Exchange Size Limits

Exchange Size Limits KB ID 0001368

Problem

When attempting to send an email from Outlook via Exchange, you see a message like the one below.

The following files weren’t attached because adding them would cause the message to exceed the maximum size limit of {Size} MB: {File-Name}

Or, when someone attempts to send a message to one of your mailbox users they get an NDR that looks like this.

Remote Server returned ‘550 5.2.3 RESOLVER.RST.RecipSizeLimit; message too large for this recipient’

Solution: Exchange Size Limits

There are a few places this can be set, (three main places and a few obscure ones!). Let’s deal with the most common one first.

Transport ‘System Wide Settings’: Exchange Size Limits

TransportConfig: This has a maximum send and a maximum receive size, to view yours use the following command.

[box]

Get-TransportConfig | format-list MaxSendSize, MaxReceiveSize

[/box]

If one of them is tripping you up, you can change the sizes with the following command.

[box]

Set-TransportConfig -MaxSendSize 100MB -MaxReceiveSize 100MB

[/box]

Send & Receive Connectors: Exchange Size Limits (PowerShell)

Send Connector: This has a maximum message size, to view yours use the following command.

[box]

Get-SendConnector | format-list Name, MaxMessageSize

[/box]

To change the limit on a specific send connector, use the following command.

[box]

Set-SendConnector "{connector-name}" -MaxMessageSize 100MB

[/box]

To change the limit on all send connectors, use the following command.

[box]

Get-SendConnector | Set-SendConnector -MaxMessageSize 100MB

[/box]

ReceiveConnector: This has a maximum message size, to view yours, use the following command.

[box]

Get-ReceiveConnector | format-table Name, MaxMessageSize

[/box]

You will have many, (Get-ReceiveConnector lists the connectors on every server, so the identity takes the form {Server-name}\{connector-name}). The one you probably want to change is called “Default Frontend {Server-name}”. To change the limit, use the following command;

[box]

Set-ReceiveConnector "{connector-name}" -MaxMessageSize 100MB

[/box]

To change the limit on all receive connectors, use the following command.

[box]

Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 100MB

[/box]

Send & Receive Connectors: Exchange Size Limits (Exchange Admin Center)

Send Connector: If you prefer to do things in the GUI, then Mail flow > Send Connectors > Select the send connector > Edit > Maximum Send Message (MB) > Set accordingly > Save.

Receive Connector: Mail Flow > Receive Connectors > Select the receive connector (usually the Default Frontend {server-name} connector) > Edit > Maximum Receive Message Size (MB) > Set accordingly > Save.

User ‘Mailbox’: Exchange Size Limits (PowerShell)

You can set individual limits on a particular mailbox. BUT remember the MOST RESTRICTIVE LIMIT APPLIES: if you set a mailbox to 500MB send/receive, but a connector the mail travels through (or the global transport setting) has a more restrictive figure, the message WILL BE BLOCKED. The exception is mail between two internal mailboxes, where the mailbox limits are the ones that apply. So it’s sensible practice to only set a mailbox restriction LOWER than the connector or system wide settings.

[box]

Set-Mailbox -Identity "user-name" -MaxSendSize 100MB -MaxReceiveSize 100MB

[/box]

To ensure that worked or view max limits for a particular user use the following syntax.

[box]

Get-Mailbox -Identity "user-name" | format-table MaxSendSize,MaxReceiveSize

[/box]

User ‘Mailbox’: Exchange Size Limits (Exchange Admin Center)

Again, this can also be done from the web management console > Recipients > Mailboxes > Select the user to be changed > Edit > Mailbox Features > Message Size Restrictions > View Details > Set accordingly > OK > Save.
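Because the most restrictive value wins, the quickest way to find out which setting is actually blocking a message is to pull every limit the article lists into one table. The script below is an added example (not part of the original article) that does that from the Exchange Management Shell: it reads the organisation limits, the send and receive connector limits and the mailbox limits, and reports the tightest one per direction. The mailbox and connector names in the usage line are placeholders, and the text-parsing fallback in Get-SizeMB is an assumption about how the size values are rendered when the objects come back deserialized.

```powershell
function Get-SizeMB {
    # Exchange size limits are Unlimited<ByteQuantifiedSize>; returns $null for 'unlimited'.
    param($Size)
    if ($null -eq $Size) { return $null }
    if ($Size.PSObject.Properties['IsUnlimited']) {              # live object in the shell
        if ($Size.IsUnlimited) { return $null }
        return [math]::Round($Size.Value.ToBytes() / 1MB, 2)
    }
    # Assumption: deserialized values render as text such as '10 MB (10,485,760 bytes)'
    $text = [string]$Size
    if ($text -match '\(([\d,]+) bytes\)') { return [math]::Round([double]($Matches[1] -replace ',', '') / 1MB, 2) }
    return $null                                                 # 'Unlimited' or anything unparseable
}

function Get-ExchangeSizeLimitReport {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [string]$SendConnector,      # optional: only the connector the mail leaves through
        [string]$ReceiveConnector    # optional: e.g. 'EXCH01\Default Frontend EXCH01'
    )
    $tc   = Get-TransportConfig
    $mbx  = Get-Mailbox -Identity $Mailbox
    $send = if ($SendConnector)    { Get-SendConnector -Identity $SendConnector }       else { Get-SendConnector }
    $recv = if ($ReceiveConnector) { Get-ReceiveConnector -Identity $ReceiveConnector } else { Get-ReceiveConnector }

    $rows = @(
        [pscustomobject]@{ Scope = 'TransportConfig'; Name = '(organisation)'; Direction = 'Send';    LimitMB = Get-SizeMB $tc.MaxSendSize }
        [pscustomobject]@{ Scope = 'TransportConfig'; Name = '(organisation)'; Direction = 'Receive'; LimitMB = Get-SizeMB $tc.MaxReceiveSize }
        [pscustomobject]@{ Scope = 'Mailbox'; Name = "$($mbx.PrimarySmtpAddress)"; Direction = 'Send';    LimitMB = Get-SizeMB $mbx.MaxSendSize }
        [pscustomobject]@{ Scope = 'Mailbox'; Name = "$($mbx.PrimarySmtpAddress)"; Direction = 'Receive'; LimitMB = Get-SizeMB $mbx.MaxReceiveSize }
    )
    $rows += @(foreach ($c in $send) { [pscustomobject]@{ Scope = 'SendConnector';    Name = $c.Name;          Direction = 'Send';    LimitMB = Get-SizeMB $c.MaxMessageSize } })
    $rows += @(foreach ($c in $recv) { [pscustomobject]@{ Scope = 'ReceiveConnector'; Name = "$($c.Identity)"; Direction = 'Receive'; LimitMB = Get-SizeMB $c.MaxMessageSize } })

    # Full picture first (unlimited shows as blank), then the value that actually bites.
    $rows | Sort-Object Direction, LimitMB | Format-Table -AutoSize | Out-Host

    # The most restrictive configured value wins; $null (unlimited) never restricts.
    foreach ($dir in 'Send', 'Receive') {
        $tightest = $rows | Where-Object { $_.Direction -eq $dir -and $null -ne $_.LimitMB } |
                    Sort-Object LimitMB | Select-Object -First 1
        [pscustomobject]@{
            Direction   = $dir
            EffectiveMB = if ($tightest) { $tightest.LimitMB } else { 'unlimited' }
            SetBy       = if ($tightest) { "$($tightest.Scope) '$($tightest.Name)'" } else { '' }
        }
    }
}

# Usage (placeholders): Get-ExchangeSizeLimitReport -Mailbox 'user-name' -ReceiveConnector 'EXCH01\Default Frontend EXCH01'
```

Without -SendConnector / -ReceiveConnector the report considers every connector in the organisation, which is pessimistic: a message only crosses the connectors on its actual path, so narrow it down to the connector(s) involved once you know the route.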

I’ve Done All This And It Still Won’t Work?

Sometimes the settings above don’t take effect until all the AppPools in IIS (on the CAS servers) have been restarted, an IISRESET command should solve the problem, (or a reboot if you can handle the downtime.) However even then in some cases you will continue to see the same error message. There are three places that it can still be misconfigured.

OWA Config File

Open the File located at;

%ExchangeInstallPath%ClientAccess\owa\web.config

Locate and set the maxRequestLength (NOTE: the value is in kilobytes, so 100MB is 102400).

EWS Config File

Open the File located at;

%ExchangeInstallPath%ClientAccess\exchweb\ews\web.config

Locate and set the maxRequestLength (NOTE: the value is in kilobytes, so 100MB is 102400).

ActiveSync (Sync)  Config File

Open the File located at;

%ExchangeInstallPath%ClientAccess\Sync\web.config

Locate and set the maxRequestLength (NOTE: the value is in kilobytes, so 100MB is 102400).

Having changed these values, perform an IISRESET, and repeat for any additional servers.

Note: Cumulative updates replace these web.config files, so you will need to re-apply the change after every CU.
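Editing three web.config files by hand on every server (and again after each CU) is error prone, so here is an added example (not from the original article) that makes the change from an administrative PowerShell window: it backs each file up, sets maxRequestLength in kilobytes, and, where the file also declares an IIS requestLimits element, raises maxAllowedContentLength (which is in bytes) to match. The default file list is the three paths given above; %ExchangeInstallPath% is assumed to be set as it is on any Exchange server. On Exchange 2013 and later there are also FrontEnd\HttpProxy copies of these web.config files; if your build has them, add them to -ConfigFiles.

```powershell
function Set-ExchangeWebRequestLimit {
    param(
        [Parameter(Mandatory)][int]$SizeMB,
        [string[]]$ConfigFiles = @(
            "${env:ExchangeInstallPath}ClientAccess\owa\web.config",
            "${env:ExchangeInstallPath}ClientAccess\exchweb\ews\web.config",
            "${env:ExchangeInstallPath}ClientAccess\Sync\web.config"
        )
    )
    $kb    = $SizeMB * 1024            # httpRuntime maxRequestLength is in kilobytes
    $bytes = $SizeMB * 1024 * 1024     # IIS requestLimits maxAllowedContentLength is in bytes

    foreach ($file in $ConfigFiles) {
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found, skipped: $file"; continue }

        # Keep a dated copy; a CU will overwrite the live file anyway, the backup is for rollback.
        Copy-Item -LiteralPath $file -Destination "$file.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

        [xml]$xml = Get-Content -LiteralPath $file -Raw
        $runtime = $xml.SelectSingleNode('/configuration/system.web/httpRuntime')
        if ($null -eq $runtime) { Write-Warning "No httpRuntime element in $file, skipped"; continue }
        $runtime.SetAttribute('maxRequestLength', "$kb")

        # IIS enforces its own request-body cap; raise it too where the file declares one.
        $limits = $xml.SelectSingleNode('/configuration/system.webServer/security/requestFiltering/requestLimits')
        if ($null -ne $limits) { $limits.SetAttribute('maxAllowedContentLength', "$bytes") }

        $xml.Save($file)
        [pscustomobject]@{
            File                    = $file
            maxRequestLengthKB      = $kb
            maxAllowedContentLength = if ($null -ne $limits) { $bytes } else { '(not declared)' }
        }
    }
    # The new values are only read when the application pools restart.
    iisreset | Out-Null
}

# Usage: Set-ExchangeWebRequestLimit -SizeMB 100
```

Run it on each CAS server in turn; the objects it returns are the record of what was changed, so keep them with your change ticket.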

Related Articles, References, Credits, or External Links

Message Size Limits on Exchange 2003

Exchange – Message Not Sent ‘Because there are too many recipients’

451 4.7.0 Temporary Server Error

451 4.7.0 KB ID 0001823

Problem

If you attempt to connect to and send mail via command line to your Exchange Server, you may see the following error after you end the data section of the operation.

451 4.7.0 Temporary server error. Please try again later. PRX5

Solution: 451 4.7.0 Error

Log into Exchange Admin Center > Mail Flow > Receive Connectors > Default Frontend {Server-Name} > Edit > Scope > Select the IPv4 entry (either remove it and add a new one, or edit it).

Specify the IP address you want to use.

So, it should look like this > Save > Exit Exchange Management.

Open Notepad (Note: you need to run it as administrator). Navigate to C:\Windows\System32\Drivers\etc and locate the hosts file (if you can’t see it, change the file type filter to “All Files”).

At the bottom of the file enter the IP address, hostname and FQDN of the server, then save and exit.

Then restart the Exchange Transport Service.
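The error only shows up after the end of the DATA section, so to prove the fix you need a scripted SMTP session rather than a quick port check. The following is an added example (not from the original article) that drives the conversation from PowerShell over a raw TCP socket, handles multi-line EHLO replies, sends a minimal message, and returns the server’s reply to the terminating ‘.’ line, which is where the ‘451 4.7.0 … PRX5’ appears. The server name, sender and recipient addresses are placeholders; it assumes TCP 25 is reachable and does not negotiate TLS.

```powershell
function Test-SmtpDataAccepted {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$From = 'probe@domainx.com',        # placeholder sender
        [string]$To   = 'user@domainx.com',         # placeholder internal recipient
        [string]$HeloName = $env:COMPUTERNAME,
        [int]$Port = 25,
        [int]$TimeoutMs = 15000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # An SMTP reply can span several lines ('250-...'); only the last has a space after the code.
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            $lines += $line
        } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        return ($lines -join "`n")
    }

    $transcript = @(Read-Reply)                                  # 220 banner
    $reply = $transcript[0]
    foreach ($cmd in "EHLO $HeloName", "MAIL FROM:<$From>", "RCPT TO:<$To>", 'DATA') {
        $writer.WriteLine($cmd)
        $reply = Read-Reply
        $transcript += "> $cmd", $reply
        if ($reply -notmatch '^[23]\d\d') { break }               # stop at the first rejection
    }
    if ($reply -match '^354') {
        # Minimal message, terminated by the lone '.' line that ends the DATA section.
        foreach ($l in "From: <$From>", "To: <$To>", 'Subject: SMTP probe', '', 'Probe message.', '.') {
            $writer.WriteLine($l)
        }
        $reply = Read-Reply                                      # 250 ... Queued, or 451 4.7.0 ... PRX5
        $transcript += '> (message body + .)', $reply
    }
    $writer.WriteLine('QUIT')
    $client.Close()

    [pscustomobject]@{
        Server     = $Server
        Accepted   = [bool]($reply -match '^250')
        Response   = ($reply -split "`n")[-1]
        Transcript = $transcript -join "`n"
    }
}

# Usage: Test-SmtpDataAccepted -Server mail.domainx.com -To user@domainx.com
```

Run it before the change to capture the 451, and again after restarting the transport service; Accepted should flip to True and Response should be the queued ‘250’ line. The Transcript property keeps the whole exchange for the ticket.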

Related Articles, References, Credits, or External Links

Exchange 2013 / 2016 / 2019 Default Receive Connector Settings

UnifiedContent Folder ‘Growing’

UnifiedContent KB ID 0001820

Problem

If you have a vanilla install of Exchange, it will clean up the UnifiedContent folder on a four hourly schedule. The problem occurs if you have moved your Exchange ‘Queue’ directory: this also relocates the UnifiedContent folder, but Exchange will still try (and fail) to tidy it up in the original location, (because it’s not there anymore!)

Typically, you will see your UnifiedContent folder growing slowly like so.

 

Note: You can tell by the folder path (above), that the queue directory is ‘non-standard’ i.e. I’ve placed the mail queue on its own partition, (Drive letter Q:). COPY THE PATH TO UNIFIEDCONTENT FOLDER TO THE CLIPBOARD.

Solution: UnifiedContent Growing

Locate your Antimalware.xml file, as you can see in my example (below) this lives in the Bin subfolder of the Exchange deployment folder, (like the queue folder, mine’s in a non-standard location also, I like to be different). If you have a standard deployment the file is usually located in;

C:\Program Files\Microsoft\Exchange Server\V15\Bin\Monitoring\Config

Locate the file and open it with Notepad.

Search within the file for the following text string.

[box]

TransportRoles\data\Temp\UnifiedContent

[/box]

You will see that this is the location that the Microsoft Exchange Health Monitor Service expects the UnifiedContent folder to be at, and yours will probably be pointing to,

[box]

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Temp\UnifiedContent

[/box]

Change the ENTIRE path (from the semi-colon to the quotes) and replace it with the ACTUAL path to your UnifiedContent folder, (you copied earlier). Then save the file and exit Notepad.

Before the change will take place, you need to restart the Microsoft Exchange Health Manager service.

[box]

Restart-Service MSExchangeHM

[/box]

Now nothing will happen for four hours, (you can manually delete some of the older files if you are having capacity issues!) After four hours all the older files should have been purged, and the scheduled clean-up will keep running against the new location, so the problem won’t recur.
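The edit above is a one-line change in a file that Exchange’s health manager depends on, so it is worth doing it in a way that checks the string is actually there, keeps a backup, and shows you the before and after. This added example (not from the original article) does exactly the replacement described: it finds the default path between the semicolon and the closing quote using the search string given above, swaps in your relocated UnifiedContent folder, and restarts MSExchangeHM. The default -XmlPath is the standard location named above; -NewPath is the folder you copied to the clipboard (the Q: drive value is a placeholder).

```powershell
function Set-UnifiedContentCleanupPath {
    param(
        [Parameter(Mandatory)][string]$NewPath,    # e.g. 'Q:\TransportRoles\data\Temp\UnifiedContent' (placeholder)
        [string]$XmlPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\Monitoring\Config\Antimalware.xml'
    )
    if (-not (Test-Path -LiteralPath $NewPath -PathType Container)) {
        throw "UnifiedContent folder not found: $NewPath"
    }
    $text = [System.IO.File]::ReadAllText($XmlPath)

    # The default path sits between a semicolon and the attribute's closing quote, as the article describes.
    $match = [regex]::Match($text, ';[^";]*TransportRoles\\data\\Temp\\UnifiedContent"')
    if (-not $match.Success) {
        throw "Default UnifiedContent path not found in $XmlPath (already changed?)"
    }

    $backup = "$XmlPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -LiteralPath $XmlPath -Destination $backup

    # Plain string replacement of the exact matched span, so nothing else in the XML is touched.
    $after   = $NewPath.TrimEnd('\')
    $updated = $text.Replace($match.Value, ';' + $after + '"')
    [System.IO.File]::WriteAllText($XmlPath, $updated)

    # The health manager only re-reads the file when it restarts.
    Restart-Service MSExchangeHM

    [pscustomobject]@{
        Before = $match.Value.Trim(';', '"')
        After  = $after
        Backup = $backup
    }
}

# Usage: Set-UnifiedContentCleanupPath -NewPath 'Q:\TransportRoles\data\Temp\UnifiedContent'
```

The function refuses to run if the default path is no longer in the file, which is the usual sign that someone has already made the change; compare the Before value with the folder Exchange is actually using before you trust the After value.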

Related Articles, References, Credits, or External Links

NA

PowerShell to Exchange Online

PowerShell to Exchange Online KB ID 0001814

Problem

While attempting to PowerShell to Exchange Online today, I tried to do this by using my usual method, and repeatedly got this error.

[box]

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following
error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:12
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -Conne ...
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

[/box]

I double checked the username/password was correct, and that the user was a global admin.

PowerShell to Exchange Online: Solution

After some searching it would seem that this happens when the account uses MFA, or you otherwise need to connect via modern authentication: the old New-PSSession method uses basic authentication and can’t do that, so use the ExchangeOnlineManagement module instead. Open an administrative PowerShell window, and execute the following commands;

[box]

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Press A then {Enter} at the prompt

Install-Module -Name PowerShellGet -Force
# If prompted, press Y then {Enter}

Install-Module -Name ExchangeOnlineManagement -Force
Connect-ExchangeOnline -UserPrincipalName username@domain.com -ShowProgress $true
# Log on interactively (this is where the MFA prompt is handled)

[/box]

Then continue as normal.

Related Articles, References, Credits, or External Links

NA

Exchange 2013 to 2019 Upgrade

Exchange 2013 to 2019 Upgrade KB ID 0001808

Exchange 2013 to 2019 Upgrade

With Exchange 2013 going end of support (11 Apr 2023) you should be migrating away from it as soon as you can, (as it’s only supported on up to Server 2012 R2), so you should have migrated off it already! It’s been some time since Exchange had any ‘major’ redesigns, 2013 was version 15, 2016 was version 15.1, and 2019 is Version 15.2.

So the Exchange 2013 > 2019 Migration is pretty much the same as it was from 2013 > 2016, or even 2016 > 2019. 

  •  There should be NO Exchange 2010 servers in existence before deploying Exchange 2019. You would need to upgrade to 2013 (CU21 minimum)/2016 (CU 11 minimum) first.
  • There’s no Unified Comms Role with Exchange any more! If you need to upgrade look at Microsoft Teams.
  • Forest Functional Levels should be, (at least) Server 2012 R2.
  • WARNING: Memory recommendations are 128GB (Mailbox server) and 64GB (Edge Transport server). Make sure you have enough compute!
  • Edge Server Role is still supported.
  • Windows Server Core (2019/2022) is supported with Exchange 2019.
  • Windows Server Nano is NOT supported.
  • Windows Server 2019 (Standard or Datacenter) and Windows Server 2022 (Standard or Datacenter, Exchange 2019 CU12 minimum) are supported host operating systems.
  • Outlook 2013 (and newer), and Outlook for Mac 2016 (and newer) are supported.

Exchange 2013 to 2019 Upgrade: Solution

As with all Exchange migrations make sure your Active Directory Domain/DNS/Existing Exchange organisation is healthy before you start. Then upgrade the existing Exchange to the latest cumulative update.

Exchange 2013 to 2019 Upgrade Prerequisites

You will need your Server 2019 or Server 2022 server fully updated and added to your domain, then to add the required roles and services use the following PowerShell command;

Exchange 2013 to 2019 Upgrade: Adding Exchange Server Roles

[box]Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS[/box]

Note: Now Required on Server 2019: You will need to install .Net 4.8 (link)

For Server 2022: You DON’T need to do this, (it’s already installed).

You need to install the Microsoft Unified Communications API 4.0 (link)

 

You will also need to install Microsoft Visual C++ (link)

You will also now have to install the ‘IIS Rewrite Module’ (link)

Either download the Exchange 2019 install media, or insert the Exchange 2019 DVD, and launch setup.exe > Next > Next > Files will be copied over.

Don’t I need to extend the schema, forest or domain? The setup does all this for you, you don’t need to do this manually anymore, (yes you can manually do this before installing, if you want to, but unless your schema master is in a different root domain, or you’re not a schema admin, then I don’t see the point!)

Introduction Page > Next > At the EULA tick “I Accept…” > Next > Tick “Use Recommended settings” > Next.

Select ‘Mailbox role’, and ‘Automatically install Windows Server roles and features…” > Next > Select the install directory, Note: In production you probably DON’T want this on the Windows System drive > Next > Unless you have a reason to disable Malware scanning then select ‘No’ > Next.

Readiness Checks > Fix any Errors and heed any warnings > Install > The product will install, this will take a long time!

Finish > Reboot the server.

And there’s our new Exchange 2019 Server.

Exchange 2019 EnterProduct Key

Servers > Servers > Select the 2019 Exchange Server > Enter Product Key  > Save

At the warning click OK.

Note: You can also enter the product key from the Exchange Management Shell, if you prefer.

[box]

Set-ExchangeServer {Host-name} -ProductKey 12345-12345-12345-12345-12345

[/box]

 

As directed Restart the ‘Microsoft Exchange Information Store‘ service.

[box]

Restart-Service MSExchangeIS

[/box]

Transfer Exchange Certificate to Exchange 2019

Note: The ability to Export, Import & Renew certificates and creation/completion of certificate requests has been removed from the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

I will leave the older (GUI) method, below for completeness – but all modern Exchange builds will need you to Open the Exchange Management Shell and perform the certificate migration via PowerShell

Transfer Certificates (PowerShell)

On your C: drive create a new folder called CERT > Open an Administrative Exchange Management Shell window on the SOURCE Exchange server.

[box]

Get-ExchangeCertificate -Server {Server-Name}

[/box]

Identify the certificate you require (by Subject) > Copy the Thumbprint text > Replace the thumbprint in this text with your thumbprint, then execute the following two commands.

[box]

$Cert = Export-ExchangeCertificate -Thumbprint 4896265B267C38D39314121C7C6550C6E4DD23AB -BinaryEncoded -Password (ConvertTo-SecureString -String 'PASSWORD' -AsPlainText -Force)

[System.IO.File]::WriteAllBytes('\\New-Server-Name\C$\CERT\CertEx.pfx', $Cert.FileData)

[/box]

Remember you will need to enable the certificate for the correct services also e.g.

[box]

Get-ExchangeCertificate -Server {New-Server-Name}

COPY the THUMBPRINT

Enable-ExchangeCertificate -Thumbprint {Thumb-Print} -Services IIS,SMTP

[/box]

Transfer Certificates (ExchangeAdmin Centre {Older build versions only})

I’m using a wildcard certificate so I want to export the cert from my Exchange 2013 server and import it onto my new Exchange 2019 Server. You will want to do the same if you have a certificate with your public domain name on it and this will be your ‘internet facing’ Exchange server. Servers > Certificates > Select the Exchange 2013 Server, in the drop down menu > Select The Certificate > Click the ellipsis (three dots) > Export Exchange Certificate > Supply a UNC path and password > OK.

Change the Dropdown to the Exchange 2019 Server > Click the ellipsis > Import Exchange Certificate > Supply the UNC path and password you used (above) > Next.

Add in the Exchange 2019 Server > Finish.

Exchange 2013 to 2019 Upgrade Exchange 2019 Assign Services to Certificate

Select the newly imported certificate> Edit > Services > Select the services > Save > Note: Here I’m selecting SMTP and IIS. (You can’t use a wildcard cert for IMAP,POP).

Exchange 2019 Changing the Exchange Web Services URLs

Exchange relies heavily on web based services, and it needs the URLs setting accordingly, (remember for Outlook Anywhere/OWA etc. you might need to change firewall settings, or repoint load balancers, WAP servers etc. to the NEW 2019 server, and let it proxy these connections to the older Exchange servers while they still exist).

[box]

Get-WebServicesVirtualDirectory -Server EXCH-2019 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.domainx.com/ews/exchange.asmx -ExternalURL https://mail.domainx.com/ews/exchange.asmx

Set-OWAVirtualDirectory -identity "EXCH-2019\owa (Default Web Site)" -InternalURL https://mail.domainx.com/owa -ExternalURL https://mail.domainx.com/owa

Get-OABVirtualDirectory -Server EXCH-2019 | Set-OABVirtualDirectory -InternalURL https://mail.domainx.com/OAB -ExternalURL https://mail.domainx.com/OAB

Get-ECPVirtualDirectory -Server EXCH-2019 | Set-ECPVirtualDirectory -InternalURL https://mail.domainx.com/ECP -ExternalURL https://mail.domainx.com/ECP

Get-MAPIVirtualDirectory -Server EXCH-2019 | Set-MAPIVirtualDirectory -InternalURL https://mail.domainx.com/MAPI -ExternalURL https://mail.domainx.com/MAPI -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server EXCH-2019 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync

Set-OutlookAnywhere -identity "EXCH-2019\RPC (Default Web Site)" -ExternalHostname mail.domainx.com -InternalHostname mail.domainx.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Set-ClientAccessService -Identity EXCH-2019 -AutoDiscoverServiceInternalUri https://mail.domainx.com/Autodiscover/Autodiscover.xml

[/box]

Exchange 2019 Rename Mailbox Database

Servers > Databases > Exchange always gives databases annoying names > Select the Database on the 2019 Exchange Server > Edit > Rename it  > Save.

Note: The path to the Database retains the original name (we will fix that in the next step).

 

Exchange 2013 to 2019 Upgrade: Move Mailbox Database

I’m pretty old school, I like my Exchange databases on their own drive/partition, and I like the logs on another drive/partition. To move both the Database and the Logs;

[box]

Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb -LogFolderPath L:\Folder\Log-Folder\

[/box]

Add Exchange 2019 to the Send Connector

Mail Flow > Send Connectors > Select your mail SMTP connector(s) > Edit > Scoping > Source Server section > Add > Add in the new server > OK > Save.

Note: The Exchange server will now need to have TCP port 25 (SMTP) open outbound on your corporate firewall.

Hybrid (On-Prem) Exchange Migration Note

If your on-premise Exchange is part of an Office 365 Hybrid deployment you will need to add the new server to the ‘scope’ for that connector also!

Exchange 2013 to 2019 Upgrade: Decommission Exchange 2013

From this point forward we are going to start getting rid of our Exchange 2013 server, they can of course coexist, (if you wanted to wait a while).

For that reason I change the ‘mail flow’ on the firewall to point to the new Exchange server at this point, and the HTTP access for OWA, Outlook Anywhere,  and Phone/Tablet access.

Exchange 2013 to 2019 Upgrade Exchange 2013 Mailbox Migration

Yes you can do this in the Exchange Admin Center (GUI), but I prefer to do this in PowerShell. But if I don’t put this here, I’ll get emails! Recipients > Migration  > Add > Move to a different Database > Add in the mailboxes/users > Next.

Give the ‘Batch’ a name > Select to move Archive mailboxes (if you have them) > Select the destination (Exchange 2019) Database > Again if using archive mailboxes, select the target archive mailbox database > Set the bad Item limit to 99 > Next > Select Automatically Start > Select Automatically Finish > New. 

From this point, this is where I don’t like the EAC, it takes AGES to update with progress! From the Exchange Shell you can get an up to date view of what is going on!

[box]

Get-MoveRequest | Get-MoveRequestStatistics

[/box]

For a better list of commands for moving user mailboxes, monitoring the migration, (and removing the move requests when you are finished). See the following article;

Exchange: PowerShell Commands

With ALL mailbox migrations, DON’T FORGET that on successful completion you need to remove the move requests. (If something fails, or displays an error, don’t forget to search for that error (above) before going to Google!)

Exchange 2013 to 2019 Upgrade: Migrating Exchange System Mailboxes

Before you start issue the following command;

[box]

Set-AdServerSettings -ViewEntireForest $true

[/box]

In addition to the user mailboxes there are a multitude of different ‘System mailboxes’ that might be hanging around, before we can get rid of the Exchange 2013 Database(s) we need to migrate those.

Firstly AuditLog Mailboxes

[box]

Get-Mailbox -AuditLog -Database "Mailbox-Database-2013"

[/box]

If there are any!

[box]

Get-Mailbox -AuditLog -Database "Mailbox-Database-2013" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Then Arbitration Mailboxes

[box]

Get-Mailbox -Arbitration -Database "Mailbox-Database-2013"

[/box]

If there are any!

[box]

Get-Mailbox -Arbitration -Database "Mailbox-Database-2013" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Then Monitoring Mailboxes

[box]

Get-Mailbox -Monitoring -Server "Mail-2013"

[/box]

If there are any!

[box]

Get-Mailbox -Monitoring -Server "Mail-2013" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Make sure there are no archive mailboxes;

[box]

Get-Mailbox -Archive -Database "Mailbox-Database-2013"

[/box]

If there are, move them, (as above).

Also move any Discovery mailboxes to 2019;

[box]

Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Exchange 2013 to 2019 Upgrade Migrating Public Folders 

Remember after Exchange 2013 these are just mailboxes! You can move them like any other mailbox 🙂
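Before you remove the old database it is worth running every one of the searches above in one go, rather than relying on having remembered each switch. This added example (not from the original article) lists whatever is still on the Exchange 2013 database, by kind (user, archive, arbitration, audit-log, monitoring and public folder mailboxes, with discovery mailboxes appearing among the user mailboxes), plus any move requests that still reference it. It assumes you are in the Exchange Management Shell with ViewEntireForest set as above; the database and server names are placeholders.

```powershell
function Get-RemainingMailboxes {
    param(
        [Parameter(Mandatory)][string]$Database,   # e.g. 'Mailbox-Database-2013' (placeholder)
        [Parameter(Mandatory)][string]$Server      # e.g. 'Mail-2013' (placeholder; monitoring mailboxes are per server)
    )
    # One entry per search the decommission steps run by hand.
    $searches = [ordered]@{
        User         = { Get-Mailbox -Database $Database -ResultSize Unlimited }
        Archive      = { Get-Mailbox -Database $Database -Archive -ResultSize Unlimited }
        Arbitration  = { Get-Mailbox -Database $Database -Arbitration }
        AuditLog     = { Get-Mailbox -Database $Database -AuditLog }
        Monitoring   = { Get-Mailbox -Server $Server -Monitoring }
        PublicFolder = { Get-Mailbox -Database $Database -PublicFolder }
    }

    $remaining = @(foreach ($kind in $searches.Keys) {
        foreach ($m in @(& $searches[$kind])) {
            [pscustomobject]@{
                Kind     = $kind
                Name     = $m.Name
                Location = if ($kind -eq 'Archive') { "$($m.ArchiveDatabase)" } else { "$($m.Database)" }
                Server   = $m.ServerName
            }
        }
    })

    # Move requests still in flight, or completed but never cleared, also still point at the database.
    $moves = Get-MoveRequest -ResultSize Unlimited |
             Where-Object { "$($_.SourceDatabase)" -eq $Database -or "$($_.TargetDatabase)" -eq $Database }
    foreach ($r in $moves) {
        $remaining += [pscustomobject]@{
            Kind     = "MoveRequest ($($r.Status))"
            Name     = $r.DisplayName
            Location = "$($r.SourceDatabase) -> $($r.TargetDatabase)"
            Server   = ''
        }
    }

    if ($remaining.Count -eq 0) {
        Write-Host "Nothing left on $Database, it is safe to remove."
    }
    return $remaining
}

# Usage: Get-RemainingMailboxes -Database 'Mailbox-Database-2013' -Server 'Mail-2013' | Format-Table -AutoSize
```

Anything it returns needs moving (mailboxes) or removing (completed move requests, with Remove-MoveRequest) before Remove-MailboxDatabase will succeed; an empty result is the green light for the next section.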

Delete Exchange 2013 Database(s)

When you are 100% sure there’s nothing left on the old database(s) remove them;

[box]

Get-MailboxDatabase -Identity "Mailbox-Database-2013" | Remove-MailboxDatabase

[/box]

Uninstall Exchange 2013

Your install directory may not be on the C: drive so change your path accordingly;

[box]

cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"
setup.exe /mode:uninstall

[/box]

At this point make sure your backup/replication software is pointed to the new Exchange 2019 Server.

 

Note: If you are running an On-Premise Exchange in Hybrid mode, and post migration if you have any mail flow problems see the following article;

No Mail Flow On-Premise To/From Office 365

Related Articles, References, Credits, or External Links

Exchange 2019 Migration from Exchange 2016

Exchange 2019 Migration from Exchange 2016

KB ID 0001472

Exchange 2019 Migration

If Exchange 2016 was Exchange 2013 in a pretty dress, then Exchange 2019 has simply added a hat. In the past, every third Exchange release was a major rebuild, but Exchange 2013 was version 15.0, Exchange 2016 is version 15.1, and Exchange 2019 is version 15.2.

So the Exchange 2019 Migration is pretty much the same as it was from 2013 > 2016.

  •  There should be NO Exchange 2010 servers in existence before deploying Exchange 2019. You would need to upgrade to 2013 (CU21 minimum)/2016 (CU 11 minimum) first.
  • There’s no Unified Comms Role with Exchange any more! If you need to upgrade look at Microsoft Teams.
  • Forest Functional Levels should be, (at least) Server 2012 R2.
  • WARNING: Memory recommendations are 128GB (Mailbox server) and 64GB (Edge Transport server). Make sure you have enough compute!
  • Edge Server Role is still supported.
  • Windows Server Core (2019/2022) is supported with Exchange 2019.
  • Windows Server Nano is NOT supported.
  • Windows Server 2019 (Standard or Datacenter) and Windows Server 2022 (Standard or Datacenter, Exchange 2019 CU12 minimum) are supported host operating systems.
  • Outlook 2013 (and newer), and Outlook for Mac 2016 (and newer) are supported.

Solution

As with all Exchange migrations make sure your Active Directory Domain/DNS/Existing Exchange organisation is healthy before you start. Then upgrade the existing Exchange to the latest cumulative update.

Exchange 2019 Prerequisites

Exchange 2019 only installs on Windows Server 2019 or Windows Server 2022, (see the supported operating systems above, Server 2022 needs CU12 or later). You will need the server fully updated and added to your domain, then to add the required roles and services use the following PowerShell command;

[box]Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS[/box]

Now required on Server 2019: You will need to install .Net 4.8 (link).

Server 2022: .Net 4.8 is already included in Server 2022!

You need to install the MS Unified Communications API 4.0 (link).

You will also need to install Microsoft Visual C++ (link)

You will also now have to install the ‘IIS Rewrite Module’ (link)

Either download the Exchange 2019 install media, or insert the Exchange 2019 DVD, and launch setup.exe > Next > Next > Files will be copied over.

Don’t I need to extend the schema, forest or domain? The setup does all this for you, you don’t need to do this manually anymore, (yes you can manually do this before installing, if you want to, but unless your schema master is in a different root domain, or you’re not a schema admin, then I don’t see the point!)

Introduction Page > Next > At the EULA tick “I Accept…” > Next > Tick “Use Recommended settings” > Next.

Select ‘Mailbox role’, and ‘Automatically install Windows Server roles and features…” > Next > Select the install directory, Note: In production you probably DON’T want this on the Windows System drive > Next > Unless you have a reason to disable Malware scanning then select ‘No’ > Next.

Readiness Checks > Fix any Errors and heed any warnings > Install > The product will install, this will take a long time!

Finish > Reboot the server.

And there’s our new Exchange 2019 Server.

Exchange 2019 EnterProduct Key

Servers > Servers > Select the 2019 Exchange Server > Enter Product Key  > Save

Note: On the pre-release version of Exchange 2019, the Exchange 2016 keys worked fine.

At the warning click OK.

Note: You can also enter the product key using the Command Shell, if you prefer.

[box]

Set-ExchangeServer {Host-name} -ProductKey 12345-12345-12345-12345-12345

[/box]

As directed Restart the ‘Microsoft Exchange Information Store’ service.

[box]Restart-Service MSExchangeIS[/box]

Transfer Exchange Certificate to Exchange 2019

Note: The ability to Export, Import & Renew certificates and creation/completion of certificate requests has been removed from the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

I will leave the older (GUI) method, below for completeness – but all modern Exchange builds will need you to Open the Exchange Management Shell and perform the certificate migration via PowerShell

Transfer Certificates (PowerShell)

On your C: drive create a new folder called CERT > Open an Administrative Exchange Management Shell window on the SOURCE Exchange server.

[box]

Get-ExchangeCertificate -Server {Server-Name}

[/box]

Identify the certificate you require (by Subject) > Copy the Thumbprint text > Replace the thumbprint in this text with your thumbprint, then execute the following two commands.

[box]

$Cert = Export-ExchangeCertificate -Thumbprint 4896265B267C38D39314121C7C6550C6E4DD23AB -BinaryEncoded -Password (ConvertTo-SecureString -String 'PASSWORD' -AsPlainText -Force)

[System.IO.File]::WriteAllBytes('\\New-Server-Name\C$\CERT\CertEx.pfx', $Cert.FileData)

[/box]

Remember you will need to enable the certificate for the correct services also e.g.

[box]

Get-ExchangeCertificate -Server {New-Server-Name}

COPY the THUMBPRINT

Enable-ExchangeCertificate -Thumbprint {Thumb-Print} -Services IIS,SMTP

[/box]
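The two export commands above (here, and in the Exchange 2013 to 2019 article) write the PFX onto the new server’s admin share but leave the import step to you, and they put the PFX password in the command line. The following is an added example (not from the original articles) of the whole move in one function: export with the private key, import on the target, enable the certificate for SMTP and IIS, and delete the PFX so a private key is not left sitting on C$. The server names, thumbprint and path are placeholders; the password is read from the console rather than embedded, and C:\CERT is assumed to exist on the target server.

```powershell
function Move-ExchangeCertificate {
    param(
        [Parameter(Mandatory)][string]$SourceServer,      # placeholder, e.g. 'EXCH-2016'
        [Parameter(Mandatory)][string]$TargetServer,      # placeholder, e.g. 'EXCH-2019'
        [Parameter(Mandatory)][string]$Thumbprint,        # from Get-ExchangeCertificate on the source
        [string]$PfxPath = "\\$TargetServer\C$\CERT\CertEx.pfx",
        [string[]]$Services = @('SMTP', 'IIS')
    )
    # Prompted, not on the command line, so it does not end up in the shell history.
    $password = Read-Host -AsSecureString -Prompt 'PFX password'

    # 1. Export with the private key (the certificate must be marked exportable on the source).
    $export = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint -BinaryEncoded -Password $password
    [System.IO.File]::WriteAllBytes($PfxPath, $export.FileData)

    try {
        # 2. Import on the target; keep the key exportable so the next migration is just as easy.
        Import-ExchangeCertificate -Server $TargetServer `
            -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
            -Password $password -PrivateKeyExportable $true | Out-Null

        # 3. Bind it to the services; -Force answers the 'overwrite the default SMTP certificate?' prompt.
        Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint -Services ($Services -join ',') -Force
    }
    finally {
        # 4. Never leave a PFX with a private key on an admin share.
        Remove-Item -LiteralPath $PfxPath -Force -ErrorAction SilentlyContinue
    }

    # What the target server now believes about the certificate.
    Get-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint |
        Select-Object Subject, Thumbprint, Services, NotAfter
}

# Usage: Move-ExchangeCertificate -SourceServer EXCH-2016 -TargetServer EXCH-2019 -Thumbprint 4896265B267C38D39314121C7C6550C6E4DD23AB
```

Check the Services column in the output shows both SMTP and IIS before you repoint the firewall or load balancer at the new server; if the source certificate was not exportable, the export step fails and nothing is written to the share.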

Transfer Certificates (ExchangeAdmin Centre {Older build versions only})

I’m using a wildcard certificate so I want to export the cert from my Exchange 2016 server and import it onto my new Exchange 2019 Server. You will want to do the same if you have a certificate with your public domain name on it and this will be your ‘internet facing’ Exchange server. Servers > Certificates > Select the Exchange 2016 Server, in the drop down menu > Select The Certificate > Click the ellipsis (three dots) > Export Exchange Certificate > Supply a UNC path and password > OK.

Change the Dropdown to the Exchange 2019 Server > Click the ellipsis > Import Exchange Certificate > Supply the UNC path and password you used (above) > Next.

Add in the Exchange 2019 Server > Finish.

Exchange 2019 Assign Services to Certificate

Select the newly imported certificate > Edit > Services > Select the services > Save > Note: Here I’m selecting SMTP and IIS. (You can’t use a wildcard cert for IMAP, POP).

Exchange 2019 Changing the Exchange Web Services URLs

Exchange relies heavily on web based services, and it needs the URLs setting accordingly, (remember for Outlook Anywhere/OWA etc. you might need to change firewall settings, or repoint load balancers, WAP servers etc. to the NEW 2019 server, and let it proxy these connections to the older Exchange servers while they still exist).

[box]

Get-WebServicesVirtualDirectory -Server EXCH-2019 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.domainx.com/ews/exchange.asmx -ExternalURL https://mail.domainx.com/ews/exchange.asmx

Set-OWAVirtualDirectory -identity "EXCH-2019\owa (Default Web Site)" -InternalURL https://mail.domainx.com/owa -ExternalURL https://mail.domainx.com/owa

Get-OABVirtualDirectory -Server EXCH-2019 | Set-OABVirtualDirectory -InternalURL https://mail.domainx.com/OAB -ExternalURL https://mail.domainx.com/OAB

Get-ECPVirtualDirectory -Server EXCH-2019 | Set-ECPVirtualDirectory -InternalURL https://mail.domainx.com/ECP -ExternalURL https://mail.domainx.com/ECP

Get-MAPIVirtualDirectory -Server EXCH-2019 | Set-MAPIVirtualDirectory -InternalURL https://mail.domainx.com/MAPI -ExternalURL https://mail.domainx.com/MAPI -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server EXCH-2019 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync

Set-OutlookAnywhere -identity "EXCH-2019\RPC (Default Web Site)" -ExternalHostname mail.domainx.com -InternalHostname mail.domainx.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Set-ClientAccessService -Identity EXCH-2019 -AutoDiscoverServiceInternalUri https://mail.domainx.com/Autodiscover/Autodiscover.xml

[/box]
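Once the URLs are set, it is worth confirming that every client-facing virtual directory on the new server really does point at the one public name, because a single stray URL is enough to break Autodiscover or Outlook. This is an added check, not code from the article; it assumes an Exchange Management Shell session and uses the article’s placeholder server and host names.

```powershell
# Added example (not the article's own code): audit the Internal/External URLs
# of every client-facing virtual directory on one server against the expected host.
# Assumes an Exchange Management Shell; EXCH-2019 / mail.domainx.com are placeholders.
function Test-ExchangeClientUrls {
    param(
        [string]$Server       = 'EXCH-2019',
        [string]$ExpectedHost = 'mail.domainx.com'
    )
    # Each entry: a label and a scriptblock returning the object(s) that carry the URLs.
    $sources = [ordered]@{
        EWS        = { Get-WebServicesVirtualDirectory -Server $Server }
        OWA        = { Get-OwaVirtualDirectory        -Server $Server }
        OAB        = { Get-OabVirtualDirectory        -Server $Server }
        ECP        = { Get-EcpVirtualDirectory        -Server $Server }
        MAPI       = { Get-MapiVirtualDirectory       -Server $Server }
        ActiveSync = { Get-ActiveSyncVirtualDirectory -Server $Server }
    }
    foreach ($label in $sources.Keys) {
        foreach ($vdir in & $sources[$label]) {
            foreach ($side in 'InternalUrl', 'ExternalUrl') {
                $url    = $vdir.$side                      # System.Uri or $null
                $actual = if ($url) { $url.Host } else { '(not set)' }
                [pscustomobject]@{
                    Service = $label
                    Setting = $side
                    Host    = $actual
                    OK      = ($actual -eq $ExpectedHost)
                }
            }
        }
    }
    # Outlook Anywhere and Autodiscover hold host names / a URI rather than Internal/External URLs.
    $oa = Get-OutlookAnywhere -Server $Server
    foreach ($side in 'InternalHostname', 'ExternalHostname') {
        $actual = "$($oa.$side)"
        [pscustomobject]@{ Service = 'OutlookAnywhere'; Setting = $side; Host = $actual; OK = ($actual -eq $ExpectedHost) }
    }
    $ad     = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
    $actual = if ($ad) { $ad.Host } else { '(not set)' }
    [pscustomobject]@{ Service = 'Autodiscover'; Setting = 'InternalUri'; Host = $actual; OK = ($actual -eq $ExpectedHost) }
}

# Show only the settings that still point somewhere other than the public name.
Test-ExchangeClientUrls | Where-Object { -not $_.OK } | Format-Table -AutoSize
```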

Exchange 2019 Rename Mailbox Database

Servers > Databases > Exchange always gives databases annoying names > Select the Database on the 2019 Exchange Server > Edit > Rename it > Save.

Note: The path to the Database retains the original name (we will fix that in the next step).

Exchange 2019 Migration Move Mailbox Database

I’m pretty old school, I like my Exchange databases on their own drive/partition, and I like the logs on another drive/partition. To move both the Database and the Logs;

[box]Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb -LogFolderPath L:\Folder\Log-Folder\[/box]

Add Exchange 2019 to the Send Connector

Mail Flow > Send Connectors > Select your mail SMTP connector(s) > Edit > Scoping > Source Server section > Add > Add in the new server > OK > Save.

Note: The Exchange server will now need to have TCP port 25 (SMTP) open outbound on your corporate firewall.

Hybrid (On-Prem) Exchange Migration Note

If your on-premise Exchange is part of an Office 365 Hybrid deployment you will need to add the new server to the ‘scope’ for that connector also!

Decommission Exchange 2016

From this point forward we are going to start getting rid of our Exchange 2016 server, they can of course coexist, (if you wanted to wait a while).

For that reason I change the ‘mail flow’ on the firewall to point to the new Exchange server at this point, along with the HTTP access for OWA, Outlook Anywhere, and Phone/Tablet access.

Exchange 2019 Mailbox Migration

Yes you can do this in the EAC, but I prefer to do this in PowerShell. But if I don’t put this here, I’ll get emails! Recipients > Migration > Add > Move to a different Database > Add in the mailboxes/users > Next.

Give the ‘Batch’ a name > Select to move Archive mailboxes (if you have them) > Select the destination (Exchange 2019) Database > Again if using archive mailboxes, select the target archive mailbox database > Set the bad Item limit to 99 > Next > Select Automatically Start > Select Automatically Finish > New. 

From this point, this is where I don’t like the EAC, it takes AGES to update with progress! From the Exchange Shell you can get an up to date view of what is going on!

[box]Get-MoveRequest | Get-MoveRequestStatistics[/box]

For a better list of commands for moving user mailboxes, and monitoring the migration, and removing the move requests when you are finished, see the following article;

Exchange: PowerShell Commands

Migrating Exchange System Mailboxes

Before you start issue the following command;

[box]Set-AdServerSettings -ViewEntireForest $true[/box]

In addition to the user mailboxes there are a multitude of different ‘System mailboxes’ that might be hanging around; before we can get rid of the Exchange 2016 Database we need to migrate those.

Firstly AuditLog Mailboxes

[box]Get-Mailbox -AuditLog -Database "Mailbox-Database-2016"

If there are any!

Get-Mailbox -AuditLog -Database "Mailbox-Database-2016" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Then Arbitration Mailboxes

[box]Get-Mailbox -Database "Mailbox-Database-2016" -Arbitration

If there are any!

Get-Mailbox -Database "Mailbox-Database-2016" -Arbitration | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Then Monitoring Mailboxes

[box]Get-Mailbox -Monitoring -Server "Mail-2016"

If there are any!

Get-Mailbox -Monitoring -Server "Mail-2016" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Make sure there are no archive mailboxes;

[box]Get-Mailbox -Database "Database-Name" -Archive[/box]

If there are, move them, (as above.)

Also move any Discovery mailboxes to 2019;

[box]Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]
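The steps above are easy to do one at a time and still miss a mailbox, because none of these classes show up in a plain Get-Mailbox listing. This added function (not the article’s own code) sweeps all of them off the old database in one pass, with a -WhatIf dry run first; it assumes an Exchange Management Shell after Set-AdServerSettings -ViewEntireForest $true, and the database and server names are placeholders.

```powershell
# Added example (not the article's own code): move every class of system mailbox
# that still lives on an old database/server to the new database, dry run first.
# Assumes Set-AdServerSettings -ViewEntireForest $true has already been run.
function Move-ExchangeSystemMailboxes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceDatabase,   # e.g. "Mailbox-Database-2016"
        [Parameter(Mandatory)][string]$SourceServer,     # e.g. "Mail-2016"; monitoring mailboxes are per server
        [Parameter(Mandatory)][string]$TargetDatabase    # e.g. "Mailbox-Database-2019"
    )
    # Each Get-Mailbox switch reveals one class of hidden mailbox. Discovery
    # mailboxes are ordinary mailboxes with a well-known name, so filter by database.
    $primary = @(
        Get-Mailbox -Database $SourceDatabase -Arbitration
        Get-Mailbox -Database $SourceDatabase -AuditLog
        Get-Mailbox -Database $SourceDatabase -PublicFolder
        Get-Mailbox -Server $SourceServer -Monitoring
        Get-Mailbox -Identity 'DiscoverySearchMailbox*' |
            Where-Object { "$($_.Database)" -eq $SourceDatabase }
    ) | Where-Object { $_ } | Sort-Object -Property Guid -Unique

    # Mailboxes whose *archive* still sits on the old database; the primary
    # mailbox may already be elsewhere, so only the archive is moved.
    $archives = @(Get-Mailbox -Database $SourceDatabase -Archive) | Where-Object { $_ }

    $requests = @()
    foreach ($m in $primary) {
        $target = "$($m.Name) [$($m.RecipientTypeDetails)]"
        if ($PSCmdlet.ShouldProcess($target, "Move to $TargetDatabase")) {
            $requests += New-MoveRequest -Identity $m.Identity -TargetDatabase $TargetDatabase
        }
    }
    foreach ($m in $archives) {
        if ($PSCmdlet.ShouldProcess("$($m.Name) [archive]", "Move archive to $TargetDatabase")) {
            $requests += New-MoveRequest -Identity $m.Identity -ArchiveOnly -ArchiveTargetDatabase $TargetDatabase
        }
    }
    return $requests
}

# Dry run first; drop -WhatIf to create the move requests, then watch them with
# Get-MoveRequest | Get-MoveRequestStatistics as the article describes.
Move-ExchangeSystemMailboxes -SourceDatabase 'Mailbox-Database-2016' -SourceServer 'Mail-2016' `
    -TargetDatabase 'Mailbox-Database-2019' -WhatIf
```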

Migrating Public Folder Mailboxes

Remember, after Exchange 2013 these are just mailboxes! You can move them like any other mailbox 🙂

Delete Exchange 2016 Database(s)

When you are 100% sure there’s nothing left on the old database(s) remove them;

[box]Get-MailboxDatabase -Identity "Mailbox-Database-2016" | Remove-MailboxDatabase[/box]

Uninstall Exchange 2016

Your install directory may not be on the C: drive so change your path accordingly;

[box]cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"

setup.exe /mode:uninstall[/box]

At this point make sure your backup/replication software is pointed to the new Exchange 2019 Server.

Note: If you are running an On-Premise Exchange in Hybrid mode, and post migration if you have any mail flow problems see the following article;

No Mail Flow On-Premise To/From Office 365

Related Articles, References, Credits, or External Links

NA

Upgrade Server 2012 (In Place)

Upgrade Server 2012 KB ID 0001802

Server 2012 End Of Life

Windows Server 2012 (and Windows Server 2012 R2) will go end of life on October 10th 2023. Start planning to migrate your production workloads off this platform as soon as you can.

I’ve mentioned before on the site, I’m not a fan of ‘in place’ upgrades, you get to migrate all the ‘broken bits’ (that you didn’t realise were broken), and if the process goes wrong, best case scenario is you are going to be restoring from backup.

What can I upgrade to? Well essentially, your target is to upgrade to Server 2019, (not Server 2022, that’s not supported).

Upgrade Server 2012 Pre Requisites

Licenses: Just because you’re legally running Server 2012 does not mean you can upgrade to Server 2019, unless you have software assurance. If you’re wondering if you have software assurance you probably do not (typically you buy it on a three year deal with the option to extend it to five years, and it’s VERY expensive). So if you don’t know, you probably DON’T have the software assurance. So you will need to purchase a new agreement, or buy new retail copies of Server 2019.

You will require a Windows Key for the new server (or KMS services setting up that will allocate a Server 2019 key to the newly upgraded server.)

CALs/SALs (Chances are you WON’T have SALs, but if you do then speak to your MSP). You will need the correct amount of user/device CALs for Server 2019 before you start your upgrade.

Backup Support: Does your backup solution support server 2019? 

Application Support: Does your AV Software, Endpoint protection solution, or Managed Detection and Response system support Server 2019? Make sure you check this list for Microsoft application support, and ensure any third party applications are supported with the vendor.*

*I cannot stress this enough, I work for a major MSP, and most clients are astounded when we won’t simply upgrade their old server(s) from 2012, because we simply cannot guarantee that THEIR applications will work successfully on a newer version of Windows Server.

Hardware Support: Most servers are virtual these days, so this is less of an issue, but the machine/VM being upgraded needs to meet the minimum hardware requirements for server 2019.

Updates: MAKE SURE your existing 2012 server is up to date, (and the applications are patched as much as possible!)

Maintenance Window: During the upgrade the server will be offline to users, this will be for as long as a normal OS install, but you will need to plan in additional time for testing applications (post OS upgrade), then programming in any maintenance timings, and arranging and planning any CAB.

Snapshot: If you’re running in a virtual environment, then carry out a snapshot, (or Checkpoint if you are running Hyper-V).

Backup: Before even entertaining the idea of updating the server, make sure you have a good backup. I would make sure I could restore from backup successfully before even attempting an in place upgrade on a production server running 2012/2012R2. In fact if you’re risk averse, upgrade the restored server itself!

WARNING: Make sure the media you use to upgrade is up to date. While Windows server has a mainstream support date of 9th January 2024, some earlier versions may not be supported. ENSURE you are using build number 1809 Long-Term Servicing Channel (LTSC) or newer.

If you are in doubt about any role or application that may not work (post in place upgrade), then clone your machine, and test the upgrade on an isolated network to test the procedure beforehand.

Upgrade Server 2012 (Domain Controllers)

Other posts say this is not possible, but that is not true, (with some caveats). But it’s so much easier to build a new member server with Server 2019/2022 and then extend the forest and domain, promote the new server to be a DC, and demote the old server(s).

If you attempt to in place upgrade a 2012 server Windows MAY stop an in place upgrade with the following error;

Active Directory on this server does not contain Windows Server ADPREP / FORESTPREP updates.

Which makes sense (if you’ve ever done any domain upgrades or migrations). Before a 2019 DC can be introduced into a domain the forest and domain need to be prepared, (the schema extended). You can either (on this or another DC) run adprep.exe /forestprep and adprep.exe /domainprep from the 2019 install media (look in the support\adprep folder).

Note: Make sure you’re logged in as a member of the schema admins group!

Obviously if you’ve already run forestprep and domainprep and already have 2019 domain controllers this error will not appear and the server will simply update.

Upgrade Server 2012 (Exchange Server)

NO! Just don’t do this. Exchange on-premises is designed to be ‘swing migrated’ to a newer version. If you need to do this then PeteNetLive is littered with upgrade run-throughs, even if you are on older versions of Exchange.

Migrate Exchange 2010 to Exchange 2016 (& 2013)

Exchange 2019 Migration from Exchange 2016 (&2013)

Upgrade Server 2012 (SQL Server)

We are in murky waters here! Server 2019 (at time of writing) does not support anything OLDER than SQL 2014. So you may need to upgrade your SQL instances before you consider upgrading the OS. Every single time I’ve ever replaced a SQL server (and I’ve been doing this for over 20 years now) I’ve built a new one, migrated the databases and then the application vendor has installed ‘whatever’ application or website that required the database.

Also Server 2019/2022 have particular SQL CU level requirements!

If some SQL Jedi walks in here I’d welcome any comments below. But for me it’s a No!

Upgrade Server 2012 / 2012 R2 to Server 2019 (In Place)

By this point you’re adamant you DON’T want to build a new server and migrate your apps and data, and you’ve understood all the pre-requisites and warnings above.

Before starting, Microsoft recommend that you gather some information, run the following commands and take the information dumped into text files and put them safely elsewhere.

[box]

Systeminfo.exe >> SystemInfo.txt
ipconfig /all >> IPConfig.txt

[/box]

Then take a copy of the contents of the following two registry values;

[box]

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx

HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID

[/box]

Note: I lost the will to live trying to work out how to dump those two values into a text file with PowerShell 5.1 (there’s a challenge for you!)
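One way to take all of that evidence in one go, as an added example that is not the article’s own code: it writes systeminfo, ipconfig and the two registry values into a timestamped folder, then warns if the box is not actually Server 2012/2012 R2 or is a domain controller (which needs adprep first). It assumes Windows PowerShell 5.1 running as an administrator; the output path is a placeholder.

```powershell
# Added example (not the article's own code): collect the pre-upgrade evidence
# (systeminfo, ipconfig, BuildLabEx, EditionID) into one timestamped folder and
# sanity check the starting point. Windows PowerShell 5.1, run as administrator.
function Save-PreUpgradeInventory {
    param([string]$OutputRoot = 'C:\PreUpgrade')   # placeholder; copy the folder OFF this server afterwards

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $folder = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # The two registry values the article asks you to copy by hand, plus a little context.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $buildInfo = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        BuildLabEx   = $cv.BuildLabEx
        EditionID    = $cv.EditionID
        ProductName  = $cv.ProductName
        OSVersion    = $os.Version
        Collected    = $stamp
    }
    $buildInfo.GetEnumerator() |
        ForEach-Object { "$($_.Key)=$($_.Value)" } |
        Out-File -FilePath (Join-Path $folder 'Registry-CurrentVersion.txt') -Encoding ascii

    # Same two commands as the article, written into the same folder.
    systeminfo.exe     | Out-File -FilePath (Join-Path $folder 'SystemInfo.txt') -Encoding ascii
    ipconfig.exe /all  | Out-File -FilePath (Join-Path $folder 'IPConfig.txt')   -Encoding ascii

    # Server 2012 is NT 6.2 and 2012 R2 is NT 6.3; anything else is the wrong
    # starting point for this procedure.
    $ver = [version]$os.Version
    if ($ver.Major -ne 6 -or $ver.Minor -notin @(2, 3)) {
        Write-Warning "This is NT $ver, not Server 2012/2012 R2; check the supported upgrade paths first."
    }
    # The directory service (NTDS) only runs on a domain controller, which needs
    # adprep /forestprep and /domainprep before setup.exe will proceed.
    if (Get-Service -Name NTDS -ErrorAction SilentlyContinue) {
        Write-Warning 'NTDS is present: this is a domain controller, run adprep before upgrading.'
    }
    return $folder
}

Save-PreUpgradeInventory
```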

Present the Server 2019 Install to your 2012 server, locate and run setup.exe.

It will ask to check for updates, let it do so > Next.

If you are installing a ‘retail’ version of Windows Server, at this point it will ask for the licence key >

Call me an old traditionalist, I require a graphical user interface > Next.

I believe that someone at Microsoft should be made to read one of these out loud for EVERY copy of Windows it sells, seriously they could put anything in here. Now that your firstborn’s soul belongs to Microsoft > Accept.

The whole point is to retain our data! > Next.

It will now run through its pre-flight checks, pull down any updates and make sure it’s happy. When finished it will warn you if there are any potential problems. Here it’s complaining about my monitor driver, (probably because it’s using the Windows Update downloaded one, and not the VMware Tools one, to be fair). I know this won’t cause me any problems, I can click Confirm >

Last chance to bail out! Install.

One hour and twenty five minutes later,

In Place Upgrade of Server 2012 Running Certificate Services

Can you do this? Yes, even if you have a multi-tier PKI deployment. See here.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Outlook OAB download fails with 0x80004005 and/or 0x8004010F

KB ID 0000035 

Problem

0x8004010F is caused by the client not being able to see the Offline Address Book.

0x8004010F Error With Exchange 2013/2016/2019

Firstly make sure your Autodiscover is correct, on the Exchange server open the Exchange Management Shell, and issue the following command.

[box]

Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

[/box]

If you need to fix/change it, use the following syntax.

[box]

Set-ClientAccessServer -Identity PNL-MAIL-2019 -AutoDiscoverServiceInternalUri "https://mail.petenetlive.com/autodiscover/autodiscover.xml"

[/box]

Then check that the Offline Address Book is set correctly also.

[box]

Get-OabVirtualDirectory -server PNL-MAIL-2019

[/box]

If you need to fix/change it, use the following syntax.

[box]

Set-OabVirtualDirectory -Identity "PNL-MAIL-2019\oab (default web site)" -InternalUrl "https://mail.petenetlive.com/oab" -ExternalUrl "https://mail.petenetlive.com/oab"

[/box]

Then ensure ALL Mailbox databases are set to use the Default Offline Address Book.

[box]

Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book"
Get-MailboxDatabase | Ft Name, *book*

[/box]

Then check for the existence of the ‘Arbitration Mailbox’

[box]

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like "*OAB*"} | ft Name, ServerName, Database

[/box]

If it’s broken/missing then you can do the following.

[box]

New-OfflineAddressBook -Name "NEW-OAB" -AddressLists "\Default Global Address List" -VirtualDirectories "PNL-MAIL-2019\OAB (Default Web Site)"
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "NEW-OAB"
New-Mailbox -Arbitration -Name "OAB-GEN" -UserPrincipalName OAB@pnl.com -DisplayName "OAB-Generation-Mailbox" -Database MBX-DB-2019v2
Set-Mailbox -Arbitration OAB@pnl.com -OABGen $true

[/box]

Then finally restart the Exchange services. WARNING: this will cause downtime.

[box]

$services = Get-Service | ? { $_.name -like "MSExchange*" -and $_.Status -eq "Running"};foreach ($service in $services) {Restart-Service $service.name -Force}

[/box]

For Exchange 2010 / 2007 (0x8004010F Error)

1. Log onto the Exchange Server.
2. Start > All Programs > Exchange Management Console > Organisation Configuration > Mailbox > Offline Address Book > Create a new one (it must have a different name to {Default}).
3. Delete the Old Offline Address Book.
4. Set the one you created as the default.

WAIT 20 MINUTES – If the Problem Persists

1. Log onto the Exchange Server.
2. Start > All Programs > Exchange Management Console > Server Configuration > Mailbox.
3. Select the Mailbox store in the middle section > Right Click > Properties.
4. Client Settings tab > Browse > Select the Address book you created above > OK > OK.

WAIT 20 MINUTES

Note: I’ve also fixed by creating a new mail profile – though when I switched back to the original one it was ok – so I may not have been patient enough.

Related Articles, References, Credits, or External Links

NA

Group Won’t Accept Mail From ‘Outside’

KB ID 0001771

Problem

Exchange has been this way for a long time; here’s me explaining this very problem with older versions of Exchange. If you create a ‘Group’, be that a Distribution Group, or a ‘Microsoft 365’ Group, the default setting is to NOT ALLOW mail from anyone outside your organisation. If you attempt to send mail to that group you will see errors like these;

Errors;

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender not authenticated when sending to the group’

550 5.7.193 UnifiedGroupAgent; Delivery failed because the sender isn’t a group member or external senders aren’t permitted to send to this group.

Allow External Senders (On Premises & Hybrid Exchange)

If you have your own on premises Exchange server (this includes those of you that have migrated to Exchange Online, but are in Hybrid Mode and are syncing your domain objects into Microsoft/Office 365 (Azure)), then you should change this setting in the on premises Exchange Admin Centre.

Recipients > Groups > Select the group in question  > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

Note: Remember in hybrid mode this will need to sync to Microsoft online, so apply the ‘cup of coffee rule’ before testing it.

Allow External Senders Office/Microsoft 365 (Exchange Online)

Classic Exchange Admin Center

Recipients > Groups > Select the group in question  > Edit > Delivery Management > Change to ‘Senders inside and outside of my organisation’ > Save.

New Exchange Admin Center

Microsoft 365 Groups: Recipients > Groups > Microsoft 365 > ‘Double Click’ the group in question > Settings > Allow external senders to email this group > Save.

Distribution Groups: Recipients > Groups > Distribution List > ‘Double Click’ the group in question > Settings  > Edit Delivery Management.

Allow messages from people inside and outside my organisation > Save changes.
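The same setting from PowerShell, plus an audit of which groups are already open to the internet (every one of those is an address a spammer or phisher can reach without authenticating). This is an added example, not the article’s own code; it assumes an Exchange Management Shell or Exchange Online session, and the group name is a placeholder.

```powershell
# Added example (not the article's own code): PowerShell equivalent of the
# 'Delivery Management' setting, and an audit of groups that accept external mail.
# Works on-premises and in Exchange Online; Get-/Set-UnifiedGroup only exist online.

function Get-ExternallyReachableGroups {
    # RequireSenderAuthenticationEnabled = $false is exactly what 'Senders inside
    # and outside of my organisation' sets: any internet sender can reach the group.
    $groups = @(Get-DistributionGroup -ResultSize Unlimited)
    if (Get-Command -Name Get-UnifiedGroup -ErrorAction SilentlyContinue) {
        $groups += Get-UnifiedGroup -ResultSize Unlimited      # Microsoft 365 Groups
    }
    $groups |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails
}

function Set-GroupExternalSenders {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Allow      # present = open the group to external senders, absent = close it
    )
    $group = Get-Recipient -Identity $Identity
    # Microsoft 365 Groups (GroupMailbox) and classic distribution groups use
    # different Set- cmdlets, but the flag has the same name on both.
    if ($group.RecipientTypeDetails -eq 'GroupMailbox') {
        Set-UnifiedGroup -Identity $Identity -RequireSenderAuthenticationEnabled (-not $Allow)
    } else {
        Set-DistributionGroup -Identity $Identity -RequireSenderAuthenticationEnabled (-not $Allow)
    }
}

# Open one group (placeholder name) to outside senders, then list everything
# that is now reachable from the internet so the exposure is visible.
Set-GroupExternalSenders -Identity 'Sales Enquiries' -Allow
Get-ExternallyReachableGroups | Format-Table -AutoSize
```

In hybrid mode the on-premises change still has to sync to Microsoft 365 before the audit run online will reflect it.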

Related Articles, References, Credits, or External Links

NA

Can you Use ‘Let’s Encrypt’ on Hybrid Exchange?

KB ID 0001770

Problem

A few months ago I wrote an article about getting free Exchange certificates with ‘Let’s Encrypt’. And that still works peachy, I implemented it on my test Exchange 2019 server (in Hybrid mode) and all appeared well.

Some time later, (remember this is my test network so it’s not in production.) I noticed that mail was not getting forwarded from O365 to the on premises Exchange server. I’ve also had to fix similar problems like this before here.

These were the sort of errors I was seeing;

450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB8EUR05FT046.eop-eur05.prod.protection.outlook.com]

450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 TLS negotiation failed with error SocketError] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB3EUR04FT033.eop-eur04.prod.protection.outlook.com]

So the problem is obviously something to do with the certificate on the on premises server, so either it’s misconfigured or Microsoft O365 does not like the ‘Lets Encrypt’ certificate.

Solution

Firstly I made sure the send and receive connectors were using the correct certificate.

[box]

Get-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" | fl TlsCertificateName  
Get-SendConnector "Outbound to Office 365" | fl TlsCertificateName  

[/box]

Note: Above, change the server names and send connector name to match your own.

At this point I was pretty sure that the problem was with that cert so I bought myself a 12 month SSL cert (for the princely sum of $17) and used that instead.

How To Swap Hybrid Connector Certificates

Get the Thumbprint for the NEW publicly signed certificate (Get-ExchangeCertificate). Then use the following PowerShell.

[box]

$cert = Get-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename
Set-ReceiveConnector "PNL-MAIL-2019\Default Frontend PNL-MAIL-2019" -TlsCertificateName $tlscertificatename
Restart-Service MSExchangeTransport

[/box]

Now recheck the connectors again;
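Rather than eyeballing TlsCertificateName, this added check (not the article’s own code) resolves the value on both hybrid connectors back to an installed certificate and reports whether it is current, trusted and enabled for SMTP. It assumes an Exchange Management Shell on the hybrid server and uses the article’s placeholder connector names.

```powershell
# Added example (not the article's own code): map each hybrid connector's
# TlsCertificateName back to an installed certificate and flag the usual problems.
function Test-HybridConnectorCertificate {
    param(
        [string]$SendConnector    = 'Outbound to Office 365',
        [string]$ReceiveConnector = 'PNL-MAIL-2019\Default Frontend PNL-MAIL-2019'
    )
    $installed  = Get-ExchangeCertificate
    $connectors = @(
        [pscustomobject]@{ Kind = 'Send';    Name = $SendConnector;    Tls = (Get-SendConnector $SendConnector).TlsCertificateName }
        [pscustomobject]@{ Kind = 'Receive'; Name = $ReceiveConnector; Tls = (Get-ReceiveConnector $ReceiveConnector).TlsCertificateName }
    )
    foreach ($c in $connectors) {
        # TlsCertificateName is stored as "<I>issuer<S>subject"; an empty value
        # means Exchange picks a certificate itself, often the self-signed one.
        $m = [regex]::Match("$($c.Tls)", '^<[Ii]>(?<issuer>.*)<[Ss]>(?<subject>.*)$')
        if (-not $m.Success) {
            [pscustomobject]@{ Connector = "$($c.Kind): $($c.Name)"; Status = 'NOT PINNED'; Thumbprint = $null; Expires = $null; Problems = 'TlsCertificateName not set' }
            continue
        }
        $cert = $installed |
            Where-Object { $_.Issuer -eq $m.Groups['issuer'].Value -and $_.Subject -eq $m.Groups['subject'].Value } |
            Select-Object -First 1
        $problems = @()
        if (-not $cert) {
            $problems += 'no installed certificate matches the pinned issuer/subject'
        } else {
            if ($cert.NotAfter -lt (Get-Date))  { $problems += 'expired' }
            if ($cert.Issuer -eq $cert.Subject) { $problems += 'self-signed (Office 365 will not trust it)' }
            if ("$($cert.Services)" -notmatch 'SMTP') { $problems += 'not enabled for SMTP' }
            if ("$($cert.Status)" -ne 'Valid')  { $problems += "status $($cert.Status)" }
        }
        [pscustomobject]@{
            Connector  = "$($c.Kind): $($c.Name)"
            Status     = if ($problems) { 'CHECK' } else { 'OK' }
            Thumbprint = $cert.Thumbprint
            Expires    = $cert.NotAfter
            Problems   = $problems -join '; '
        }
    }
}

Test-HybridConnectorCertificate | Format-Table -AutoSize
```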

Then attempt to re-validate the connector in Office 365, and it works straight away.

SO NO YOU CAN’T USE ‘LETS ENCRYPT’ FREE CERTIFICATES IF YOUR EXCHANGE SERVER IS IN HYBRID MODE

Related Articles, References, Credits, or External Links

Office 365: Migrating To Exchange Online

Free Exchange Certificate

No Mail Flow On-Premises To/From Office 365