Here’s the substantial list of changes included in this Rollup:

• 2510607  “Cannot open the free/busy information” error message when you try to view folder permissions in Outlook
• 2514700  Extra.exe does not trace a single user whose legacyExchangeDN attribute contains one or more special characters in an Exchange Server 2010 environment
• 2571342  The Folder contacts list is empty when a user views the properties of a mail-enabled public folder in an Exchange Server 2010 environment
• 2572029  Synchronization of an organizational forms library fails when you use Outlook in Cache mode in an Exchange Server 2010 environment
• 2586828  The EdgeTransport.exe process consumes 100 percent of CPU resources on an Exchange Server 2010 Edge Transport server
• 2589233  Meeting requests bypass the requirement for delegate approval and instead book resource mailboxes automatically in an Exchange Server 2010 environment
• 2633043  “There were no writeable domain controllers found in Active Directory site” error message when you run the ExBPA tool in an Exchange Server 2010 organization
• 2647396  You cannot disable a public folder by using the “Disable-MailPublicFolder” cmdlet in an Exchange Server 2010 environment
• 2648263  You cannot open routing log files on Exchange Server 2010 Hub Transport servers in a mixed Exchange Server 2003 and Exchange Server 2010 environment
• 2667120  MSExchangeAutodiscoverAppPool application pool crashes on an Exchange Server 2010 Client Access server when you try to view the free/busy information about a user in a trusted domain
• 2668900  Event ID 2915 is logged when you apply a fallback policy to a service account in an Exchange Server 2010 environment
• 2670099  You cannot open calendar folders that are shared by hidden users in an Exchange Server 2010 environment
• 2671128  RPC Client Access Cross-Site connectivity issues occur in an Exchange Server 2010 environment
• 2673542  MRM retention policy in the Junk E-Mail folder does not work when you manually move email messages in an Exchange Server 2010 environment
• 2673591  Crash occurs in the Autodiscover application pool in an Exchange Server 2010 environment
• 2674185  MAPI_E_CALL_FAILED errors occur when a MAPI application that uses the MAPI function in Outlook 2007 MAPI or in Outlook 2010 tries to access an Exchange Server 2010 server
• 2674445  You cannot change the access permissions of a Calendar folder in an Exchange Server 2010 environment
• 2677872  You cannot use a distribution group in the hierarchical address book when you create the group in Exchange Server 2003
• 2681250  “550 5.6.0″ NDR when a journal report is sent to an external contact in an Exchange Server 2010 environment
• 2682047  You cannot access a mailbox for several hours after you disconnect and then reconnect the mailbox in an Exchange Server 2010 SP2 environment
• 2682408  AddOrganizerToSubject parameter does not take effect when a recurring meeting conflicts with another meeting in an Exchange Server 2010 environment
• 2682895  Error message when a role assignee runs the Get-MailboxExportRequestStatistics cmdlet in an Exchange Server 2010 environment
• 2684583  You cannot delete an empty folder in a .pst file by using Outlook in an Exchange Server 2010 environment
• 2689810  A meeting request that you send from an EWS application is in plain text format instead of HTML format when an attendee opens the request by using Outlook in online mode
• 2695011  Junk Email settings do not work as expected after you migrate or move a mailbox to an Exchange Server 2010 SP1 Mailbox server
• 2695022  The E-mail Signature text box is not editable in Outlook Web App when you use Google Chrome in an Exchange Server 2010 environment
• 2695836  You cannot move a mailbox in an Exchange Server 2010 environment that has a message size limit configured
• 2696642  An additional line of space is added in each paragraph in an email message when you click the Printable View icon in Outlook Web App in an Exchange Server 2010 environment
• 2698927  Resource mailbox that has AutoAccept configured does not process a meeting request that contains custom code or script in Exchange Server 2010
• 2698960  You cannot move some users’ mailboxes from one Exchange Server 2010 mailbox database to another
• 2698976  Managed Folder Assistant does not process a mailbox that has external contacts in another tenant organization in an Exchange Server 2010 environment
• 2699023  Event ID 9646 is logged on the Exchange Server 2010 mailbox server when you access a mailbox that has more than 250 folders by using an IMAP4 client
• 2699577  GAL-related client-only message rule is not applied in Outlook after you apply RU1 for Exchange Server 2010 SP2 in an Exchange Server 2010 environment
• 2699582  Error message when you play a voice mail by using Outlook 2007 in an Exchange Server 2010 environment
• 2700544  Multiple recovery items are added to a subfolder of the Recoverable Items folder in an Exchange Server 2010 environment
• 2705425  UMWorkerProcess.exe consumes large amounts of memory when you try to listen to voice messages by using Outlook Voice Access in an Exchange Server 2010 environment
• 2705555  The Set-Mailbox cmdlet takes a long time to complete configuration in an Exchange Server 2010 environment
• 2705570  An error occurs when a user whose mailbox is hidden from the Exchange address list tries to open the Scheduling Assistant tab by using the light version of Outlook Web App
• 2705647  A user cannot log on to a mailbox that is full by using Outlook Web App in an Exchange Server 2010 environment
• 2705682  Post-reform spelling rules are not used in the Portuguese (Portugal) dictionary in Outlook Web App in an Exchange Server 2010 environment
• 2706523  You cannot create a mailbox or mail-enable a mailbox for a disabled user account in an Exchange Server 2010 environment
• 2708880  You cannot set the “Country/region” attribute of a user mailbox to “Curaçao,” “Bonaire, Sint Eustatius and Saba,” or “Sint Maarten (Dutch part)” by using the Exchange Management Console on an Exchange Server 2010 server

