Monday, October 27, 2014

Public Folder Migration Error

So when I tried to migrate public folders from Exchange 2007 to 2013, I encountered the following error:

Error: Property expression "xxx xxx" isn't valid.

It appears that for some reason, some mail enabled Public Folders had Alias properties with blanks in them. As we all know, blank or spaces are not allowed in Alias field.

The easiest way to fix this is to launch Public Folder Management Console (from mmc.exe, add snap-in), locate all mail enabled public folder and correct the Alias field.

Tuesday, October 14, 2014

WAAD DirSync - Broken PowerShell

As widely documented, to manually start the Windows Azure Active Directory DirSync (installed as part of the Office 365 deployment), the following PowerShell commands are issued:

Import-Module DirSync


The only trouble is that, when I tried running the PowerShell command "Import-Module DirSync" on my WAAD DirSync server, I get the following error message!

The message says:
Get-Item : Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSOLCoExistence' because it does not exist.

The trouble is, the registry does exist, as proven here:

So what I have done to fix it is:

  1. Navigate to your WAAD DirSync install path, typically "C:\Program Files\Windows Azure Active Directory Sync\DirSync\"
  2. In there, there should be a file named "ImportModules.ps1"
  3. Open the file and replace the second line with "$DirSyncInstallPath = "C:\Program Files\Windows Azure Active Directory Sync\"
  4. Save the file, and now you can run "Import-Module DirSync" with no problems.
The resultant file should look like the following (ignore the filename in the picture, it should named  ImportModules.ps1):

Friday, October 10, 2014

Exchange 2013 CU6 Beware!

Exchange 2013 CU6 have several bugs at the moment:

  1. Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007 -
  2. You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6 -
  3. Hybrid deployment's centralized mail transport doesn't work (when you want to route all Internet bound emails - including users located in Office 365 to your on premise Exchange Server 2013) -

First 2 problems are currently fixed via an combined interim update "Exchange2013-KB2997209_2997847-x64-en.msp", and the third problem currently only has a workaround. Please contact Microsoft directly for the patch - the support call is free of charge.

Regarding problem one, even though we have migrated everyone across to Exchange 2013, the ExchangeIS keeps crashing at soon as the users logon to their mailbox (not after the mailbox is migrated). This is particularly annoying as you wouldn't know that you have the problem until users actually start accessing their mailbox.

Wednesday, October 08, 2014

Hybrid Deployment - Route all emails (including Internet bound email from Office 365 users) to On Premise

There will be situation where the client wants to route all emails (including the ones from Office 365 users to the Internet) to on premise Exchange server first, before sending it out. The most common reason is for centralised tracking and quarantining.

To perform this, during HCW, you would pick the option "Enable centralized mail transport" during the HCW wizard, i.e.:

The only problem is that, when an Office 365 user sends an email to any Internet recipient, it would fail with NDR - "5.7.1 Unable to relay". Further examining the NDR, it would seem that the On Prem Exchange Server (in my case - Exchange 2013 CU6) is rejecting the email relay.

The only article I can find that relates to this problem is here (, but I couldn't find the receive connector named "Inbound from Office 365" on my Exchange 2013. See below:

So apparently, Exchange 2007 HCW creates a new receive connector called "Inbound from Office 365" and Exchange 2013 HCW just reconfigures the "Default Front End servername" receive connector with TLS authentication with Exchange Online Protection, as seen in the following HCW log entry:

[10/06/2014 13:36:21]    INFO : Session=OnPrem Cmdlet=Set-ReceiveConnector -Identity 'ServerName\Default Frontend ServerName' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=, O=", Inc.", L=Scottsdale, S=Arizona, C=USCN=*, O=Company Name' -TLSDomainCapabilities 'CN=MSIT Machine Auth CA 2, DC=redmond, DC=corp, DC=microsoft,, OU=Forefront Online Protection for Exchange, O=Microsoft, L=Redmond, S=WA, C=US:AcceptCloudServicesMail' START

With Exchange 2013 CU6, it seems like there is a bug that relay is not enabled on the "Default Frontend" receive connector.

According to the Microsoft engineer, it is a bug that has been highlighted to the product group.

