Exchange 2013 Cumulative Update 8

Ex2013 LogoToday, Cumulative Update 8 for Exchange Server 2013 was released by the Exchange Team (KB3030080). This update raises Exchange 2013 version number to 15.0.1076.9.

This Cumulative Update introduces changes in the following areas:

  • Calendar and Contact Modern Public Folders favorites added in Outlook are now accessible in OWA.
  • Batch Migration of Public Folders to 2013 improves migration throughput and PF migration experience.
  • Increased support limits for Public Folders with Exchange on-premises deployments (500,000 for co-existence, or 1,000,000 for CU8-only deployments). Number of supported PF mailboxes stands at 100 though, with a per-PF mailbox limit of 100,000 Public Folders.
  • Supported EAS clients are now redirected to Office 365 upon successful Hybrid migration.

Next to DST corrections, this Cumulative Update introduces the following fixes:

  • 3045301 SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2013 environment
  • 3040681 MapiExceptionTimeout error during a hierarchy synchronization process of multiple public folders in Exchange Server 2013
  • 3037417 Outlook cannot download an OAB file in an Exchange Server 2013 environment that mixes Exchange Server 2010
  • 3037291 Can’t add members to Outlook contact group by using MAPI over HTTP
  • 3036952 Mailbox quota warning messages are not sent out after you migrate from Exchange Server 2010 to Exchange Server 2013
  • 3036374 Incorrect NDR size limit message is displayed for German localization in an Exchange Server 2013 environment
  • 3036365 “The specified address is not recognized or does not exist” error message in an Exchange Server 2013 environment
  • 3032153 Recurring events in Calendar over DST are not adjusted on all ActiveSync devices in all Exchange Server environments
  • 3031133 Default folders are duplicated after you migrate mailboxes to Exchange Server 2013
  • 3031069 Mails are spoofed in Office 365 or in an Exchange Server 2013 environment
  • 3030629 Outlook cannot open a shared folder on which a group you attend has the Reviewer permission in Exchange Server 2013
  • 3018518 Garbled text in the Japanese “From” field in a forwarded DBCS message
  • 3016440 Public folder mailbox quarantined
  • 3012266 Update to increase availability address spaces to 200 in Exchange Server 2013
  • 3011579 SaveChanges fails and generates a MAPI_E_NOT_FOUND error message on a large message body in Exchange 2013 CU6
  • 3006861 “The SMTP address has no mailbox associated with it” error when you access a user’s mailbox by using EWS application
  • 3003974 Improved support for MSG files in an Exchange Server 2013 environment where OPENTEXT products are used
  • 2988060 Cannot see the auditing results for an HttpModule-based extension for MAPI over HTTP protocol in Exchange Server 2013
  • 2986941 “An Active Directory error 0x51 occurred” error when you run the “Setup /PrepareAD” command from a DC in Exchange 2013
  • 2961741 Exchange Server 2013 delegated setup fails when the setup account is a member of Domain Admins

Notes:

  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • Previously released CU7 introduced changes to prevent restoration of pre-CU7 databases. Pre-CU7 users are advised to perform a full backup post-upgrade to CU7 or later.
  • Previously released CU7 added support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
  • Previously released CU5 introduced OAB architectural changes which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.

This Cumulative Update does not include schema or Active Directory changes when compared to Cumulative Update 7. If you have deployed a version earlier than CU7, make sure you run PrepareSchema /PrepareAD.  If you want to speed up the Cumulative Update installation process, you can temporarily disable certificate revocation checking as described here.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 8 here; UM Language Packs can be found here.

Role-based Access Control

security officer RBACIt has been over 5 years (wait, what?) since I wrote an article on Role-based Access Control, or RBAC, in Exchange 2010. At that time, RBAC was a big architectural change in Exchange 2010 over Exchange 2007.

Present day, RBAC is still a much neglected topic in many Exchange organizations. It must be said that most organization can happily live with the default RBAC configuration. They have no need to dive in this versatile model to set up granular permissions in their organization. In bigger organizations, this configuration can also easily become quite complex.

For TechTarget I started writing few articles on the topic of RBAC, starting with the base components. There you can find Part 1, Part 2, and Part 3.

Blocking Outlook App for iOS & Android

imageYesterday, Microsoft announced the immediate availability the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December, last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Accompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which will retrieve e-mail from a POP or IMAP mailbox, will also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365,  is:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0″ (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).