When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command.

Note that Rollups are cumulative, i.e. they contain fixes released in earlier Rollups for the same product level (RTM, SPx). This means you don’t need to install previous Rollups during a fresh installation but can start with the latest Rollup.

You can download Exchange 2010 SP2 Rollup 3 here.

As you may or may not know, installing SP2 on Client Access Servers introduced the breadcrumb issue which I reported here.

Unfortunately, the Language Pack (included in SP2) which was updated to fix this issue introduced an annoyance on SP2 RU1 multi-role servers, by flooding the Eventlog with 10013 error messages for non-”en-us” users after installing SP2 RU1:

The Active Directory entry for mailbox CN contains an invalid locale for attribute MsExchUserCulture: nl-NL

You can download the updated language pack bundle here. Note that you only need to apply the update on Client Access Servers.

1. It can allow users in the local organization to select the object from the (global) address list and that object exists in other organizations;
2. Exchange can route the message to its final destination using the specified targetAddress.

Reason for this blog is that I still see people putting e-mail address in the targetAddress property or the object by scripting against Active Directory (e.g. ADSI), even while they’re scripting using the Exchange Management Shell.

In the Exchange Management Shell, you can set the targetAddress by using the Set-MailContact or Set-MailUser in conjunction with the ExternalEmailAddress parameter, e.g.:

Set-MailContact  michel -ExternalEmailAddress michel@contoso.com

Setting this address is also possible using the Exchange Management Console, which may be more appropriate for testing purposes or a small number of changes (though I’d prefer the less-prone-to-error script any day):

When utilized in scripts, you can use PowerShell Piping Power (is that abbreviation already taken?) to process (CSV) files or use filtering to select the objects of which you want to configure the targetAddress, e.g.:

Get-MailContact -OrganizationalUnit “contoso.local/Division” -Filter {EmailAddresses -like *@contoso.local} -ResultSize unlimited | Set-MailContact –ExternalEmailAddress “$($_.Alias)@newcompany.local”

Get-Content “users.txt” | Get-MailContact | ForEach{ Set-MailContact $_.Identity -ExternalEmailAddress “$($_.Alias)@newcompany.local”  }

This will configure all mail-enabled contacts in the Division OU with an @contoso.local e-mail address with a target address which consists of the current alias followed by @newcompany.local. The other example uses a text file with names to process contacts and set the targetAddress to the current value of “alias” followed by the external e-mail domain.

Needless to say, the connectors between contoso and newcompany  as well as the accepted domains should be properly configured to route those contoso.local and newcompany.local domains between those organizations. Of course, this also depends on whether you’re using internal or external domain names and if you want those messages to go through the public network or not.