So to fix the problem, I just need to issue the command and the problem is fixed:

Get-ReceiveConnector "ServerName\Default Frontend ServerName" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Monday, October 06, 2014

Exchange 2013 Hybrid Configuration Wizard Failing

I couldn't get the Hybrid configuration wizard working. The moment after I sign into Office 365, I get the following error:

HTTP Error 500.19 - Internal Server Error
Absolute physical path "C:\inetpub\custerr\C:\inetpub\custerr" is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.

Screenshot here:

Looking up and down the Internet, I could not find any useful clue at all. Out of the whim, I decided to move the mailbox that my admin account is associated with to Exchange 2013 and problem fixed!

Hopefully this is useful for some other poor folks with the same problem.

There are a lot of discussions about Exchange 2013 CU6 causing co-existence and hybrid problems but I do not this has been documented before.

ActiveSync and AdminSIDHolder

This one is an oldie but wanted to write a little bit about it here. Basically, mailboxes with Domain Admin privilege (and some other admin type group memberships) cannot initiate ActiveSync once their mailbox is moved from Exchange 2007 to 2013.

The following log entry is observed in Exchange 2013:

Log Name:      Application
Source:        MSExchange ActiveSync
Date:          6/10/2014 6:27:44 PM
Event ID:      1053
Task Category: Configuration
Level:         Error
Keywords:      Classic
User:          N/A
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=User Name,OU=IT,OU=Administration,DC=company,DC=com" container under Active Directory user "Active Directory operation failed on This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.

Also, from exRCA:

Attempting the FolderSync command failed.
Exchange ActiveSync returned an HTTP 500 response (Internal Server Error)

There are two ways to fix this, either by passing security on AdminSIDHolder by granting the required ActiveSync permissions on it, or make the changes on every privileged user's (usually domain admin) AD account - but caveat is that the user might make the ActiveSync directory sync within the hour, or AdminSIDHolder will kick in the original settings again.

1. AdminSIDHolder "fix"/bypass -

REM This user permissions
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevices"

REM Descendant msExchActiveSyncDevices objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevices"
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:CCDC;msExchActiveSyncDevice;msExchActiveSyncDevices"

REM Descendant msExchActiveSyncDevice objects
dsacls "CN=AdminSDHolder,CN=System,DC=MYDOMAIN,DC=COM" /I:S /G "MYDOMAIN\Exchange Servers:LCRPWPRCWD;;msExchActiveSyncDevice"

2. Per user setting - but be quick! Setup ActiveSync within the hour -

  • Launch ADUC and make sure Advanced View is enabled
  • Right-click the user account and go to Properties
  • Click the Security tab, then click Advanced
  • Check the Include inheritable permission.... checkbox
  • OK out of all the dialog boxes
  • Sync your device

Sigh - Outlook Anywhere Exchange 2007 not playing nice with Exchange 2013

OK, now it's Outlook Anywhere's turn to go wonky. Users on Ex2007 is reporting that they cannot access Outlook externally.

exRCA returned an error:

RPC Proxy can't be pinged.

Additional Details

An unexpected network-level exception was encountered. Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
Elapsed Time: 280 ms. 

To make the long story short, the authentication method for Outlook Anywhere has to be set to NTLM on both Ex2013 and Ex2007. Again, just like the previously mentioned ActiveSync and OWA virtual directory issues, I had to reconfigure Outlook Anywhere.

  1. Disable Outlook Anywhere (
  2. Enable Outlook Anywhere - only performing the step under "To use the Exchange Management Console to enable Outlook Anywhere" (
Re configuring Outlook Anywhere will need 15 minutes to take effect. Watch the event viewer for the following entry:

Event Type: Information
Event Source: MSExchange RPC Over HTTP Autoconfig
Event Category: General 
Event ID: 3003
Date: 6/10/2014
Time: 10:50:51 AM
User: N/A
The Outlook Anywhere authentication settings have been updated.

