Procedure to Recreate a Microsoft Clustered Role

1. Delete cluster role

2. Validate that the DNS entry has been purged
a. Check DNS

Example: entry still exists
C:\Users\176233>nslookup roguesherver
Server: dns01.kimconnect.local
Address: 192.168.500.152

Name: roguesherver.kimconnect.local
Address: 192.168.500.133
Example: entry has been removed
C:\Users\176233>nslookup roguesherver
Server: roguesherver.kimconnect.local
Address: 192.168.500.152
*** roguesherver.kimconnect.local can't find roguesherver: Non-existent domain

b. Purge instances of servername in DNS

3. Manually purge the virtual computer name object in AD
a. Search for roguesherver
b. Delete roguesherver
c. Manually trigger AD Sync or wait for automatic AD propagation schedule

4. Recreate the clustered role
a. Recreate the role using PowerShell or GUI
b. Possible Error:
– Error message: “The network name is already used on the network”
– Resolution: just wait 5 to 10 minutes or repeat previous steps
– Error message: “The IP Address ‘x.x.x.x’ is already used.”
– Resolution: purge the IP address reservation in the DNS Reverse lookup zone

How to Expand a Windows NTFS Volume as a LUN of HPe Nimble Storage

1. Take volume off synchronous mode

– Pre-emptively avoid this error: “Failed to update the volume. Failed to update the volume: Operation is not permitted on volumes configured for synchronous replication.”
– Login to Nimble > click on Manage > Data Storage > click the target volume > Edit > Next to advance to the Space settings > Next to advance to the Protection Settings > select “No Volume Protection” > Save > select Okay to disassociate… > Make Edits to commit change

2. Expand volume size

– Click on Manage > Data Storage > click the target volume > Edit > Next to advance to the Space settings > type in a numerical value to represent the desired volume size (e.g. change from 2.4 TiB to 3.0 TiB) > Save > put a check mark next to Okay to resize volume > Make Edits

3. Resize volume in Windows

These commands are to be executed on the owner node of the target volume.

The quick method
# Resize volume to its available maximum

$max=(Get-PartitionSupportedSize -DriveLetter $driveLetter).SizeMax
Resize-Partition -DriveLetter $driveLetter -Size $max
The struggles during troubleshooting
# View all partitions of disk 13
PS C:\Windows\system32> Get-Partition -DiskNumber 13
DiskPath: \\?\Disk{0a0816ef-54f0-2eae-ff8c-8edb05b53e72}
PartitionNumber DriveLetter Offset Size Type
--------------- ----------- ------ ---- ----
1 17408 128 MB Reserved
2 V 135266304 2.38 TB Basic

# View specific partition of disk
PS C:\Windows\system32> Get-Partition -DiskNumber 13 -PartitionNumber 2
DiskPath: \\?\Disk{0a0816ef-54f0-2eae-ff8c-8edb05b53e72}
PartitionNumber DriveLetter Offset Size Type
--------------- ----------- ------ ---- ----
2 V 135266304 2.38 TB Basic

# collect partition sizes as a variable
$size = (Get-PartitionSupportedSize -DiskNumber 13 -PartitionNumber 2)

Get-PartitionSupportedSize -DiskNumber 13 -PartitionNumber 2)
0/2+ completed
[ ]

PS C:\Windows\system32> $size
SizeMin SizeMax
------- -------
2612375207936 2616702516736
# Demonstration of a failed attempt due to a bug in 
Resize-Partition -DiskNumber 13 -PartitionNumber 2 -Size $size.SizeMax

PS C:\Windows\system32> Resize-Partition -DiskNumber 13 -PartitionNumber 2 -Size $size.SizeMax
Resize-Partition : Size Not Supported

Extended information:
The size of the extent is less than the minimum of 1MB.

Activity ID: {90e2f332-c11d-4df3-a056-a52a6970dcf0}
At line:1 char:1
+ Resize-Partition -DiskNumber 13 -PartitionNumber 2 -Size $size.SizeMa ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (StorageWMI:ROOT/Microsoft/.../MSFT_Partition) [Resize-Partition], CimExce
+ FullyQualifiedErrorId : StorageWMI 4097,Resize-Partition

$wrongSize = (Get-PartitionSupportedSize -DiskNumber 13 -PartitionNumber 2)
$correctSize = (Get-PartitionSupportedSize -DriveLetter $driveLetter)

PS C:\Windows\system32> $correctSize
SizeMin SizeMax
------- -------
2612374355968 2748643786240

PS C:\Windows\system32> $wrongSize
SizeMin SizeMax
------- -------
2612375207936 2616702516736
4. Turn synchronous mode back on
a. Delete orphanated copy

– Login to Nimble > click on Manage > Data Storage > put a check-mark next to the target volume’s previous replicated copy (should be shown as offline) > click on “X” or “Remove” button > verify that the volume to delete is the orphanated copy > Delete

b. Add volume back to protection group

– Click on Manage > Data Protection > click on the correct Volume Collection (also known as protection group) > Actions > Edit > highlight the target volume in the Available pool > Add > Save