Note that this is also how you can set configure the targetAddress of a local (DirSync’ed) mail-enabled contact with an Office 365 mailbox in a Hybrid setup, for example after moving the mailbox to Office 365. In such case you set the targetAddress to the service domain in a Hybrid Office 365 setup, e.g. mydomain.mail.onmicrosoft.com.

Note that the problem mentioned due to replication latency may also occur when running cmdlets or scripts.

A typical issue caused by replication lag is the following error which is shown when trying to install the Mailbox server role:

Active Directory operation failed on dc01.contoso.com. This error is not retriable. Additional information: The name reference is invalid.  This may be caused by replication latency between Active Directory domain controllers.  Active directory response: 000020B5: AtrErr: DSID-03152392, #1:  0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 200ab (homeMTA)

In the Exchange setup log you can notice something like the following pattern (in this case setup takes place from a sub domain):

[04/18/2012 09:59:15.0328] [2] Active Directory session settings for 'Enable-Mailbox' are: View Entire Forest: 'True', Configuration Domain Controller: 'dc01.nl.contoso.com', Preferred Global Catalog: 'dc01.nl.contoso.com', Preferred Domain Controllers: '{ dc01.nl.contoso.com }' <snip> [04/18/2012 09:59:36.0945] [1] 0.  ErrorRecord: Active Directory operation failed on dc01.contoso.com. This error is not retriable. Additional information: The name reference is invalid. This may be caused by replication latency between Active Directory domain controllers.

You can see the Domain Controller used for updating Active Directory is different than the one used for checking. Assuming replication is working correctly, you have several options to get around the situation, depending on whether you’re running setup or executing a cmdlet or script:

First, when running setup, you can use the /DomainController parameter to specify a Domain Controller setup should use, e.g.:

setup.com /Mode:Install /Role:Mailbox /DomainController:dc1.contoso.com

Alternatively, when running a cmdlet or script you can configure the Domain Controller to use by using Set-ADServerSettings in conjunction with the PreferredServer parameter, e.g.

Set-ADServerSettings –PreferredServer dc.contoso.com

Of course, there’s also a 3rd option which would be to wait for replication cycle. However, this could take a while, depending on the structure and replication scheme.

Note that the (potential) problem mentioned in this blog is the reason why you should let scripts stick to the same Domain Controller after picking one or respect the Set-ADServerSettings setting, preventing potential replication issues like this.

For more information on Set-ADServerSettings, consult TechNet here.

Here’s the list of changes included in this rollup:

• 2519806  A meeting request that is sent by an external user or by using a non-Microsoft email system is stamped as Busy instead of Tentative in an Exchange Server 2010 environment
• 2556766  Slow performance when you create many contacts by using Exchange Web Services in an Exchange Server 2010 environment
• 2592398  Email messages in the Sent Items folder have the same PR_INTERNET_MESSAGE_ID property in an Exchange Server 2010 environment
• 2601301  Customized contact objects revert to the default form after a public folder database replication in an Exchange Server 2010 environment
• 2625450  You cannot generate an OAB file that is larger than 2GB in an Exchange Server 2010 environment
• 2630808  A user can log on to a mailbox by using Outlook for Mac 2011 unexpectedly in an Exchange Server 2010 environment
• 2632201  MAPI_E_INVALID_PARAMETER errors occur when a MAPI application receives notifications in an Exchange Server 2010 environment
• 2635223  A hidden user is still displayed in the Organization information of Address Book in OWA in an Exchange Server 2010 environment
• 2636387  Event ID 3022 is logged and you cannot replicate a public folder from one Exchange Server 2010 server to another
• 2636883  Returned message items can disappear from the search results view when you use Outlook in online mode in an Exchange Server 2010 environment
• 2641249  Error message when you use the “Folder.Bind” method in an Exchange Server 2010 environment
• 2641753  An email message from an Exchange Server 2003 user is forwarded incorrectly to an external recipient of an Exchange Server 2010 user mailbox
• 2644144  A read receipt is not sent when a receiver does not expand a conversation to preview the message by using OWA in an Exchange Server 2010 environment
• 2644920  The Get-FederatedDomainProof cmdlet fails in an Exchange Server 2010 SP1 environment
• 2645587  An external email message is not delivered to mail-enabled public folders and you do not receive NDR messages in an Exchange Server 2010 environment
• 2649499  Updates for a meeting request are sent to all attendees directly in an Exchange Server 2010 environment
• 2649679  Text in tables is displayed incorrectly in the Conversation view in Outlook Web App in an Exchange Server 2010 environment
• 2652730  You encounter failures when you run the Test-EcpConnectivity cmdlet to test Exchange Control Panel connectivity in an Exchange Server 2010 environment
• 2657103  CPU resources are used up when you use the Set-MailboxMessageConfiguration cmdlet in an Exchange Server 2010 environment
• 2660178  “More than one mailbox has the same e-mail address” error message when you try to manage a mailbox in a tenant organization in an Exchange Server 2010 SP1 Hosting mode environment
• 2661277  An ActiveSync user cannot access a mailbox in an Exchange Server 2010 forest
• 2661294  An email address policy does not generate the email addresses of recipients correctly in an Exchange Server 2010 environment
• 2663581  OK button is not displayed when you change your password in Outlook Web App by using Firefox in an Exchange Server 2010 environment
• 2664365  Certain MailboxStatistics properties are not updated when a user uses a POP3 or IMAP4 client to access a mailbox in an Exchange 2010 environment
• 2664761  DPM protection agent service may stop responding on Exchange Server 2010 servers that are protected by System Center DPM 2010
• 2665806  Error message when you open an RTF email message that has inline attachments in an Exchange Server 2010 environment
• 2672225  A user in a trusted account forest cannot use the EMC to manage an Exchange Server 2010 SP2 server
• 2673087   Error message when you try to copy the Inbox folder to another folder in Outlook in online mode in an Exchange Server 2010 environment
• 2677847  The Microsoft Exchange File Distribution service consumes large amounts of memory in an Exchange Server 2010 environment
• 2678361  The user-agent information about an Exchange ActiveSync device is not updated in an Exchange Server 2010 environment
• 2678414  The display name of a contact in address book is empty in an Exchange Server 2010 environment
• 2681464  An EWS application crashes when it calls the GetStreamingEvents operation in an Exchange Server 2010 environment
• 2685996  Error message when a user who does not have a mailbox tries to move or delete an item that is in a shared mailbox by using Outlook Web App Premium
• 2688667  W3wp.exe consumes excessive CPU resources on Exchange Server 2010 Client Access servers when users open recurring calendar items in mailboxes by using Outlook Web App or EWS
• 2693078  EdgeTransport.exe process crashes in an Exchange Server 2010 environment
• 2694280  Whatif switch does not work in the Set-MoveRequest or Resume-MoveRequest cmdlet in an Exchange Server 2010 environment
• 2694289  Resource mailbox does not forward meeting request to delegates after one of the delegates’ mailbox is disabled in an Exchange Server 2010 environment
• 2694414  The update tracking information option does not work in an Exchange Server 2010 environment
• 2694473  File name of a saved attachment is incorrect when you use OWA in Firefox 8 in an Exchange Server 2010 environment
• 2694474  Incorrect delivery report when you send an email message to a recipient who has configured an external forwarding address in an Exchange Server 2010 environment
• 2696857  EdgeTransport.exe process crashes without sending an NDR message when you send a message to a distribution group in an Exchange Server 2010 environment
• 2696905  Day of the week is not localized in MailTips in Outlook Web App in an Exchange Server 2010 environment
• 2696913  You cannot log on to Outlook Web App when a proxy is set up in an Exchange Server 2010 environment

When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command.

Note that update rollups are cumulative, i.e. they contain fixes released in earlier update rollups for the same product level (RTM, SP). This means you don’t need to install previous update rollups during a fresh installation but can start with the latest rollup.

You can download Exchange 2010 SP2 Rollup 2 here.

