Instead of showing up “Mail”, OWA displayed “Globale Adreslijst” (Global Addresslist) which might be confusing to end users.

To implement the hotfix, you need to apply the , dated 20 Feb, 2012, on your Exchange 2010 SP2 Client Access Servers.

You can download the Microsoft Exchange Server 2010 SP2 Language Pack Bundle (219 MB) here.

(Thanks to Jetze for the heads-up).

Here’s the huge list of changes included in this rollup:

• 2465015  You cannot view or download an image on a Windows Mobile-based device that is synchronized with an Exchange Server 2010 mailbox
• 2492066  An automatic reply message is still sent after you clear the “Allow automatic replies” check box for a remote domain on an Exchange Server 2010 server
• 2492082  An Outlook 2003 user cannot view the free/busy information of a resource mailbox in a mixed Exchange Server 2010 and Exchange Server 2007 environment
• 2543850  A GAL related client-only message rule does not take effect in Outlook in an Exchange Server 2010 environment
• 2545231  Users in a source forest cannot view the free/busy information of mailboxes in a target forest in an Exchange Server 2010 environment
• 2549255  A meeting item displays incorrectly as multiple all-day events when you synchronize a mobile device on an Exchange Server 2010 mailbox
• 2549286  Inline contents disposition is removed when you send a “Content-Disposition: inline” email message in an Exchange Server 2010 environment
• 2556113  It takes a long time for a user to download an OAB in an Exchange Server 2010 organization
• 2557323  Problems when viewing an Exchange Server 2003 user’s free/busy information in a mixed Exchange Server 2003 and Exchange Server 2010 environment
• 2563245  A user who has a linked mailbox cannot use a new profile to access another linked mailbox in an Exchange Server 2010 environment
• 2579051  You cannot move certain mailboxes from an Exchange Server 2003 server to an Exchange Server 2010 server
• 2579982  You cannot view the message delivery report of a signed email message by using Outlook or OWA in an Exchange Server 2010 environment
• 2585649  The StartDagServerMaintenance.ps1 script fails in an Exchange Server 2010 environment
• 2588121  You cannot manage a mail-enabled public folder in a mixed Exchange Server 2003 and Exchange Server 2010 environment
• 2589982  The cmdlet extension agent cannot process multiple objects in a pipeline in an Exchange Server 2010 environment
• 2591572  “Junk e-mail validation error” error message when you manage the junk email rule for a user’s mailbox in an Exchange Server 2010 environment
• 2593011  Warning 2074 and Error 2153 are logged on DAG member servers in an Exchange Server 2010 environment
• 2598985  You cannot move a mailbox from a remote legacy Exchange forest to an Exchange Server 2010 forest
• 2599434  A Public Folder Calendar folder is missing in the Public Folder Favorites list of an Exchange Server 2010 mailbox
• 2599663  The Exchange RPC Client Access service crashes when you send an email message in an Exchange Server 2010 environment
• 2600034  A user can still open an IRM-protected email message after you remove the user from the associated AD RMS rights policy template in an Exchange Server 2010 environment
• 2600289  A user in an exclusive scope cannot manage his mailbox in an Exchange Server 2010 environment
• 2600943  EMC takes a long time to return results when you manage full access permissions in an Exchange Server 2010 organization that has many users
• 2601483  “Can’t open this item” error message when you use Outlook 2003 in online mode in an Exchange Server 2010 environment
• 2604039  The MSExchangeMailboxAssistants.exe process crashes frequently after you move mailboxes that contain IRM-protect email messages to an Exchange Server 2010 SP1 mailbox server
• 2604713  ECP crashes when a RBAC role assignee tries to manage another user’s mailbox by using ECP in an Exchange Server 2010 environment
• 2614698  A display name that contains DBCS characters is corrupted in the “Sent Items” folder in an Exchange Server 2010 environment