As goes for all mobile devices in enterprise environments, as an organization it may be better to test and aprove devices and OS versions rather than to be confronted with mobile apps with possible faulty behavior after an update or which may violate corporate security policies.

(Re)configuring IM Integration

powershellAnyone who has configured Exchange 2013 IM integration with Lync Server at some point has to modify the web.config file on the Mailbox servers to configure OWA with the proper certificate for enabling IM. Another thing (read: nuisance) is that when you have configured IM integration and you apply a Cumulative Update to Exchange 2013, the web.config will be overwritten, in which case you need to reapply those changes to the web.config file.

This is where the script Configure-IMIntegration.ps1 might come in handy.

Requirements
Using the script requires Exchange 2013 and Lync Server. You need to provide the Lync pool and the Mailbox server you want to configure needs to have a valid certificate assigned to UM services. The script will modify the web.config remotely using the system share (e.g. C$), using the location of the Exchange installation, and uses WMI to recycle the OWA Application Pool in IIS. It will create a backup of the web.config before modifying it.

Note that the script does not perform the following steps:

  • It does not perform the Lync Server parts to configure IM integration, e.g. configure Exchange as a trusted application.
  • It does not configure Lync Server as an partner application for Exchange (Configure-EnterprisePartnerApplication.ps1).

Usage
The script Configure-IMIntegration.ps1 uses the following syntax:

.\Configure-IMIntegration.ps1 [-Server <String>] -PoolFQDN <String> [-AllCAS] [-AllMailbox]

A quick walk-through on the parameters and switches:

  • Server specifies the server to configure. When omitted, it will configure the local server. This parameter is mutually exclusive with AllMailbox.
  • AllMailbox switch specifies to configure all Mailbox servers. This switch is mutually exclusive with Server.
  • AllCAS switch specifies to enable IM integration on all Client Access servers.
  • PoolFQDN specifies the FQDN of the Lync Pool to use. This parameter is required.

So, suppose you want to quickly reconfigure IM integration on a Mailbox server after applying a Cumulative Update, you can use:

.\Configure-IMIntegration.ps1 -PoolFQDN lync.contoso.com –Server exchange01.contoso.com

image

Or, you can quickly configure Mailbox servers and CAS servers for IM integration after performing the required steps to configure the trusted application settings and installing and assigning the certificate for UM:

.\ Configure-IMIntegration.ps1 -PoolFQDN lync.contoso.com -AllMailbox –AllCAS

image

Note that the script will skip Mailbox servers for which it cannot find a valid UM certificate assignment. Also, in the example above, the CAS servers had already been enabled for IM.

Download
You can download the script from the TechNet Gallery here.

Feedback
Feedback is welcomed through the comments. If you got scripting suggestions or questions, do not hesitate using the contact form.

Revision History
See TechNet Gallery page.

Book: Pro Exchange 2013 SP1 PowerShell Administration

As some of you may have noticed, it has been a bit more quiet here than it used to be. Well, the reason for that, after several months of collaborative hard work, blood, sweat and tears, is finally here (and in stores just in time for the Holidays): A book titled Pro Exchange 2013 Service Pack 1 PowerShell Administration!

2013pa

Together with fellow Exchange MVP Jaap Wesselius, we will talk you through topics such as:

  • Deployment and co-existence scenarios.
  • The Client Access Server role and topics such as namespaces, certificates, load balancing, and publishing.
  • The Mailbox Server role and topics such as managing mailboxes, distribution lists and recipients, message transport
  • High availability topics like Database Availability Groups and Client Access and Transport availability.
  • Message Hygiene using the Edge Transport server role and anti-spam features.
  • Backup, Restore and Disaster Recovery, including the backup-less’ Native Data Protection scenario.
  • Unified Messaging features and integration with IP telephony solutions such as Microsoft Lync Server.
  • Compliance features like In-Place Archiving and MRM, In-Place Discovery, In-Place Hold, Data Loss Prevention including fingerprinting, and auditing.
  • Role-Based Access Control model and Split Permissions model for organizations that require this.
  • Office 365 and Exchange Online (EXO) scenarios, federating organizations, directory synchronization, ADFS and Multi-Factor Authentication, as well as basic tasks like onboarding and offboarding mailboxes.

Our 600+ page book will take a PowerShell-first approach when talking about Exchange Server 2013. You can order the book from Amazon here.