PowerShell: Deploy Certs on Remote Windows Servers

# Purpose: manually deploy certificates onto remote servers at the "Personal" Certificates store

# Set variables
$sourceCert="\\FILESHERVER01\SOMECERT.pfx "
$certPassword=ConvertTo-SecureString "CERT_PASSWORT" -AsPlainText -Force

# Function to copy cert to remote servers prior to accessing WinRM to apply them
function copyCertsToServers{
$servers |%{Copy-Item $sourceCert -Destination "\\$_`\c$"}

# Apply certs on remote machines
$servers | %{ Invoke-Command -ComputerName $_ -ScriptBlock {
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -FilePath "C:\WildCard.pfx" -Password $x;
} -ArgumentList $certPassword

Disk Partitioning & Formatting Reference

Refer to this table as a reference on sector/cluster size leading to maximum storage per LUN:

Cluster size

NTFS Max Size

  512 bytes             

  2,199,023,255,040 (2TB)

 1024 bytes

  4,398,046,510,080 (4TB)

 2048 bytes

  8,796,093,020,160 (8TB)

 4096 bytes

 17,592,186,040,320 (16TB) Default cluster size

 8192 bytes

 35,184,372,080,640 (32TB)

16384 bytes  

 70,368,744,161,280 (64TB)

32768 bytes

140,737,488,322,560 (128TB)

65536 bytes            

281,474,976,654,120 (256TB)

On Partitioning, the caveat is that we cannot use MBR as its limitation is (2^32)-1 sectors * 512 bytes/cluster = 2,199,023,255,040 bytes or 2TB. Instead, we use GPT (Guid Partition Table). GPT uses 64 bits for logical block addresses, allowing a maximum disk size of 264 sectors. For disks with 512-byte sectors, the maximum size is 9.4 ZB (9.4 × 10²¹ bytes) or 8 ZiB (264 sectors × 29bytes per sector). Booting on a GPT disk may require UEFI and 64bit OS. If such disk is dedicated as storage, then GTP trumps MBR.
On Formatting, “NTFS maximum theoretical limit on the size of individual files is 16 EiB (16 × 10246 or 264 bytes) minus 1 KB, which totals 18,446,744,073,709,550,592 bytes. With Windows 10 version 1709 and Windows Server 2019, the maximum implemented file size is 8 PB minus 2 MB or 9,007,199,252,643,840 bytes.”  Please note that Windows 2016 Server are having these limitations, also. (
Reference table from






Operating System Windows 2000
Windows XP
Windows 2003 Server
Windows 2008
Windows Vista
Windows 7
Windows NT
Windows 2000
Windows XP
Windows 2003 Server
Windows 2008Windows Vista
Windows 7
Windows CE 6.0
Windows Vista SP1
Windows 7
DOS v7 and higher
Windows 98
Windows ME
Windows 2000
Windows XP
Windows 2003 Server
Windows Vista
Windows 7
Max Volume Size 2 ^ 64 clusters – 1 cluster 2 ^ 32 clusters – 1 cluster 128PB 32GB for all OS. 2TB for some OS
Max Files on Volume 4,294,967,295
2 ^ 32 -1
2 ^ 32 -1
Nearly Unlimited 4194304
Max File Size 2 ^ 64 bytes 
(16 ExaBytes) minus 1KB
2 ^ 44 bytes 
(16 TeraBytes) minus 64KB
16EB 4GB minus 2 Bytes
Max Clusters Number 2 ^ 64 clusters – 1 cluster 2 ^ 32 clusters – 1 cluster 4294967295 4177918
Max File Name Length Up to 255 Up to 255 Up to 255 Up to 255

Exchange Email Sending Status code: 550 5.7.133

Error Message:

The group <group name> only accepts messages from people in its organization or on its allowed senders list, and your email address isn’t on the list.

More Info for Email Admins
Status code: 550 5.7.133

This error occurs when the distribution group, security group, or Office 365 group is configured to accept messages only from authenticated senders (senders in the same organization or those added to the group's allowed senders list).

To fix the issue, the recipient's email admin or the group owner must add the sender's email address to the group's allowed senders list or change the group's delivery management setting to accept messages from senders inside and outside of the organization.

Usually this issue can only be fixed by the recipient's email admin or the group owner.

For more information and steps to fix this error, see Fix email delivery issues for error code 5.7.133 in Office 365.


Assuming that the Office365 to On-Premise Exchange connect have been validated and functional, this command would fix the problem.

$groupName="<group name>"
Set-DistributionGroup $groupName -RequireSenderAuthenticationEnabled $false

Exchange Server Decommisioning

Decommissioning Exchange hosts should have all Exchange services disabled. Thereafter, we may safely turn these Exchange server off without interrupting email services.

Deleting Exchange servers aren’t usually recommended as there are risks involved. We could choose to archive virtual machine files onto an external hard drive to save space on production VM hosts. This typically is the extent of a decom task, and I do recommend that we pause decom activities of these machines at this phase to allow us the ability to “spin up” the machines should they consist of unknown-at-this-time email data.