Here’s the list of changes included in this rollup:

• 2617514  Old spelling rules on the Brazilian Portuguese dictionary in OWA in an Exchange Server 2007 SP3 environment
• 2645789  MAPI_E_NOT_FOUND error when a MAPI application calls the GetProps method on an Exchange Server 2007 mailbox server
• 2654700  Certain mailbox rules do not work automatically after you move a mailbox from an Exchange Server 2007 server to an Exchange Server 2010 server and then move it back
• 2677583  Move operation is not completed and 100 percent of CPU resources are consumed on an Exchange Server 2007 Mailbox server
• 2677979  MSExchangePOP3 service crashes in an Exchange Server 2007 environment
• 2680793  Free/busy lookups between Lotus Notes and Exchange Server 2007 users stop responding
• 2682570  Store.exe crashes on Exchange Server 2007 servers when a public folder that contains an empty PR_URL_NAME property is replicated in a mixed Exchange Server 2007 and Exchange Server 2010 environment
• 2690628  Pre-reform spelling rules are used in the Portuguese (Portugal) dictionary in Outlook Web Access in an Exchange Server 2007 environment
• 2694267  MSExchangeRepl.exe process crashes when Active Directory returns the LDAP_PARAM_ERROR value in an Exchange Server 2007 environment
• 2694274  User who has the Full Access permission cannot open another user’s mailbox by using Outlook Web App in a mixed Exchange Server 2007 and Exchange Server 2010 environment
• 2694291   The autocomplete=”off” parameter is missing in Outlook Web Access in an Exchange Server 2007 environment
• 2696628  You receive duplicate read receipts from a user who is using an IMAP4 client in an Exchange Server 2007 environment

Note that this version will also fix the CAS-CAS proxy issue with Exchange 2010 SP1 (KB2696649).

When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command.

Note that update rollups are cumulative, i.e. they contain fixes released in earlier update rollups for the same product level (RTM, SP). This means you don’t need to install previous update rollups during a fresh installation but can start with the latest rollup.

One special note: Exchange 2007 Mainstream Support has ended, making this the final standard support release. Extended support will end on April 11th, 2017.

You can download Exchange 2007 SP3 Rollup 7 here.

Note: Apparantly there was also a 18.2 version, which wasn’t announced publicly on the EHLO blog. It looks like 18.2 was released on April 7th. I’ll also mention the changes in that version compared to the last publicly announced version, which was 17.8.

Enhancements and Bug Fixes since version 18.2:

• Fixed the Storage worksheet’s “RAID Storage Configuration” Table to exclude showing “Total Number of Disks Required” for designs that do not have lagged database copies and are deploying in a JBOD configuration.
• Added a notification to Role Requirements regarding scenarios that result in >2TB databases.
• Fixed an error notification to indicate when the input parameters have resulted in a design that has more HA copies than available Mailbox servers.
• Fixed the DAG LUN total space calculation to be based on the total number of database copies, not the total number of mailbox servers.
• Fixed the database copy validation formula to ensure there is at least 1 HA copy or lagged database copy in the secondary datacenter when site resilience is enabled.
• Fixed servers.csv to not add a space between the comma and drive letter.
• Fixed cells to have the correct color formatting.
• Updated BDM throughput requirements to stipulate 7.5MB/s per database as the worst case, which aligns with what can potentially be seen in Jetstress runs.

Enhancements and Bug Fixes in version 18.2 when compared to version 17.2:

• Fixed the calculator’s database copy validation check function to allow for a single DAG to be stretched between datacenters when the database copy count is even.
• Fixed the “Storage Design Results Pane – Total Disks Required” when leveraging the “As Calculated” results to not highlight RAID disks for a datacenter’s server when JBOD was the appropriate choice in the “RAID Storage Configuration” choice.  Likewise, the “JBOD Storage Configuration” table’s calculations were also fixed to not highlight the use of JBOD disks for a datacenter’s server when RAID was the appropriate choice.
• Fixed an error in Storage Results where the Secondary Datacenter storage architecture tables would report the Primary Datacenter disk type and capacity instead of Secondary Datacenter disk type for RAID architectures.
• Fixed an erroneous alert on the Input worksheet regarding not having enough IO capability for JBOD due to isolating logs from databases.
• Fixed the calculated maximum database size for JBOD scenarios to allow for 2TB databases when >2.5TB disk sizes are selected.