I have also added it to the book page here, which also contains other useful books when you want to learn about Exchange or related technologies like PowerShell, Active Directory or Lync Server.

Outlook 2010 gets MAPI/http support

Office-2010-Outlook-Icon[1]Update (December 13th, 2014): Hotfix pulled until further notice due to possible issues.

A quick heads-up today as the recently released KB2899591 hotfix adds MAPI/http support for Outlook 2010 clients. This will benefit organizations using Exchange 2013 SP1 or later considering switching from RPC/http to MAPI/http. The KB article includes details on the additional fixes that are included in hotfix KB2899591 as well.

You can request the hotfix for x86 and x64 versions of Outlook 2010 here.

Links to background information on MAPI/http, its impact on client performance, and impact on network traffic in an earlier blog post here.

Exchange 2013 Cumulative Update 7

Ex2013 LogoToday, Cumulative Update 7 for Exchange Server 2013 was released by the Exchange Team (KB2986485). This update raises Exchange 2013 version number to 15.0.1044.25.

Note: Customers that run backups of their Exchange databases are advised to upgrade to CU7 and perform a post-upgrade full backup. This is due to a race condition which could prevent proper restoration of pre-CU7 Exchange databases.

This Cumulative Update contains a security update to fix a potential elevation of privilege issue (bulletin MS14-075), as well as the following fixes:

  • 3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
  • 3012655 New-MailboxImportRequest causes unreadable characters when you import an ANSI format .pst file of Russian language
  • 3012652 CalendarProcessing cmdlet does not generate delegate permissions to universal security groups in Exchange Server 2013
  • 3009631 Advanced Find against the Sent Items folder in Outlook returns no result in Exchange Server 2013
  • 3009612 Outlook Web App shows organization details on the contact card beyond the scope of user ABP in Exchange Server 2013
  • 3009291 Shared mailbox cannot be opened in Outlook in an Exchange Server 2013 environment that has multiple domains
  • 3008453 Cannot edit or delete forms from the organizational forms library in Exchange Server 2013
  • 3008438 User who is trying to Log on to Exchange Admin Console is logged in to OWA instead
  • 3006672 Move request fails if the IsExcludedFromProvisioning option is true in Exchange Server 2013
  • 3005391 Exchange Server 2013 Cumulative Update 5 breaks free|busy lookup from Exchange Online to Exchange Server 2007
  • 3003986 RejectMessageReasonText in transport rule appears in the user section of a DSN in Exchange Server 2013
  • 3001217 TLS 1.0 is hardcoded for SMTP traffic encryption in Exchange Server 2013
  • 3001037 Distribution group cannot send email messages to a mail enabled public folder in an Exchange Server 2013 environment
  • 2999031 A cross-forest mailbox move from Exchange Server 2007 to Exchange Server 2013 finishes with CompletedWithWarnings status
  • 2998144 New-MoveRequest cmdlet with RemoteLegacy parameter cannot perform a cross-forest mailbox move
  • 2988553 Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013
  • 2981538 Exchange Control Panel crashes when you proxy from Exchange 2013 to Exchange 2010
  • 3014051 Cannot migrate mailboxes in a multiple domains environment in Exchange Server 2013
  • 3012986 ContentIndexRetryQueueSize value for a passive node never drops to zero in Exchange Server 2013 Cumulative Update 6
  • 3004011 Sound alerts do not work in Outlook Web App when new email or calendar notification is received in Exchange Server 2013
  • 3003580 Event ID 4999 and 4401 when the Microsoft Exchange Replication service crashes in Exchange Server 2013
  • 3003518 “550 5.7.1″ NDR when you send messages to external recipients in an Exchange Server 2013 hybrid environment
  • 3003068 Cannot see online archive mailbox after you upgrade to Exchange Server 2013 Cumulative Update 6
  • 3000944 Subfolders under the Deleted Items folder are not visible in Outlook in an Exchange Server 2013 environment
  • 2997847 You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6
  • 2997355 Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6
  • 2997209 Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007
  • 2995263 OAB cannot be rebuilt if the .flt file is larger than two GB in Exchange Server 2013
  • 2994216 PublicFolderMoveRequest deletes all read or unread state in target mailbox for each user in Exchange Server 2013
  • 2993871 Resource Booking Assistant crashes after you upgrade to Exchange Server 2013 Cumulative Update 5
  • 2983216 Category setting on an item in Outlook jumps the selection to the top of the list in an Exchange Server 2013 environment
  • 2931223 MAPI virtual directory is missing from Default Web Site node

Notes:

  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • CU7 adds support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
  • Be advised of OAB architectural changes introduced with CU5 which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.
  • If you have installed the Interim Update to fix Hybrid Configuration Wizard, you can install the Cumulative Update over it – there is no need to uninstall the IU prior to installing CU6.