• 2616124  Empty message body when replying to a saved message file in an Exchange Server 2010 SP1 environment
• 2616230  IMAP4 clients cannot log on to Exchange Server 2003 servers when the Exchange Server 2010 Client Access server is used to handle proxy requests
• 2616361  Multi-Mailbox Search fails if the MemberOfGroup property is used for the management scope in an Exchange Server 2010 environment
• 2616365  Event ID 4999 when the Store.exe process crashes on an Exchange Server 2010 mailbox server
• 2619237  Event ID 4999 when the Exchange Mailbox Assistants service crashes in Exchange 2010
• 2620361  An encrypted or digitally-signed message cannot be printed when S/MIME control is installed in OWA in an Exchange Server 2010 SP1 environment
• 2620441  Stop-DatabaseAvailabilityGroup or Start-DatabaseAvailabilityGroup cmdlet fails when run together with the DomainController parameter in an Exchange Server 2010 environment
• 2621266  An Exchange Server 2010 database store grows unexpectedly large
• 2621403  “None” recipient status in Outlook when a recipient responds to a meeting request in a short period of time in an Exchange Server 2010 environment
• 2628154  “The action couldn’t be completed. Please try again.” error message when you use OWA to perform an AQS search that contains “Sent” or “Received” in an Exchange Server 2010 SP1 environment
• 2628622  The Microsoft Exchange Information Store service crashes in an Exchange Server 2010 environment
• 2628693  Multi-Mailbox Search fails if you specify multiple users in the “Message To or From Specific E-Mail Addresses” option in an Exchange Server 2010 environment
• 2629713  Incorrect number of items for each keyword when you search for multiple keywords in mailboxes in an Exchange Server 2010 environment
• 2629777  The Microsoft Exchange Replication service crashes on Exchange Server 2010 DAG members
• 2630708  A UM auto attendant times out and generates an invalid extension number error message in an Exchange Server 2010 environment
• 2630967  A journal report is not sent to a journaling mailbox when you use journaling rules on distribution groups in an Exchange Server 2010 environment
• 2632206  Message items rescanned in the background in an Exchange Server 2010 environment
• 2633044  The Number of Items in Retry Table counter displays an incorrect value that causes SCOM alerts in an Exchange Server 2010 SP1 organization
• 2639150  The MSExchangeSyncAppPool application pool crashes in a mixed Exchange Server 2003 and Exchange Server 2010 environment
• 2640218  The hierarchy of a new public folder database does not replicate on an Exchange Server 2010 SP1 server
• 2641077  The hierarchy of a new public folder database does not replicate on an Exchange Server 2010 SP1 server
• 2642189  The RPC Client Access service may crash when you import a .pst file by using the New-MailboxImportRequest cmdlet in an Exchange Server 2010 environment
• 2643950  A seed operation might not succeed when the source mailbox database has many log files in a Microsoft Exchange Server 2010 DAG
• 2644047  Active Directory schema attributes are cleared after you disable a user’s mailbox in an Exchange Server 2010 environment
• 2644264  Disabling or removing a mailbox fails in an Exchange Server 2010 environment that has Office Communications Server 2007, Office Communications Server 2007 R2 or Lync Server 2010 deployed
• 2648682  An email message body is garbled when you save or send the email message in an Exchange Server 2010 environment
• 2649727  Client Access servers cannot serve other Mailbox servers when a Mailbox server encounters a problem in an Exchange Server 2010 environment
• 2649734  Mailbox replication latency may occur when users perform a Multi-Mailbox Search function against a DAG in an Exchange Server 2010 environment
• 2649735  Warning of undefined recipient type of a user after the linked mailbox is moved from an Exchange Server 2007 forest to an Exchange Server 2010 forest
• 2652849  The MailboxCountQuota policy is not enforced correctly in an Exchange Server 2010 hosting mode
• 2665115  Event ID 4999 is logged on an Exchange Server 2010 Client Access server (CAS)