You can download the calculator here. For more information please consult the changeblog or usage instructions.

Instead, Outlook will return a “There are no items to show in this view” message. The folder in the folder navigation pane displayed the proper number of (unread) items in the folder.

This could be the symptom of an issue which was already solved in Exchange 2010 Service Pack 1 Rollup 5. It seems the Office 365 data centers are not running a current version of Exchange, as today I received the message the Office 365 environment is currently being upgraded with Exchange 2010 Service Pack 2. The message also mentions the upgrade is to be completed at the end of the month.

More information on the issue in knowledge base articles kb2500648, announcing the fix is included in Exchange 2010 SP1 RU5.

Until then, the suggested workaround is to click one of the columns twice after which Outlook will update the view properly. Of course, you could also enable cached mode, if your setup and company policy permits (e.g. not running Outlook on terminal server).

These appliances contain a feature called fixup protocol smtp, SMTP fixup, (E)SMTP inspect(ion) or Mailguard (Cisco), which – when enabled – limit the number of allowed SMTP verbs or obfuscate parts of SMTP dialogs. This tampering will cause problems when you try to configure SMTPS connections between e-mail servers and will prevent you from configuring a working Exchange Hybrid deployment, where TLS secured communications between the on-premise environment and Office 365 is enforced.

Note: By enforced, I mean it requires TLS which is more strict than opportunistic TLS,  which will attempt to set up TLS before continuing with regular SMTP communications.

You’ll end up with Office 365 specific Receive and Send connectors after setting up your Hybrid configuration using the Hybrid Configuration Wizard (or manually). Then, when sending e-mail between on-premise and Office 365, you notice e-mail doesn’t arrive and will remain queued.

After verifying your ISA or TMG isn’t blocking things (ports are open, SMTP filter not blocking STARTTLS etc), you start troubleshooting the issue by enabling Verbose logging for the Office 365 send connector (of course, this can also be achieved using the Exchange Management Console):

Set-SendConnector “Outbound to Office 365” –ProtocolLoggingLevel Verbose

The logs will by default be generated in the $exinstall \V14\TransportRoles\Logs\ProtocolLog\SmtpSend ($exinstall will contain the Exchange installation path).

If you look at the current log file, you’ll see the following pattern for each possible destination – in the example below the TX2EHSMHS017.bigfish.com – as the local Exchange 2010 hybrid server will try to get the message(s) delivered:

Outbound to Office 365,08CEBBEB07152FBC,0,,65.55.88.22:25,*,,attempting to connect 
Outbound to Office 365,08CEBBEB07152FBC,1,192.168.1.11:51841,65.55.88.22:25,+,, 
Outbound to Office 365,08CEBBEB07152FBC,2,192.168.1.11:51841,65.55.88.22:25,<,220 **********************************************************************************************, 
Outbound to Office 365,08CEBBEB07152FBC,3,192.168.1.11:51841,65.55.88.22:25,>,EHLO mail.contoso.com, 
Outbound to Office 365,08CEBBEB07152FBC,4,192.168.1.11:51841,65.55.88.22:25,<,250-TX2EHSMHS017.bigfish.com Hello [92.70.102.115], 
Outbound to Office 365,08CEBBEB07152FBC,5,192.168.1.11:51841,65.55.88.22:25,<,250-SIZE 157286400, 
Outbound to Office 365,08CEBBEB07152FBC,6,192.168.1.11:51841,65.55.88.22:25,<,250-PIPELINING, 
Outbound to Office 365,08CEBBEB07152FBC,7,192.168.1.11:51841,65.55.88.22:25,<,250-ENHANCEDSTATUSCODES, 
Outbound to Office 365,08CEBBEB07152FBC,8,192.168.1.11:51841,65.55.88.22:25,<,250-XXXXXXXA, 
Outbound to Office 365,08CEBBEB07152FBC,9,192.168.1.11:51841,65.55.88.22:25,<,250-AUTH, 
Outbound to Office 365,08CEBBEB07152FBC,10,192.168.1.11:51841,65.55.88.22:25,<,250-8BITMIME, 
Outbound to Office 365,08CEBBEB07152FBC,11,192.168.1.11:51841,65.55.88.22:25,<,250-BINARYMIME, 
Outbound to Office 365,08CEBBEB07152FBC,12,192.168.1.11:51841,65.55.88.22:25,<,250 XXXXXXXB, 
Outbound to Office 365,08CEBBEB07152FBC,13,192.168.1.11:51841,65.55.88.22:25,*,,Connector is configured to send mail only over TLS connections and remote doesn't support TLS 
Outbound to Office 365,08CEBBEB07152FBC,14,192.168.1.11:51841,65.55.88.22:25,>,QUIT,