Optionally, we may choose to fully purge Exchange servers. Here are the steps:

If the server is still online, start its Exchange services and move its public folder replicas to another Exchange host using these commands
$decomServers | %{MoveAllReplicas -sourceserver $_ -targetsever $productionServer}

Clear all remnants of the downed server from Active Directory – be advised that this is irreversible without AD restores:
-Connect to the domain controler
-Launch the run dialog (Windows Key + R)
-Type in the command “adsiedit.msc” et then press “OK”
-Right click on the console then “Connect to:”
-In the connexion dialog select “Well known Naming Context”
-In the drop down menu select “Configuration”
-Explode “CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\CN=Servers”
-Right click on the dead server and pick “Delete”
-We also need to delete Database information as well, navigate to “CN=Configuration [domain]\CN=Services\CN=Microsoft -Exchange\CN=[organization]\CN=Administrative Groups\CN=Databases”
-Explode each items to find wich one is related to the old server, then delete it as well.
-Launch Server Manager > Navigate to Roles > Active Directory Domain Services > Active Directory users and Computers $domain > $domain > Microsoft Exchange Security Groups > Exchange Servers > right-click the decom server > remove this server to remove it from the list of Exchange Trusted Subsystem

Microsoft Exchange Server Certificates

When Exchange Server certificates expire, it’s the responsibility of the System Administrator to update those certs. Here’s a sequence of execution to ensure server up time.

Current Instructions (Applicable to Updating Mailbox roles)
Obtain Public Cert

Get a public cert from a certificate authority such as Commodo, Godaddy, etc.

Optional: Create Updated Self Signed Cert
# Create New Cert
$friendlyName="Exchange Certificate"
New-ExchangeCertificate -FriendlyName $friendlyName -SubjectName CN=$domain -DomainName $domain,$fqdn -PrivateKeyExportable $true
Add Updated Cert into Certificates Store of Local Machine and Remove Old Cert

Using Exchange PowerShell

Import-ExchangeCertificate -FileName "\\FILESHERVER01\Software\Certificates\kimconnect_cert.pfx" -Password (ConvertTo-SecureString -String '$!JFQ$j0(jeVE@!' -AsPlainText -Force) -FriendlyName $friendlyName -PrivateKeyExportable $true -Services SMTP,IIS,UM,UMCallRouter,POP,IMAP

This certificate with thumbprint XXXXXXXXXX and subject '*' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint XXXXXXXXXX and subject '*' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.
# Set POP & IMAP with fqdn using Exchange PS
Set-POPSettings -X509CertificateName
Set-IMAPSettings -X509CertificateName
# Restart affected services using System PowerShell (not Exchange PS)
Stop-Service MSExchangePop3
Start-Service MSExchangePop3
Stop-Service MSExchangeImap4
Start-Service MSExchangeImap4

Using GUI

Run: certlm.msc

  1.  Add New Cert
    – Personal > right-click Certificates > All Tasks > Import > navigate to the location of the New Cert > OK > OK
    – Right-click New Cert
  2. Back up Old Cert
    Right-click old cert > All tasks > Export > Next > select “Yes, export the private key” > Next > put a check mark next to “Export all extended properties” > Next > put a check mark next to “Password” > input password > Next > input file name (e.g. C:\certs\$certname_expiring_date.pfx) > Next > OK
  3. Document private key permissions of old cert
    Right-click old cert > All tasks > Manage Private Keys

    Add Network Service with READ permissions
  4. Remove old cert – WARNING: this will render URL access offline until new cert is rebound within IIS!
    Right-click old cert > delete > OK
Bind New Cert to IIS on Exchange Server

Run: inetmgr.msc > $serverName > Sites > Default Web Site > Bindings > Set these
– https 443 * = new Public Cert
– https 443 = Local Server Self Signed Cert (e.g.

Restart services
# Restart IIS
# Restart Exchange Transport
Stop-Service MSExchangeTransport
Start-Service MSExchangeTransport
# Restart MSExchangeMailboxAssistants
Stop-Service MSExchangeMailboxAssistants
Start-Service MSExchangeMailboxAssistants
# Optional: restart Exchange Information Store
Stop-Service MSExchangeIS
Start-Service MSExchangeIS
Validate Exchange Functionality
# Check Exchange Service Health
# Validate access to Exchange Control Panel
Function getDefaultBrowser {
#Get the default Browser path
New-PSDrive -Name HKCR -PSProvider registry -Root Hkey_Classes_Root | Out-Null
$browserPath = ((Get-ItemProperty ‘HKCR:\http\shell\open\command’).'(default)’).Split(‘”‘)[1]
return $browserPath
start "$fqdn"
Troubleshooting commands:
# Check for server roles (pay attention to Edge Transport roles as that role will require special Cert updating sequence)
Get-ExchangeServer | select name, serverrole, edition, admindisplayversion, isClientAccessServer | fl
# Check for self-signed certs
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
Raw Notes from Prior