When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command.

You can download Exchange 2010 SP2 Rollup 1 here.

A quick run of the Exchange Remote Connectivity Analyzer (ExRCA) showed the following:

As ExRCA discovered, not all certificates of the certificate chain were offered by the server. A quick inspection of the certificate showed the following certification path:

In this example, the certificate authority (CA), GlobalSign, uses an intermediate CA, GlobalSign Domain Validation CA – G2, to delegate the process of creating UC certificates. Consequence is that the certificate of the root CA, in this example GlobalSign, as well as the certificate of the intermediate CA, here , must be present on the device or should be offered when setting up the connection so the client can validate them.

Inspection of the Exchange server showed that the intermediate certificate was properly installed on the Exchange server, after the customer imported the Personal Information Exchange File (.pfx) file, provided by the CA as part of the certificate package, which contained all certificates in the chain: root CA, intermediate CA and the UC certificate.

Then, investigation moved to the reverse proxy, in this case ISA Server 2006 SP1. It turned out the intermediate certificate on the ISA server, or rather the lack of it, was causing the issue. The customer had imported the individual UC certificate on the ISA server. Because the ISA server didn’t contain the intermediate certificate, it couldn’t send it to the client as part of the certificate chain. After importing the intermediate certificate on the ISA server, ActiveSync started working.

Generally speaking, Windows Mobile or Windows Phone devices don’t contain intermediate certificates so be sure to install them on your Exchange servers as well as on your reverse proxies. Checking and validating intermediate certificates is a client thing and in this case the intermediate CA was available on the non-Windows Phone devices which explained the difference in behavior between Windows Phone, iPhone and Android devices.

Note that, depending on your situation, you may have never seen the above issue before. |This could be the case when you’ve been using certificates directly provided a root CA so far. When selecting your CA, this might be something to take into account as not all mobile devices behave identical as you’ve seen. Also, although lifetime of root and intermediate certificates is quite long, it is something you should manage properly in your environment as you have to an additional certifiate to watch (which might expire or be revoked). Also, depending on volume and mobile costs, sending down extra traffic through the wire/air could be something to take into account. If you don’t think this could be an issue because certificates are relatively small, there’s a reason Mini OWA’s so popular in some regions. Distributing certificates to clients might become a better alternative in those circumstances.

Finally, I want to recommend the excellent SSL Certificate Management & Troubleshooting Tool, provided by DigiCert. It cannot only indicate potential certificate issues like these, or wrongly imported certificates (e.g. user store instead of computer store), but also fix them. As an alternative to ExRCA, you could use the online SSLchecker provided here.

The tool was originally from Red Gate and known as PST Importer. It’s architecture consists of three components: the central service, (optional) agents for PST discovery, registration and collecting PST files and an administrative console (image by Red Gate):

The online documentation can be found here.

Note that although it’s only supported for Exchange 2010 and Exchange Online, you can use it with Exchange 2007; it’s only untested (and probably unsupported) with that product.

You can read the official announcement here; you can download the tool and the agents here.

Here’s the list of changes included in this rollup:

• 2289607  The week numbers displayed in OWA do not match the week numbers displayed in Outlook for English users and French users in an Exchange Server 2007 environment
• 2498852  “0×80041606″ error message when you perform a prefix search by using Outlook in online mode in an Exchange Server 2007 environment
• 2499841  An arrow icon does not appear after you change the email message subject by using OWA in an Exchange Server 2007 SP3 environment
• 2523695  A “System.ArgumentOutOfRangeException” exception occurs when you click the “Scheduling Assistant” tab in Exchange Server 2007 OWA
• 2545080  Users in a source forest cannot view the free/busy information of mailboxes in a target forest when the cross-forest Availability service is configured between two Exchange Server 2007 forests
• 2571391  Applications or services that depend on the Remote Registry service may stop working in an Exchange Server 2007 environment
• 2572010  The Microsoft Exchange Information Store service may crash after you run the Test-ExchangeSearch cmdlet in an Exchange Server 2007 environment
• 2575360  A new feature is available to automatically stop the Microsoft Exchange Information Store service when a time-out is detected in an Exchange Server 2007 SP3 environment
• 2591655  A journaling report remains in the submission queue when an email message is delivered successfully in an Exchange Server 2007 environment
• 2598980  The PidLidClipEnd property of a recurring meeting request has an incorrect value in an Exchange Server 2007 environment
• 2616427   An Outlook Anywhere client loses connection when a GC server restarts in an Exchange Server 2007 environment
• 2617784  Journal reports are expired or lost when the Microsoft Exchange Transport service is restarted in an Exchange Server 2007 environment
• 2626217   Certain changes to address lists may not be updated in an Exchange Server 2007 environment
• 2629790   The Exchange IMAP4 service may stop responding on an Exchange Server 2007 Client Access server when users access mailboxes that are hosted on Exchange Server 2003 servers
• 2633801   The SCOM 2007 SP1 server cannot alert certain issues in an Exchange Server 2007 organization
• 914533  The Microsoft Exchange Information Store service may stop responding on an Exchange Server 2007 server
• 976977  The scroll bar does not work in OWA when there are more than 22 all-day event calendar items in an Exchange Server 2007 user’s calendar
• 2641312  The update tracking information option does not work in an Exchange Server 2007 environment
• 2653334  The reseed process is unsuccessful on the SCR passive node when the circular logging feature is enabled in an Exchange Server 2007 environment
• 2656040  An Exchange Server 2007 Client Access server may respond slowly or stop responding when users try to synchronize the Exchange ActiveSync devices with their mailboxes
• 2658613  The “PidLidClipEnd” property of a no ending recurring meeting request is set to an incorrect value in an Exchange Server 2007 environment

