAIL. This isn’t the only information that can be gleaned from the FAIL events, but that’s a story for another day.

The basics of my script

  • Search message tracking logs for X days for all FAIL events that have a recipient that matches IMCEAEX (see the example above)
  • Convert the IMCEAEX address to a valid X500 address (strip out the junk)
  • Filter out the duplicates leaving only unique instances
  • Determine the potential user name from the X500 address and search for an existing mailbox.
  • Add the X500 address to the user’s mailbox.
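
The conversion and de-duplication steps, shown as an added example that is not the author's downloadable script. The sample recipients are constructed from the NDR above, the function name is hypothetical, and the Candidate heuristic (last CN with its trailing digits removed) is an assumption about how a user name could be derived.

```powershell
# Added example. In production the recipients would come from the tracking logs, e.g.
#   Get-MessageTrackingLog -EventId FAIL -Start (Get-Date).AddDays(-1) -ResultSize Unlimited
function Convert-ImceaexToX500 {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$Address
    )
    process {
        # Layout is IMCEAEX-<encoded LegacyExchangeDN>@<domain>; skip anything else
        if ($Address -notmatch '^IMCEAEX-(?<dn>.+)@[^@]+$') { return }

        # "_" stands for "/" and is swapped first, so a literal "_" (sent as +5F) survives
        $dn = $Matches['dn'] -replace '_', '/'

        # "+XX" is a hex-encoded character: +20 is a space, +28 is "(", +29 is ")"
        $dn = [regex]::Replace($dn, '\+([0-9A-Fa-f]{2})', {
            param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
        })

        New-Object PSObject -Property @{
            X500      = "X500:$dn"
            # Assumed heuristic: last CN component minus its trailing uniqueness digits
            Candidate = (($dn -split '/CN=')[-1] -replace '\d+$', '').Trim()
        }
    }
}

# Constructed sample data: the same failure twice (different case) plus a normal address
$failedRecipients = @(
    'IMCEAEX-_O=DOMAIN_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Han+20Solo891@righthandedexchange.com',
    'imceaex-_O=DOMAIN_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Han+20Solo891@righthandedexchange.com',
    'Leia.Organa@righthandedexchange.com'
)

# Sort-Object -Unique compares case-insensitively, so one entry per missing X500 remains
$unique = $failedRecipients | Convert-ImceaexToX500 | Sort-Object X500 -Unique
$unique | Format-List Candidate, X500

# Only add the address after the candidate resolves to exactly one mailbox; a proxy
# address on the wrong mailbox silently redirects that user's internal mail.
```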

Here’s the script - Download 

Example Usage

Variables      
  • AutoHeal
    • Attempt to fix the invalid accounts by adding the missing X500 address as a Proxy Address
  • Days
    • Number of days to search in the logs. Default is 1
  • Servers
    • Filter the list of server(s) to use. Defaults to all Transport servers.



Find-X500Failures -days 1 -AutoHeal
Script Output

Searching for messages sent after: 02/22/2013
Found 90 Unique user(s)
---------------------------------------
Results
---------------------------------------

Name              Alias              Status                              
----              -----              ------                              
Johnny B Good     Johnny.B.Good      Updated                             
Eddie Du Little   Eddie.Du.Little    Updated

Monday, February 18, 2013

Quick Reconnect of a Disconnected Mailbox

This is what I use to quickly reconnect a disconnected mailbox. You'll need to know the alias/SamAccountName of the user to reconnect.

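#Reconnect Disconnected Mailbox
$idb="username"
#Get list of disconnected mailboxes from every mailbox server
$mbxserver=Get-MailboxServer
$mbxList=$mbxserver|%{(Get-MailboxStatistics -Server $_.Name | ?{ $_.DisconnectDate -ne $null })}
#Get the User to reconnect
$user=Get-User $idb
#Search for the user in the Disconnected Mailbox List
#(exact DisplayName comparison; -match would treat the name as a regex and allow partial hits)
$dMB=@($mbxList|where {$_.DisplayName -eq $user.DisplayName}|select DisplayName, MailboxGuid, Database)
#Stop unless exactly one disconnected mailbox matches, so the wrong mailbox is never attached
if ($dMB.Count -ne 1) { throw ("Expected 1 disconnected mailbox for {0}, found {1}" -f $user.DisplayName, $dMB.Count) }
#Connect mailbox to user
Connect-Mailbox -Alias $user.SamAccountName -User $user -Database $dMB[0].Database -Identity $dMB[0].MailboxGuid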

Tuesday, February 12, 2013

How to Properly Replace a User's Mailbox Due to Corruption


Occasionally users will manage to do something to their mailbox and the only alternative to fix it is to disconnect their current mailbox and create a new one. I’m an efficiently lazy admin that likes to automate the mundane stuff to make life easier for everyone.

This involves the following steps

  • Grab information about the current mailbox
  • Disconnect source mailbox and connect new mailbox
  • Configure new mailbox with the email addresses from the old mailbox (X400, SMTP, X500, etc)
  • Restore all mail items from the previous mailbox (New-MailboxRestoreRequest)
  • Re-provision ActiveSync or BES devices (not scripted)

Here’s the script – Use it at your own risk
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

$idb="UserA"

#Get User Information
$mbx=get-mailbox $idb
$user=Get-User $idb


#Disconnect the current mailbox
Disable-Mailbox -Identity $idb -Confirm:$false
sleep 60
#Create a new mailbox
Enable-Mailbox -Identity $user -Database $mbx.Database.Name -Alias $mbx.alias -PrimarySmtpAddress $mbx.primarySMTPAddress

#Allow AD time to catch up
sleep 120

#Add LegacyExchangeDN as X500 address to prevent NDRs
$mbx.EmailAddresses+=("X500:{0}" -f $mbx.LegacyExchangeDN)
#Add SMTP Addresses from old mailbox to new mailbox - After Search is completed
Set-Mailbox -Identity $idb -EmailAddresses $mbx.EmailAddresses

#Get Disconnected Mailbox and create restore
$mbxserver=get-mailboxserver
$mbxList=$mbxserver|%{(Get-Mailboxstatistics -Server $_.name | ?{ $_.DisconnectDate -ne $null })}
$restore=$mbxList|Where-Object {$_.DisplayName -match $mbx.DisplayName}
$request=New-MailboxRestoreRequest -SourceStoreMailbox $restore.MailboxGUID -SourceDatabase $restore.Database -TargetMailbox $idb -AllowLegacyDNMismatch

$requestStatus=get-mailboxRestoreRequest $request.RequestGuid

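while ($requestStatus.Status -notmatch "Completed"){
       #Stop waiting if the restore request has failed
       if ($requestStatus.Status -match "Failed") { throw "Restore request failed" }
       #Check every 5 minutes
       Sleep 300
       $requestStatus=Get-MailboxRestoreRequest $request.RequestGuid
       #Report the refreshed status, not the status captured when the request was created
       Write-Output ("Checked at {0} : {1}" -f (Get-Date), $requestStatus.Status)
}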
Write-Output "Restore Request Completed"