1. Run inetmgr.exe (Internet Information Services Manager)

  • Default Web Site:
    – https * 443 => fqdn public certificate (e.g. Issued To = *; Issued By = “DigiCert SHA2 High Assurance Server CA”)
    – https 443 => fqdn public certificate
  • Exchange Back End:
    – https * 444 => private server certificate (e.g. Issued To =, Issued By = KimConnect SHA2 CA)

2. Run services.msc to restart these services

  • IIS Admin Service (IISReset /noforce)
    Microsoft Account Signin Assistance
    Microsoft Exchange Information Store
    Microsoft Exchange Mailbox Assistants
    Microsoft Exchange Forms-based Authentication Service (may not be available on some instances)
  • Start an EMS > C:\Program Files\Microsoft\Exchange Server\V15\Bin\UpdateCas.ps1
  • Run inetmgr.exe > Reset the OWA virtual directory

3. Check Exchange Service Health to validate that there are no ServicesNotRunning items

[PS] C:\Windows\system32>Test-ServiceHealth

Role : Mailbox Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeDelivery, MSExchangeIS,
MSExchangeMailboxAssistants, MSExchangeRepl, MSExchangeRPC, MSExchangeServiceHost,
MSExchangeSubmission, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}

Role : Client Access Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeIMAP4, MSExchangeMailboxReplication,
MSExchangeRPC, MSExchangeServiceHost, W3Svc, WinRM}
ServicesNotRunning : {}

Role : Unified Messaging Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeServiceHost, MSExchangeUM, W3Svc, WinRM}
ServicesNotRunning : {}

Role : Hub Transport Server Role
RequiredServicesRunning : True
ServicesRunning : {IISAdmin, MSExchangeADTopology, MSExchangeEdgeSync, MSExchangeServiceHost,
MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning : {}

Check the OWA VD settings:

Get-OwaVirtualDirectory | FL Identity,*auth*,*url*
Get-EcpVirtualDirectory | FL Identity,*auth*,*url*

4. Validate access to Exchange Admin Center

– Authenticate to https://{fqdn}/ecp
– If HTTP error 503 or 500 occurs, try https://{fqdn}/ecp/?ExchClientVer=15

5. Additional troubleshooting items

Change the authentication method of the “owa” virtual directory to Windows authentication

set-Owavirtualdirectory -identity "E15MBX\owa (Exchange Back End)" -WindowsAuthentication $True -Basicauthentication $false -Formsauthentication $false
IISReset /noforce

Raw Notes:

Failed to connect to the Edge Transport server ADAM instance with exception The supplied credential is invalid.. This could be caused by a failure to resolve the Edge Transport server name in DNS, a failure trying to connect to port 50636 on, network connectivity issues, an invalid certificate, or an expired subscription. Verify your network and server configuration.

Process to Resolve:

Preliminary steps to rule out easy to fix problems:

# Verify connectivity from Hub to Edge
ran check-netconnection function to verify connectivity between exch-hub to EXCH-EDGE port 50636 with success = $true

# Check to see whether there are any error messages in the queue:

Restart some services on Hub and Edge servers
1. Restart the following services on MBX Server
Microsoft Exchange EdgeSync
Microsoft Exchange Transport
2. Restart the following services on Edge Server
Microsoft Exchange ADAM
Microsoft Exchange Credential service
Microsoft exchange Transport

# Confirm if the certificate meets the FQDN of Edge Server if it has been enabled for SMTP service
get-exchangecertificate | FL

Intermediate Level steps to address connector issues:

Mail flow:
Outlook client <==> Hub Exchange <==> Edge Exchange <==> Barracuda (smart host) <==> Internet <==> Destination email systems

- Hub uses EdgeSync to connect to the edge server via ADAM credentials and those are periodically changed by the "Edge Credential Service"
- Only the Client Access Role server requires public certs. The rest of the other roles does not require such.
- Connectors between Edge and Hub servers require SSL, and those can be private certs.
- If the Edge server cert is updated, New-EdgeSubscription command needs to be ran to generate a newEdgeSubcription.xml file
- The newEdgeSubscription.xml needs to also be ran on the Hub server to import new Edge connector information
- Make sure the credential service is up and running on the edge.
- Call start-edgesynchronization is required to synchronize between Edge and Hub is a new subscription has been created
- Send connectors and Receive connectors can be automatically generated

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2010>Start-EdgeSynchronization

RunspaceId : f9a541a8-51db-4b87-a392-b727eeae6c42
Result : CouldNotConnect
Type : Recipients
FailureDetails : The supplied credential is invalid.
StartUTC : 8/9/2019 6:45:46 PM
EndUTC : 8/9/2019 6:45:46 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0

RunspaceId : f9a541a8-51db-4b87-a392-b727eeae6c42
Result : CouldNotConnect
Type : Configuration
FailureDetails : The supplied credential is invalid.
StartUTC : 8/9/2019 6:45:46 PM
EndUTC : 8/9/2019 6:45:46 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0

[PS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Exchange Server 2010>Get-EdgeSubscription

Name Site Domain
---- ---- ------


Recreate Edge Subscription:

On Hub server

# Generate new private Exchange certificate
New-ExchangeCertficate -DomainName $domain, $fqdn -PrivateKeyExportable $true -KeySize 2048

# Check certs

# Get more details about cert
# $newcert = get-ExchangeCertificate | ? { $_.certdate -like "blah blah"} | select name
get-exchangecertificate $number | fl

# set iis to bind to new cert
# perform iisreset
# backup old cert and remove it

# New-SendConnector -Custom -Name Baracudda -AddressSpaces * -smarthost -ForceHELO $true -SmartHostAuthMechanism None -Source $edgeServer

# Remove Edge Subscription
Get-EdgeSubscription | Remove-EdgeSubscription

On Edge

# Clean up old certs
lmcert.msc > remove Microsoft Exchange ADAM from Personal Certs folder

# Remove Edge Subscription
Get-EdgeSubscription | Remove-EdgeSubscription

# Generate new subscription file
New-EdgeSubscription -Filename c:\newEdgeSubscription.xml
Re-start the Microsoft Exchange ADAM

On Hub server
# New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "\\EXCH-EDGE\c$\newEdgeSubscription.xml" -Encoding Byte -ReadCount 0)) #Experimental command
New-EdgeSubscription -Filename c:\newEdgeSubscription.xml

[PS] C:\Windows\system32>New-EdgeSubscription -Filename c:\newEdgeSubscription.xml

If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result,
any of the following objects that were created manually will be deleted: accepted domains, message classifications,
remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside
the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the
TransportConfig object will be overwritten during the synchronization process.
EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Hub Transport servers in the
Active Directory site to which the Edge Transport server is being subscribed, and those Hub Transport servers be able
to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in
the next "1440" minutes before the bootstrap account expires.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

New-EdgeSubscription : Microsoft Exchange couldn't create or update the Edge Subscription account on the Edge Transport
server for the following reason: The LDAP server is unavailable.. Stack is at System.DirectoryServices.Protocols.LdapConnection.Connect()
at system.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
at Microsoft.Exchange.MessageSecurity.EdgeSync.AdamUserManagement.CreateOrUpdateADAMPrincipal(String user, String password, Boolean bootStrapAccount, TimeSpan expiry)
at Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription.InitiateSubscriptionOnEdge()
At line:1 char:21
+ New-EdgeSubscription <<<< -Filename c:\newEdgeSubscription.xml
+ CategoryInfo : InvalidOperation: (:) [New-EdgeSubscription], InvalidOperationException
+ FullyQualifiedErrorId : 780DB3C3,Microsoft.Exchange.Management.SystemConfigurationTasks.NewEdgeSubscription

# Check status of Exchange ADAM Services
Get-Service *ADAM* | ft Di*,St*

# Check Exchange certificates
[PS] C:\Windows\system32>Get-ExchangeCertificate | fl

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
CertificateDomains : {ab0ee702-f37f-4dff-bfb2-66698a441d9a}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=280b6975-b30a-4f5b-b2c3-7864e37f1c05
NotAfter : 8/9/2119 1:36:53 PM
NotBefore : 8/9/2019 12:36:53 PM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : 73AC7DDB217BA7AF44847CC68A8B9CC9
Services : None
Status : Invalid
Subject : CN=ab0ee702-f37f-4dff-bfb2-66698a441d9a
Thumbprint : CFD78D7F9DFAA0BD537B3755C24089CE3ED0EC55

AccessRules :
CertificateDomains : {EXCH-EDGE,}
HasPrivateKey : True
IsSelfSigned : True
NotAfter : 10/11/2017 11:09:54 PM
NotBefore : 10/11/2012 11:09:54 PM
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 5DC03A0D09D1C594468C11CE9EC919D4
Services : SMTP
Status : DateInvalid
Subject : CN=EXCH-EDGE
Thumbprint : 4157434692710986BAC026FD2DFE32D4352DE9B3

AccessRules :
CertificateDomains : {,,,, autodisc,,,,,,}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=
com/repository, O=", Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 5/16/2016 11:18:35 AM
NotBefore : 5/16/2011 11:18:35 AM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 2B94032E16C980
Services : SMTP
Status : DateInvalid
Subject :, OU=Domain Control Validated,
Thumbprint : A05FBA0E72AD3D3E666973C9AFDE378535E24393


# Create New Cert
$friendlyName="Exchange Certificate"
New-ExchangeCertificate -FriendlyName $friendlyName -SubjectName CN=$domain -DomainName $domain,$fqdn -PrivateKeyExportable $true #Optional:-Services SMTP -KeySize 2048

# Check for self-signed certs
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

# Restart Exchange Transport
Stop-Service MSExchangeTransport
Start-Service MSExchangeTransport

# Create new Subscription on Edge servers:
New-EdgeSubscription -Filename c:\newEdgeSubscription.xml

# Import subscription on Hub server
New-EdgeSubscription -Filename c:\newEdgeSubscription.xml

# On Hub, trigger New Edge Susbcription via Exchange Management Console GUI
New-EdgeSubscription -FileData '<Binary Data>' -Site $site -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Trigger sync
start-edgesynchronization -forcefullsync