As you can notice in this example, the SMTP banner has been turned into stars and AUTH and STARTTLS have been changed by the appliance into XXXXXXXA and XXXXXXXB. This behavior is typical of Cisco’s Mailguard feature; other smtp obfuscating appliances might result in different output. Key indicator is, expected elements are missing or garbled.

In such cases, you need to make sure SMTP traffic between on-premise and Office 365 goes through unfiltered. Depending on the capabilities of the device, you could allow the FOPE addresses to go through unfiltered. If that’s not an option, or you don’t like managing that address set, you need to disable the feature completely.

Note that Cisco is not the only vendor offering SMTP obfuscating products; companies like Checkpoint, Barracuda, Sonicwall or Symantec offer products with the feature mentioned above.

When inspecting the Update-HybridConfiguration results, it reads:

Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Creating Organization Relationships.
Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.
Federation information could not be received from the external organization.
..

The problem lies in the sentence “Federation Information could not be received from external organization”. To see where it goes wrong, you could run Set-HybridConfiguration and Update-HybridConfiguration manually, using additional parameters as shown in the result screen, providing proper credentials and additionally addint the Verbose parameter to increase output logged.

Most of the time this problem comes down to one of the following issues, which can be verified by running the following cmdlet, where example.com is to be replaced by the federated domain:

Get-FederationInformation example.com –Verbose

You’ll probably see the cmdlet going trough the discovery motions using autodiscover, ending up in the same “Federation information could not be received from the external organization” message. When analyzing this output, you’ll see it contains two hints on the potential issues:

Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.example.com/autodiscover/autodiscover.svc;Exception=Discovery for domain example.com failed.; …

1. Autodiscover
The first issue often overlooked is internal autodiscover not working via DNS or not being set up properly, i.e. split DNS configurations. Some customers don’t configure internal DNS autodiscover records or don’t allow (internal) autodiscover to go through the proxy from inside.

Normally, when using regular clients like Outlook, this isn’t an issue because domain joined clients will be using SCP records from AD. However, federation will use DNS records so you need allow it or set it up in DNS; a CNAME for autodiscover.example.com as well as autodiscover.service.example.com pointing to your hybrid server will suffice.

Also make sure you enable WSSecurity authentication for autodiscover on your hybrid server using:

Set-AutodiscoverVirtualDirectory -Identity ‘autodiscover (Default Web Site)’ –WSSecurityAuthentication $true

2. Proxy rules
In the error message you’ll notice a autodiscover-related request going to /autodiscover/autodiscover.svc. These requests are normally caught by the autodiscover rule (path /autodiscover/*) in ISA or TMG. Issue is, these service requests require unauthenticated traffic. When you turn on logging in TMG, you’ll notice the requests for /autodiscover/autodiscover.svc will be denied.

To solve this issue, and to get federation working, you need to set up an additional ISA/TMG rule pointing to the hybrid server, using the proper public names (don’t forget autodiscover), bound to the OWA listener. You need to allow All Users (as opposed to Authenticated Users), set authentication to “No Authentication, but users can authenticate directly” and configure the following paths:

• /EWS/Exchange.asmx/wssecurity
• /Autodiscover/Autodiscover.svc
• /Autodiscover/Autodiscover.svc/wssecurity

After configuring the rule, you need to put it above all the other Exchange rules, making it the first matching rule when federation traffic hits ISA/TMG.

After applying the rule changes, Get-FederationInfo example.com should work and you can continue with the Hybrid Configuration.

For more information on setting up co-existence, consult the steps provided by the Exchange Deployment Assistent.