This Cumulative Update includes schema and AD changes, so make sure you run PrepareSchema / PrepareAD. After updating, the schema version will be 15312. If you want to speed up the process, you can temporarily disable certificate revocation checking as described here.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 7 here; UM Language Packs can be found here.

Exchange 2013 Server Role Requirements Calculator 6.6

Ex2013 LogoNote: Shortly after publishing, a minor update was made in to fix circular referencing in the sheet.

Next to an updated Exchange 2010 Server Role Requirements calculator, the Exchange team published an update for the Exchange 2013 Server Role Requirements Calculator as well. The new version number is 6.5.

This new version includes a nice new feature, courtesey of Excel, which will plot mailbox usage using the provided input. You can find this chart on the Mailbox Space Modeling tab.

msm

Changes since version 6.5:

  • Fixed circular logic issue with initial mailbox size calculation

Changes since version 6.3:

  • New: The calculator now includes mailbox space modeling graphs that extrapolates (for each mailbox tier) the projected amount of time it will take to consume the mailbox quota.
  • Fixed “Number of Exchange Data Volumes per Server” to support more than 50 volumes.
  • Optimized memory sizing for FAST which reduces memory requirements for small mailbox server designs.
  • Added the ability to specify multiple AutoReseed volumes per DAG server to calculator and scripts.
  • Fixed 3 database/volume layout scenario involving 100 copies/server.
  • Fixed rounding error in calculating number of databases/volume in “2 Volumes / Backup Set”
  • Log isolation is now a calculated property to align with best practices guidance.
  • Changed “Disk” to “Vol” in left column of Distribution tab to align with scenarios that do not involve JBOD configurations.
  • Added additional processor core options.
  • Fixed JBOD storage design results table to accurately account for Restore Disk capacity being set to “–” and for differences between PDC and SDC Restore Disk capacity settings.
  • Fixed Backup Requirements worksheet to expose Weekly Full backups correctly.
  • Various comment changes/corrections.

You can download the calculator here. For more information, please consult the list of changes here or Read Me here.

Ex2013 CU6 & Ex2007 coexistence issue for EAS

Ex2013 LogoA short notice on an issue when you have deployed Exchange 2013 Cumulative Update 6 in coexistence in an Exchange 2007 environment. Exchange fellow Tony Redmond did a write-up on the issue here.

The issue prevents ActiveSync users whose mailbox reside on Exchange 2007 to authenticate properly when their requests are being proxied from Exchange 2013 CU6 to Exchange 2007. It has been identified in KB2997847. Alternatively, you direct Exchange 2007 EAS traffic directly to Exchange 2007 CAS servers when they are internet-facing and published.

Be advised that a previous known issue in this deployment scenario with delegates and dismounting stores has been identified in KB2997209.

Both articles provide links to request these hotfixes.

Another Exchange fellow, Jason Sherry, is keeping track of resolved and open Exchange 2013 CU6 issues here.

Exchange2013-KB2997355-FixIt-v2

Ex2013 LogoAs mentioned earlier, when you have deployed Exchange Server 2013 Cumulative Update 6 in a Hybrid deployment, several Office 365-related mailbox functions will not show up in the Exchange Admin Center (EAC). The issue was identified by Microsoft in KB2997355 and a fix was published.

However, the script to fix the issue looks for the XAML file in the default Program Files folder, using the default Exchange installation folder. Better is to check the actual Exchange installation folder, which can easily be accomplished in Exchange Management Shell using the $exinstall environment variable, or by reading the folder from the registry.

To help those installing Exchange in a non-default installation folder, and I know there are quite a few of you out there, who are hesitant to correcting the installation path in the provided FixIt script, I have create an alternative version of the Exchange2013-KB2997355-FixIt script. This version will read the installation path from the registry. Not disturbing but changed as well is correcting the XAML file in one go, unlike the official script which performs 3 consecutive read/modify/write actions on the same file.

You can download the Exchange2013-KB2997355-FixIt-v2.ps1 script here.