# Restart Exchange Transport
Stop-Service MSExchangeTransport
Start-Service MSExchangeTransport

# Check mail queue

# Check logs, navigate to:

# Create new connector to point to the smart host (Barracuda spam filter). Make sure that the Source of Send Connector is Edge Server (not Hub Server)
# Disable the automatically generated connector that does not use the smart host

# Example of mail flow issue when the smart host does not accept connections from the Hub server. Resolution was to change the connector Source to the Edge transport

[PS] C:\Windows\system32>Get-Queue

Identity DeliveryType Status MessageCount NextHopDomain
-------- ------------ ------ ------------ -------------
exch-hub\1639048 MapiDelivery Active 17 school-mailboxdb3
exch-hub\1639053 SmartHost... Retry 5675 []
exch-hub\1639058 MapiDelivery Active 10 do-mailboxdb
exch-hub\1639059 MapiDelivery Active 12 school-mailboxdb4
exch-hub\1639060 MapiDelivery Active 14 school-mailboxdb2
exch-hub\Submission Undefined Ready 103 Submission
exch-hub\Shadow\1591071 ShadowRed... Ready 62
exch-hub\Shadow\1639036 ShadowRed... Ready 166

[PS] C:\Windows\system32>Get-Queue -Identity exch-hub\1639053 | fl #where 1639053 is Identity of the smart host

RunspaceId : b2e3dae0-ecb1-4508-b307-31da04271141
DeliveryType : SmartHostConnectorDelivery
NextHopDomain : []
TlsDomain :
NextHopConnector : 77215356-bf27-49bc-bd41-4603375ac561
Status : Retry
MessageCount : 5656
LastError : 451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection dropped due to SocketE
rror." Attempted failover to alternate host, but that did not succeed. Either there are no alter
nate hosts, or delivery failed to all alternate hosts.
LastRetryTime : 8/9/2019 5:45:39 PM
NextRetryTime : 8/9/2019 5:50:39 PM
DeferredMessageCount : 0
QueueIdentity : exch-hub\1639053
Identity : exch-hub\1639053
IsValid : True

PowerShell: Microsoft Exchange to Require that all Senders are Authenticated

In this scenario, the business decision is to limit exposure of certain internal accounts to only allow those to receive emails from the same “Exchange Organization”. This is an extra measure to improve enterprise security posture by further reducing spams and potential messaging vulnerabilities.

# Set "Require that all senders are authenticated" for one account
$targetObject = Get-ADUser -Filter 'SamAccountName -eq $targetUsername'
Set-ADUser $targetObject -Replace @{msExchRequireAuthToSendTo = $True}
# Set "Require that all senders are authenticated" for all Distribution Groups
$distributionGroups = Get-ADGroup -Filter 'groupcategory -eq "distribution"'
ForEach ($group In $distributionGroups){
Set-ADGroup $group -Replace @{msExchRequireAuthToSendTo = $True}

HPE: Gen8 Bios Settings to Prepare Host for Virtualization Role

Proliant Gen8 Blade Servers

HP Servers are often chosen as VMWare & Hyper-V hosts. To further optimize these “pizza boxes” for their intended purposes, here are the steps to prep these things:

At cold boot, select the “System Options” menu > choose option “Disabled” for each NICs from “Network Boot” capability

“Power Management Options” menu > “HP Power Profile” > select “Maximum Performance”

“Power Management Options” menu > “Advanced Power Management Options” > select “Maximum Performance” for the “Memory Power Savings Mode”

Set the correct date and time in the “Date and Time” menu

“Advanced Options | Advanced System ROM Options” menu > select “Disabled” for the “Power-on Logo

“Advanced Options | Advanced Performance Tuning Options” menu > select “Enabled” for the “ACPI SLIT Preferences”

Also set “Intel Performance Counter Monitor (PCM)”

Proliant Gen9 / Gen10 Servers

⦁ For Synergy Blade Servers the BIOS settings are pre-configured in the Server Profile Template.
⦁ For HPE Synergy Blade servers, use the Composer to create a Server Profile using the ESXi template to apply it to the appropriate server hardware.
⦁ This screenshot provides the expected BIOS settings.

Outlook: How to Rebuild Profile

Remove Existing Profile

Run: control.exe > click on Mail

Click on Show Profiles

Click on Remove > Yes > OK

Purge Local Outlook Folder of all previous files
# run these commands in DOS COMMAND or PowerShell
del /q %LocalAppData%\Microsoft\Outlook\*
for /d %x in (%LocalAppData%\Microsoft\Outlook\*) do @rd /s /q "%x"
Trigger Outlook and re-create profile

Start > Outlook.exe > Follow wizard to create new profile

What Problems Does this Solve?
  1. This one (after the “phantom” DNS record of has been removed):
  2. That one…
    I don’t have a screenshot of a frozen Outlook anymore, but you get the idea.
  3. Crashing Outlook cases that are isolated to certain users.