Old settings: Ntlm
New settings: Basic

For more information, see Help and Support Center at

This article provides an extremely friendly insight that I could not find elsewhere:

The parts that struck me was:

  1. Note the two different authentication settings that are listed.  ClientAuthenticationMethod and IISAuthenticationMethods.   For the detail oriented people out there, you saw that one was plural and the other singular.
  2. Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange is properly configured.  The same consistent OA client authentication scheme should be deployed on legacy CAS and CAS 2013
  3. Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate MUST include NTLM auth.
Therefore, I have also additionally set the IISAuthenticationMethods to NTLM as well (it was Basic only for some reason)

Set-OutlookAnywhere -Identity 'ExchangeServer\Rpc (Default Web Site)' -ClientAuthenticationMethod Basic -SSLOffloading $False –ExternalHostName -IISAuthenticationMethods NTLM, Basic

Exchange 2007 OWA not playing nice with Exchange 2013 for redirection

As part of Exchange 2007 & 2013 co-existence, to provide seamless OWA login for both users having mailboxes in either Exchange environment, the typical Microsoft prescribed method of OWA redirection was deployed  -

As the customer was using ISA Server 2006, the first thing is to bypass that and change Exchange 2007 OWA into Forms Based Authentication (FBA). It was set to Basic Authentication previously to support ISA 2006 publishing.

Here comes the trouble, after logging in from OWA 2013, the following error message was displayed:

440 Login Timeout

We tried numerous things, including changing the authentication methods in IIS7 for OWA, but none worked.

The only way that we managed to get it working is to re-create the OWA virtual directories following the article ( Only trouble is, although all the virtual directories were deleted and recreated successfully, the /OWA virtual directory would not come up! When the PowerShell cmdllet was ran, an obscure error message popped out (sorry I didn't have screenshot), basically saying that is has no access to Active Directory.

Did a few things and none worked (including forceing AD replication "repadmin /syncall"),

More Internet searching came out with this solution  ( - but just as I was going to recreate the OWA container, I tried re-running the New-OWAVirtualDirectory cmdlet (not retyping it, just running the command history to repeat the command) and it worked.

I have no idea why only the /OWA virtual directory have this problem (/Exchange, /public/ and /exchweb had no such issue) - but I guess sometime button meshing does make sense.

Oh well, onward we go.

Friday, October 03, 2014

Exchange 2007 ActiveSync not playing nice with co-existence with Exchange 2013

This project that I am working on is giving me one gold nugget after another...  Anyway, so we are trying to setup co-existence between Exchange 2013 and 2007, and we stumbled into this issue.

Exchange 2013 does not seem want to proxy ActiveSync request for users still having mailbox on Exchange 2007. When testing Exchange Connectivity Test (, the error returned was:

An HTTP 500 response was returned from IIS7.

It seems that it's Exchange 2007 at fault here. The only way to fix it is to recreate the ActiveSync virtual directory on Exchange 2007, using the following PowerShell commands:

Remove-ActiveSyncVirtualDirectory -Identity "EXCHANGEServer\Microsoft-Server-ActiveSync (Default Web Site)" -Confirm:$false

New-ActiveSyncVirtualDirectory -WebsiteName "Default Web Site" -InternalUrl "" -ExternalAuthenticationMethods Basic -InternalAuthenticationMethods Basic

The Exchange 2007 Microsoft-Server-ActiveSync virtual directory must be corrupted along the way. 

Exchange 2013 - Problems Relocating Log Path

After one of the Exchange 2013 database got dismounted due to insufficient log space, I've done the typical "ESEUTIL /MK" command to move the transaction log files as any self respecting Exchange Administrator would do. After mounting the database, I issued the following PowerShell command to move the log path for that database to a larger drive:

move-databasepath "DatabaseName" -LogFolderPath "G:\BiggerExchangeLogs\"

The PowerShell would start and then awkwardly dump me back to the prompt without any message.

So I did some searching and came up with the following solution:

Dismount-Database –identity "DatabaseName" -verbose

Move-DatabasePath –identity "DatabaseName" –logFolderPath –configurationOnly:$TRUE –verbose

ROBOCOPY /MOVE /XD *Catalog* /XF *.edb

Mount-Database –identity "DatabaseName" –verbose

Dismount-Database –identity "DatabaseName" -verbose

Although the article is to fix another bug in Exchange 2010, it worked perfectly in Exchange 2013 CU6 for this purpose.