When running ForeFront Protection for Exchange, make sure you disable ForeFront before installing the rollup and re-enable it afterwards, otherwise the Information Store and Transport services may not start. You can disable ForeFront using fscutility /disable and enable it using the fscutility /enable command.

Note that update rollups are cumulative, i.e. they contain fixes released in earlier update rollups for the same product level (RTM, SP). This means you don’t need to install previous update rollups during a fresh installation but can start with the latest rollup.

You can download Exchange 2007 SP3 Rollup 6 here.

This Rollup fixes a “Bad Request” issue when accessing OWA through Forefront TMG. For a full list of changes, consult knowledgebase article kb2649961.

Note that along the lines of products like Exchange, cumulative updates for ForeFront TMG are now also called Rollup instead of Software Update or Update.

You can request ForeFront TMG SP2 RU1 directly from support here.

To configure the initial mailbox database name, the location of the initial mailbox database (and catalog) files or its log files, you can incorporate the following parameters in your setup command line:

• MdbName is the name of the initially created mailbox database, e.g. MDB01
• DbFilePath is the full path of the initially created mailbox database file, e.g. E:\MDB01DB\MDB01.edb
• LogFolderPath is the folder used to store the database log files, e.g. D:\MDB01LOG

Note that you must use the complete filename of the edb file, including the .edb extension. Also, you don’t need to create the folders; Exchange will do that for you during setup.

So, to setup Exchange with a custom initial mailbox database name and non-default locations of database and log files, you can use the following command line for example:

setup /mode:install /roles:c,h,m,t /mdbname:MDB01 /DbFilePath:E:\MDB01DB\MDB01.edb /LogFolderPath:D:\MDB01LOG

Of course, these parameters are nice to incorporate in your scripted setup to deploy multiple servers.

I started the removal process from an elevated command prompt (using the GUI doesn’t work as it complains about the need to use setup.com, which I can’t since I’m using the GUI):

setup /m:uninstall

The output was the following:

Hmm. Without even looking at the Exchange setup log, I noticed there was something strange with the error message:

The term ‘C:\Program Files\Microsoft\Exchange Server\V14\Bin\ManageScheduledTask.ps1′ is not recognized as the name of a cmdlet, function, script file, or operable program.

As you probably know, all Exchange scripts are located in the Scripts folder, not the Bin folder.

I tried a quick and dirty fix, which was to copy the ManageScheduledTask.ps1 and ManageScheduledTask.strings files to the Bin folder, and again started setup /m:uninstall. This time, Exchange uninstalled nicely.

From experience, this isn’t expected behavior, but in case you encounter this problem in the field, you now know how you can easily work around this.

Attendants and Subscriber Access was functioning properly, as well as call diversion to voicemail. Also, people were able to retrieve and replay voicemail messages.

So, apparently communications originating from Lync to Exchange was working, but from Exchange to Lync wasn’t.

I started off by inspecting the eventlog on the Exchange Server. Here I noticed UMCore process generated event 1400 periodically when trying to contact the UM IP gateway (Lync server):

This provided a clue as to what I already expected; the Lync server wasn’t responding to Exchange.

A quick search led me to this blog, which is mainly a checklist. Since Lync and Exchange were able to set up an RPC session and after verifying the ability to communicate from Exchange to Lync by doing a telnet on port 5061, I concluded networking wasn’t the issue and required services seemed to be running properly.

Next, I increased the logging level for all UM related components using:

Get-EventLogLevel “MSExchange Unified Messaging\*” | Set-EventLogLevel –Level Expert

I created a new voicemail message and after a short while MWI General event 1344 showed up:

Again, an indication signaling from Exchange to Lync didn’t work. Because I was able to open communications on port 5061 earlier on, I suspected Lync might be rejecting or refusing communications for whatever reason. Therefor, I connected to the Lync server. Since no clues were found in the event  log, I fired up the Lync Server Logging Tool. I turned on logging for SIPStack, checked All Levels and All Flags and started logging. Since I didn’t want to wait for the UM contacting Lync cycle and because it was a live system so a lot of SIP traffic was expected, I quickly created another voicemail waited a while (for accommodate for Voicemail Preview generation) and stopped logging. Next, I selected Analyze Log Files to inspect the results.

