While trying to fix another Azure AD Replication problem today I managed to delete one of the connectors (the one for the local ‘on-prem’ Active Directory). In an effort to ‘recreate’ it, I ran the ‘Microsoft Azure Active Directory Connect’ and went to ‘Customise the Synchronisation Options’. Unfortunately I got this error;
The forest {forest-name} cannot be added because the attribute used to uniquely identify your users in Azure AD (mS-DS-ConsistencyGuid) is already in use.
That's not good! I was starting to get concerned.
Solution
There was, on the old DirSync, an install flag that skipped this step; would it still work? Yes it does: this time the wizard completes, recreates the connector correctly and everything works without any carnage. So what's the command? See below;
[box]
cd "C:\Program Files\Microsoft Azure Active Directory Connect"
AzureADConnect.exe /SkipLdapSearch
[/box]
By the time I checked the Synchronisation Service, everything had burst back into life, and all was well.
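Because /SkipLdapSearch bypasses the wizard's check that the anchor attribute is already populated, it is worth seeing what is populated (and where it came from) before you run it. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and uses a hypothetical $SearchBase parameter:

```powershell
Import-Module ActiveDirectory

function Get-ConsistencyGuidReport {
    # $SearchBase is a hypothetical parameter, e.g. 'OU=Staff,DC=corp,DC=example'; omit it to search the whole domain.
    param([string]$SearchBase)
    $query = @{
        LDAPFilter = '(mS-DS-ConsistencyGuid=*)'          # only users that already carry the anchor
        Properties = 'mS-DS-ConsistencyGuid', 'objectGUID', 'userPrincipalName'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query | ForEach-Object {
        $bytes = [byte[]]$_.'mS-DS-ConsistencyGuid'
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $_.UserPrincipalName
            # Azure AD stores the same 16 bytes, base64-encoded, as the user's ImmutableId.
            ImmutableId       = [Convert]::ToBase64String($bytes)
            # Azure AD Connect stamps the anchor with the user's own objectGUID; a mismatch
            # means it was set elsewhere (e.g. a cross-forest migration) and must not be overwritten.
            MatchesObjectGuid = ([guid]::new($bytes) -eq $_.ObjectGUID)
        }
    }
}

# Constructed usage: list the anchors that did NOT come from this forest's objectGUIDs.
Get-ConsistencyGuidReport | Where-Object { -not $_.MatchesObjectGuid } | Format-Table -AutoSize
```

Compare the ImmutableId column with what Azure AD holds (for example `Get-MsolUser | Select-Object UserPrincipalName, ImmutableId`) before deciding the existing values are safe to keep.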
Related Articles, References, Credits, or External Links
Out of the box, Exchange 2016 (and 2013) has five receive connectors: three for the Front End Transport service and two for the Mailbox Transport service.
Front End Transport Service: Does not alter, inspect, or queue mail. It is the first port of call for ALL mail coming into (and going out of) the Exchange organisation. This service creates THREE receive connectors, all bound to every available IPv4 and IPv6 address;
Client Frontend {Server-Name}: Listens on TCP 587 (secure SMTP). It is generally only used by POP clients that are ‘authenticated’ and are therefore allowed to send mail through the Exchange org.
Default Frontend {Server-Name}: Listens on TCP 25 (SMTP) and allows anonymous connections (by default). Note: Your incoming mail (from the public internet) usually comes in through this connector.
Outbound Proxy Frontend {Server-Name}: Confusingly, this one handles outbound mail; it is only used if you have set your send connector to proxy through one of your Exchange servers.
Mailbox Transport Service: Does NOT receive mail from clients; it (as the name implies) routes mail between mailboxes and the Front End Transport service. It is further broken down into;
Mailbox Transport Submission Service:
Mailbox Transport Delivery Service:
This creates two more receive connectors;
Client Proxy {Server-Name}: Listens on TCP 465.
Default {Server-Name}: Listens on TCP Port 25 (or 2525).
So what if someone ‘fiddles’ with them, or you are unsure whether they are set up correctly?
Solution: Default Receive Connectors
Default Receive Connectors Settings
If you just want to check the settings in the Exchange Admin Center;
Client Frontend {Server-Name}
General Settings;
Name: Client Frontend {Server-name}
Connector Status: Enable
Protocol logging level: None
Maximum receive message limit size (MB): 36
Maximum hop local count: 12
Maximum hop count: 60
Security Settings;
Transport Layer Security (TLS)
Basic Authentication
Offer basic authentication only after starting TLS
Integrated Windows Authentication
Permission Groups;
Exchange Users
Scoping;
Remote network settings;
::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
0.0.0.0-255.255.255.255
Network adaptor bindings;
(All Available IPv6) Port 587
(All Available IPv4) Port 587
FQDN: {The internal FQDN of your server}
Client Proxy {Server-Name}
General Settings;
Name: Client Proxy {Server-name}
Connector Status: Enable
Protocol logging level: None
Maximum receive message limit size (MB): 36
Maximum hop local count: 12
Maximum hop count: 60
Security Settings;
Transport Layer Security (TLS)
Basic Authentication
Offer basic authentication only after starting TLS
Integrated Windows Authentication
Exchange Server Authentication
Permission Groups;
Exchange Servers
Exchange Users
Scoping;
Remote network settings;
::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
0.0.0.0-255.255.255.255
Network adaptor bindings;
(All Available IPv6) Port 465
(All Available IPv4) Port 465
FQDN: {The internal FQDN of your server}
Default {Server-Name}
General Settings;
Name: Default {Server-name}
Connector Status: Enable
Protocol logging level: None
Maximum receive message limit size (MB): 36
Maximum hop local count: 12
Maximum hop count: 60
Security Settings;
Transport Layer Security (TLS)
Basic Authentication
Offer basic authentication only after starting TLS
Integrated Windows Authentication
Exchange Server Authentication
Permission Groups;
Exchange Servers
Legacy Exchange Servers
Exchange Users
Scoping;
Remote network settings;
::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
0.0.0.0-255.255.255.255
Network adaptor bindings;
(All Available IPv6) Port 2525
(All Available IPv4) Port 2525
FQDN: {The internal FQDN of your server}
Default Frontend {Server-Name}
General Settings;
Name: Default Frontend {Server-name}
Connector Status: Enable
Protocol logging level: None
Maximum receive message limit size (MB): 36
Maximum hop local count: 12
Maximum hop count: 60
Security Settings;
Transport Layer Security (TLS)
Enable domain security (mutual Auth TLS)
Basic Authentication
Offer basic authentication only after starting TLS
Integrated Windows Authentication
Exchange Server Authentication
Permission Groups;
Exchange Servers
Legacy Exchange Servers
Anonymous
Scoping;
Remote network settings;
::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
0.0.0.0-255.255.255.255
Network adaptor bindings;
(All Available IPv6) Port 25
(All Available IPv4) Port 25
FQDN: {The internal FQDN of your server}
Outbound Proxy Frontend {Server-Name}
General Settings;
Name: Outbound Proxy Frontend {Server-name}
Connector Status: Enable
Protocol logging level: Verbose
Maximum receive message limit size (MB): 36
Maximum hop local count: 12
Maximum hop count: 60
Security Settings;
Transport Layer Security (TLS)
Enable domain security (mutual Auth TLS)
Basic Authentication
Offer basic authentication only after starting TLS
Integrated Windows Authentication
Exchange Server Authentication
Permission Groups;
Exchange Servers
Scoping;
Remote network settings;
::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
0.0.0.0-255.255.255.255
Network adaptor bindings;
(All Available IPv6) Port 717
(All Available IPv4) Port 717
FQDN: {The internal FQDN of your server}
Recreating Your Exchange Default Receive Connectors From Scratch
Note: We are talking about the default receive connectors here. If you have created any of your own (for mail relaying from a device, for example) you will need to recreate those manually. Below we are going to delete all the default connectors and recreate them with a PowerShell script.
Optional: Take a backup of the default receive connector settings to text files. Run the ‘Backup-Connector-Settings.ps1’ script. This will dump the settings to the root of the C: drive in ‘Current {Server-Name} {Connector-Name}.txt’ format.
You can now delete the default receive connectors. (Warning: notice I said default receive connectors; this may or may not be all of your connectors.)
Recreate the default receive connectors: Run the ‘Create-Default-Receive-Connectors.ps1’ script.
Optional: You can now output the settings of the new connectors (why? So you can compare them to your original settings). Run the ‘AFTER-Connector-Settings.ps1’ script. This will dump the settings to the root of the C: drive in ‘Receive {Server-Name} {Connector-Name}.txt’ format.
You can now compare the two sets of files; the only differences are usually the creation date and the GUID.
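The settings listed above are also what you check when you suspect someone has ‘fiddled’ with the connectors, or when comparing recreated connectors with the originals. The function below is an added example, not one of the article's scripts; it assumes the Exchange Management Shell and that $Server is the name embedded in the connector names ("… {Server-Name}"):

```powershell
# Added audit example (not the article's script): compare a server's five default
# receive connectors with the expected port, permission groups and auth settings.
function Test-DefaultReceiveConnectors {
    param([string]$Server = $env:COMPUTERNAME)   # assumption: name used in the connector names
    # Expected port and permission groups, from the listing above.
    $expected = @{
        'Client Frontend'         = @{ Port = 587;  Groups = 'ExchangeUsers' }
        'Default Frontend'        = @{ Port = 25;   Groups = 'ExchangeServers,ExchangeLegacyServers,AnonymousUsers' }
        'Outbound Proxy Frontend' = @{ Port = 717;  Groups = 'ExchangeServers' }
        'Client Proxy'            = @{ Port = 465;  Groups = 'ExchangeServers,ExchangeUsers' }
        'Default'                 = @{ Port = 2525; Groups = 'ExchangeServers,ExchangeLegacyServers,ExchangeUsers' }
    }
    $connectors = @(Get-ReceiveConnector -Server $Server)
    $findings   = @()
    foreach ($prefix in $expected.Keys) {
        $want = $expected[$prefix]
        $c = $connectors | Where-Object { $_.Name -eq "$prefix $Server" }
        if (-not $c) { $findings += "MISSING: '$prefix $Server'"; continue }
        # Bindings render as "0.0.0.0:25" / "[::]:25"; take the port off the end.
        $ports = @($c.Bindings | ForEach-Object { [int]("$_" -replace '^.*:(\d+)$', '$1') } | Sort-Object -Unique)
        if (($ports -join ',') -ne "$($want.Port)") {
            $findings += "$($c.Name): bound to port(s) $($ports -join ','), expected $($want.Port)"
        }
        # PermissionGroups renders as "ExchangeUsers, ExchangeServers"; compare as sorted sets.
        $have = @("$($c.PermissionGroups)" -split ',\s*' | Sort-Object) -join ','
        $need = @($want.Groups -split ',' | Sort-Object) -join ','
        if ($have -ne $need) {
            $findings += "$($c.Name): permission groups [$have], expected [$need]"
        }
        # Anonymous connections belong on Default Frontend only; anywhere else is an open-relay risk.
        if ($have -match 'AnonymousUsers' -and $prefix -ne 'Default Frontend') {
            $findings += "$($c.Name): accepts ANONYMOUS connections from $($c.RemoteIPRanges -join ', ')"
        }
        $auth = @("$($c.AuthMechanism)" -split ',\s*')
        if ($auth -notcontains 'Tls') { $findings += "$($c.Name): TLS is not offered" }
        if ($auth -contains 'BasicAuth' -and $auth -notcontains 'BasicAuthRequireTLS') {
            $findings += "$($c.Name): Basic authentication is offered before TLS (credentials in clear)"
        }
        if (-not $c.Enabled) { $findings += "$($c.Name): connector is disabled" }
    }
    # Anything else is a custom connector (e.g. a device relay) that a default-connector script will not recreate.
    $defaults = @($expected.Keys | ForEach-Object { "$_ $Server" })
    foreach ($extra in $connectors | Where-Object { $defaults -notcontains $_.Name }) {
        $findings += "CUSTOM: $($extra.Name) (groups: $($extra.PermissionGroups)) - back this one up separately"
    }
    if ($findings.Count -eq 0) { "All five default receive connectors on $Server match the expected settings." } else { $findings }
}
```

Run it once before deleting anything (so the CUSTOM lines tell you what the default-connector script will not bring back) and again after recreating the connectors.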
One of the big drawbacks of Exchange management being built on PowerShell, and talking to the PowerShell virtual directory in IIS, is that when IIS has a problem you can’t manage your Exchange via the Exchange Management Shell or the Exchange Management Console.
While trying to fix a problem last week I wanted to remove and recreate the PowerShell virtual directory, and I found the PowerShell command, but no working examples for the correct syntax.
Solution
1. Remember your Exchange Management Shell won’t work, so load the ‘Windows PowerShell Modules’ shell. (Note: You will find this one under Administrative Tools, NOT the one on the taskbar.)
2. To remove the PowerShell virtual directory from the default web site;
[box]
Remove-PowerShellVirtualDirectory "Powershell (Default Web Site)"
[/box]