PowerShell: Script to Stop, Start, Disable, and Enable Exchange Server

This script contains a set of functions to administer Exchange 2010, 2013, 2016, and 3000. However, it will not control Lotus Domino, Open Xchange, or Zimbra.

Usage: paste this into an elevated PowerShell session of an Exchange server. Then, run one of these commands:
- stopExchange
- startExchange
- disableExchange
- enableExchange

$exchangeServices=Get-Service | Where-Object {$_.DisplayName –like "Microsoft Exchange *"};

function stopExchange{
net stop msexchangeadtopology /y
net stop msexchangefba /y
net stop msftesql-exchange /y
net stop msexchangeis /y
net stop msexchangesa /y
net stop iisadmin /y
net stop w3svc /y
$exchangeServices | Stop-Service -Force;

function startExchange{
net start "World Wide Web Publishing Service"
net start "Microsoft Exchange Information Store"
net start "Microsoft Exchange Unified Messaging"
net start "Microsoft Exchange Transport Log Search"
net start "Microsoft Exchange Transport"
net start "Microsoft Exchange Throttling"
net start "Microsoft Exchange Service Host"
net start "Microsoft Exchange RPC Client Access"
net start "Microsoft Exchange Replication"
net start "Microsoft Exchange Mailbox Replication"
net start "Microsoft Exchange Mailbox Assistants"
net start "Microsoft Exchange EdgeSync"
net start "Microsoft Exchange Anti-spam Update"
$exchangeServices | Start-Service;

function disableExchange{
$exchangeServices | Set-Service –StartupType Disable;
$exchangeServices | Get-Service | select -property name,starttype

function enableExchange{
$exchangeServices | Set-Service –StartupType Automatic;
$exchangeServices | Get-Service | select -property name,starttype

Reference Entries of Office 365 records for Internal & External DNS

CNAME: autodiscover 5 minutes (300 seconds)
CNAME: sip 5 minutes
CNAME: lyncdiscover 5 minutes
CNAME: enterpriseregistration 5 minutes
CNAME: enterpriseenrollment 5 minutes
TXT: @ v=spf1 -all 5 minutes
SRV: _sip._tls.@ 100 1 443 5 minutes
SRV: _sipfederationtls._tcp.@ 100 1 5061 5 minutes
MX: <MX-prefix> 5 minutes (Obtain MX-prefix from:
CNAME: imap
CNAME: mail
CNAME: pop
CNAME: smtp
# Quick DNS checkup:
nslookup -type=a
nslookup -type=cname
nslookup -type=a
nslookup -type=cname
nslookup -type=mx
nslookup -type=txt
nslookup -type=srv
nslookup -type=srv

Outlook Error: An Encrypted Connection Not Available


The Fix:

Run: control.exe > click on Mail

Click on Show Profiles

Click on Add

Input a profile name and click OK

Toggle the radio button next to Manual Setup > Next

Select POP or IMAP > Next

Fill out this screen as shown > click More Settings

At the Internet Email Settings window, click on Outgoing Server and copy this configuration > click on Advanced when ready

Fill out the port numbers and other settings > OK

Click Next  > OK > Set this New-Profile as Default > OK

Run Outlook as Normal and allow it some time to download the entire mailbox from the Office 365 Exchange server.

Office 365 Mail Import Using CSV Files

The Point and Click Method

Prepare a CSV file in this format


Access Office 365 Exchange Admin Center > Recipients > Migration > click on the + sign > Migrate to Exchange Online

Select “Remote move migration” > Next

Toggle the radio button next to “Specify the users with a CSV file” > click on Choose File

Navigate to the prepared CSV > select it > Open > Next > Verify the FQDN of migration end point (of the on premise Exchange Edge role or Client Access role with MRS proxy feature enabled) > Next

Name the batch > select the Target delivery domain > set bad item limit as 99999 > Next

Select the time schedule to start the batch (e.g. Automatically start) > select Automatically complete the migration > New

Click OK on this warning

Ignore this notification

Go sip some coffee and check back to this Migration status view periodically

MS Exchange 2010: Mailbox Repair

PowerShell snippet to initiate repair

# set user alias or email addresses here:

foreach ($user in $userAliases){
New-MailboxRepairRequest -Mailbox $user -CorruptionType ProvisionedFolder,SearchFolder,AggregateCounts,Folderview

PowerShell command to monitor progress:

# This command doesn't work
# Get-MailboxRepairRequest -Mailbox $userAlias | Format-List

Use Event Viewer to monitor progress:

Eventvwr.exe > Action > Create Custom View > select “By Source > select “MSExchangeIS Mailbox Store” > Event IDs = 10044,10045,01146,10047,10048,10049,10050,10051,10059,10062 > OK

Give this Custom View a name such as “Get-MailboxRepairRequest” > OK

Navigate to Event Viewer > Custom Views > click on Get-MailboxRepairRequest > check for Event ID 10048 to signify a successful completion of a mailbox repair job

Events IDs:

  • 10047 A mailbox-level repair request started
  • 10064 A Public Folder repair request started
  • 10048 The repair request successfully completed
  • 10050 The mailbox repair request task skipped a mailbox
  • 10059 A database-level repair request started
  • 10062 Corruption was detected

Office 365 User Logon Instructions

How to Access Email via Outlook Web Access (OWA)
  1. Navigate to:
  2. Input the provided username and click ‘Next’
  3. Enter the Windows logon password
  4. Put a check mark next to “Don’t show this again” and click “Yes”
  5. If this if the first time of logging in, this screen will appear. Set the appropriate time zone for the user locality and click ‘Save’
  6. Enjoy Office 365 Mail Access online
How to Access Email Using Outlook
  1. Logon to Windows using normal Active Directory credential
  2. Start Outlook 2016. Since the email account is now hosted on, that credential is required for these types of prompts
  3. If there is another pop-up for the credential, input the same username and password as provided by your System Administrator
  4. Proceed to use Outlook as normal
How to Access Email Using iPhones
  1. Click on the Settings icon

  2. Tap “Mails, Contacts, Calendar”
  3. Add Account
  4. Click on Exchange
  5. Input given credentials and click Next
  6. Change the slider to green for any features to be synchronized
  7. Enjoy sending and receiving emails
How to Access Email Using Android
  1. Open Google Play Store. Search for Outlook for Android and install it.
  2. Run the newly installed Outlook for Android
  3. Go to Settings  > Add Account > Add Email Account.

  4. Enter email address. Tap Continue.

  5. Tap Setup account manually if available, and then on the email provider page choose Exchange and toggle Advanced Settings on.

  6. Enter your server setting details, if available and then tap the checkmark icon.

  7. Server Settings:
    Incoming Server Settings

    • Domain\Username:

    • Password: Use the password that you use to access your email.

    • Server

      • Exchange accounts:

      • Office 365 work or school accounts:

    • Port 
      Try 443 – use 993 if necessary

    • Security type 
      Select SSL/TLS or make sure the Use secure connection (SSL) checkbox is checked, then tap Next.

    8. Outgoing SMTP Server Settings

    • SMTP Server

      • Exchange accounts:

      • Office 365 work or school accounts – Use

    • Security Type 
      Choose TLS.

    • Port Number 
      Enter 587. Tap Next.

  8. You may be prompted to enter your email account password again or agree to/activate any necessary permissions.

  9. Done

On Premise Exchange to Office 365 Migration Using Method: Asynchronous PST Export & Import


1. Hybrid Exchange Migration and Stage Migration methods have been considered and rejected
2. Active Directory Sync has been deployed and on premise users and groups have been synchronized onto Office 365

Export PST of the user > Disable the mailbox within on premise Exchange > Trigger manual Azure AD Sync > Upload the mailbox onto O365 > Wait until mailbox object was updated on O365 without a mailbox feature > Add or reset the user account to trigger creation of new mailbox feature > Import PST to user account’s mailbox
Technical instructions:
Preparation Phase

1. Add all LTD domains onto Office 365
2. Enable relay from local Public IPs to Office 365
4. Create multiple csv files with information on mailbox exporting batches
5. Export on premise Exchange mailboxes to local storage as PST files
6. Install Azure Az Copy
7. Sign up for Azure Storage
8. Add a Global Admin account into “Import Export Management” group, and then add “Import Export Management” into “Organizational Management” group

Pilot Phase

1. Send “batch 1” to Azure Storage
2. Prepare csv files with information on mailbox importing batches
3. Import “batch 1” to Office 365
4. Validate importing success of batch 1
5. Test from inside network > Manually configure email clients (Outlook) to use Office 365 URLs on batch 1 > Confirm successful mail flows (sending and receiving) of email clients of batch 1 accounts
6. Test from outside the network > Manually configure email clients (Outlook) to use Office 365 URLs on batch 1 > Confirm successful mail flows (sending and receiving) of email clients of batch 1 accounts

Roll-back Plan of Pilot Phase
1. Manually reconfigure email clients to use on premise Exchange
2. Confirm successful mail flows of test accounts

Cut-over Phase

1. Make storage & bandwidth calculations
2. Write detailed “run book” on cutover procedure, including Roll-back Plan
3. Practice following the run book to detect potential technical difficulties and time duration feasibility. Make adjustments to run book if necessary.
4. Schedule cutover date and mail outtage time window
5. Obtain approval from Stake Holders that external email access will be unavailable during scheduled cutover
6. Configure internal and external DNS on all top level domains to point to Office 365: MX, SPF, autodiscover, smtp/mail
7. Send “batch 2” to Azure Storage
8. Import batch 2
9. Validate importing success of batch 2
10. Test from inside network > Restart email clients > Confirm successful mail flows (sending and receiving) of email clients of batch 2 accounts
11. Test from outside the network > Restart email clients > Confirm successful mail flows (sending and receiving) of email clients of batch 2 accounts

Roll-back Plan of Cutover Phase
1. Reverse DNS changes
2. Restart all email clients and validate automatic reconnections from inside the network
3. Validate reconnections of email clients from outside the network