Note: Analyze Log Files requires installing the Lync Resource Kit as utilizes the Snooper tool; hardcore SIP fanatics may prefer the Notepad view and click on View Log Files instead.

When going through the events I noticed the following dialog between the Exchange server (srv12) and Lync (srv03):

After establishing a TLS session (so SIP secured was configured properly on both sides), the Lync Server received a SIP OPTIONS request after which it actively terminated the connection returning “The peer is not a configured server on this network interface” . The details section of this message displayed the following:

Now I have obfuscated the remainder of the FQDN, but as you probably still can see is that it states a wildcard as FQDN, e.g. *.contoso.com. Since “*.<something” isn’t a valid FQDN, Lync server wasn’t too blame for rejecting communications. I went back to the Exchange server because I suspected it might be a certificate issue and because I learned that the FQDN shown was the subject (CN) of the wildcard certificate used (and wildcard certificates aren’t supported by Lync).

I opened up the Exchange Management Console, went to Server Configuration to view the certificates. Indeed the public wildcard certificate was used for UM services. Luckily there was already another internal certificate in-place for Exchange,with the host FQDN as subject. I selected it, opened up Assign Services and activated it for UM (which automatically disables UM for the other certificate).

After switching certificates for UM, UM services like MWI and play-on-phone started working properly.

Apparently, the instructions “If you didn’t choose to create a wildcard certificate .. you must use a public certificate if you are using Unified Messaging with Office Communications Server” isn’t complete, since Lync verifies the certificate’s subject against the FQDN of the host it’s talking to. So that rules out certificates with a wildcard Subject (CN). Unfortunately, the certificate creation instructions don’t rule out (public) wildcard certificates for UM and there’s no mention of limitations regarding the Subject. I assume originally the customer created an improper – yet technically valid – request for an “all in one” certificate for internal usage and applied the result to all Exchange and Lync services, breaking UM – but not IIS nor SMTP, in the process.

Update: Turns out the requirement for non-wildcard subjects in certificates subject names is mentioned in the Supportability section of the Lync documentation on TechNet here. It reads: “There is no support for a wildcard entry as the subject name (also referred to as the common name or CN) for any role”.  Using wildcards as one of the Subject Alternate Names (SAN) is supported for most Lync roles. Since a lot of people find certificates challenging and troubleshooting improperly configured certificates isn’t everyone’s favorite pastime, being as clear as possible helps a lot. In my opinion, the certificate generation page should mention limitations or requirements and a link to the supportability page wouldn’t hurt. Luckily, in this case the issue can easily be solved using a trusted certificate generated by an internal CA.

I’d also like to share with you some blog statistics of 2011, it’s 2nd year running:

• Number of views: 221,049 (when compared to 2010 +314%)
• Number of posts: 70 (241 total)
• Busiest day: December 5th (1,330 views)
• Top post: Exchange 2010 SP1 Network Ports Diagram v0.31

Next to the Main, Versions, Builds and Dates and Toolkit pages, these were the Top 5 posts of 2011:

• Limiting Exchange 2010 SP1 Database Cache
• Exchange 2010 SP1 Network Ports Diagram v0.31
• GAL Segmentation announced for Exchange 2010 SP2
• Mac Outlook 2011 & Exchange 2003
• Exchange 2010 SP1 Rollup 3 & Exchange 2007 Rollup 3

Top 5 posts of all time:

• Exchange 2010′s CAS Arrays & NLB
• Limiting Exchange 2010 Database Cache
• Limiting Exchange 2010 SP1 Database Cache
• Exchange 2010 SP1 Network Ports Diagram v0.31
• Cross-Forest Mailbox Move

Top 5 referrers of 2011:

• social.technet.microsoft.com (TechNet forum)
• blogs.technet.com (Microsoft blogs)
• exchangeserverpro.com (Paul Cunningham)
• experts-exchange.com (Community)
• workinghardinit.wordpress.com (Didier Van Hoye)

Again, thanks for visiting and keep coming back! Don’t forget, you can also follow me on Twitter.