Wednesday, October 01, 2014

Fido what?

Nope, this has nothing to do with Fido Dido.

I've been working on this Exchange 2013 Hybrid deployment when I came across this when accessing OWA from IE11/Win8.1.

After I sign on (Exchange 2013 FBA), OWA briefly loads and then crashes with the following error message:

X-OWA-Error: ClientError;exMsg='fidoCallback' is undefined;file=
X-OWA-Version: 15.0.995.29
X-BEServer: null

Scouring the Internet, I could not find any reference to "fidoCallback" relating to OWA, but there were some other suggestions relating to Office 365 OWA crashing in similar fashion (but no reference to fidoCallback):

  1. Clearing the cache (d'oh - first thing that anyone would try)
  2. Reset IE's security setting to default (under Advanced tab, not Security tab)
  3. Try InPrivate browsing
  4. Make sure "Enable XMLHTTP Support" is enabled
None of them worked. I thought I was going mad as I got some other people to try it out as well, same Win8.1 and IE11. All of them worked.

Then I came across an article that talked about setting IE as the default browser -  (I use Chrome almost exclusively - which can access OWA without a problem) and it worked. Bizarre! To set IE as default, Start > Search > Default Programs > Set your default programs > Internet Explore > Set this program as default. Restarted my computer and voila!

I can't understand why this is happening, and I might ring up Microsoft if this persists. Keep posted!

Thursday, September 04, 2014

HOST Files Shortcut!

You can't imagine how many times in a day that I had to change settings in my host file to test sites that are not in production yet. This article is lifesaver!

Basically, create a Windows shortcut to:

notepad c:\windows\system32\drivers\etc\hosts

And then change the Properties > Shortcut tab > Advanced > Run as Administrator:



It's just one of those stupid things that I should have done long ago.


Wednesday, August 27, 2014

Another Printer Tip! Extend Brother starter toner life

Or strictly saying, reset the print counter so tell the Brother printer to continue to print. Enjoy!

Reset the low toner message for HL Series printers

These steps will help you reset the low toner message:
1. Open front door
2. Turn off printer
3. While holding down the GO button, turn printer back on
4. When all four LEDs light up release GO button. All LEDs will turn off
5. Press the GO button 2 times. The 3 LEDs (toner, drum, paper) will light up solid
6. Press the GO button 5 times
7. Paper light will be blinking
8. At this point the toner end-of-life condition has been reset. Close front door.
*Also, just a reminder, timing is important here so don’t pause between button presses*

Monday, August 11, 2014

Lenovo Thinkpad T440p

So I have left ISA Technologies and joined Readify, and they have a cool budget for every consultant to pick their own laptop. So I was mulling between getting a MacBook Pro 13/15 or some Windows laptop. As I have learnt myself (and from many others) that the keyboard layout in the Mac would not bode well with Windows, I decided to go down the rabbit hole in search for a decent Windows laptop.

I have pretty much narrowed down the brand to:

Lenovo - thanks to it's Thinkpad reputation
Asus - heard a lot of good things and price point advantage over others. But decided against it after speaking to Funj - failure rate is quite high.
Toshiba - next to IBM Thinkpads, Toshiba is well known for it's reliability and high engineering as well
Sony - they do make great laptops, but too bad Sony decided to drop the Vaio line and stop making/developing the Vaio product line.

So, it's down to Lenovo vs Toshiba. Went around the usual suspects (TGG, JB, DSE) and play around with a few. Everyone has high regards of the Lenogo Yoga Pro 2, and it looks great on paper. Super high res screen, thin, 8GB RAM/256GB SSD, nice keyboard. Seems to tick all the boxes....until I tried typing on it. All is well until I try to hit the backspace. What a disappointment. Why did Lenovo had to shrink the backspace key down to a non standard size. I keep missing it and hitting the "\" key instead. Eliminated!

Next up, the Toshiba Kirabook - it's very MacBook Air like, and even has a super high res display. All boxes are ticked as well. But I thought about it again and I am going to get a workhorse and will need to survive the abuse of a consultant, so I decided against getting a Ultrabook.

Back to square one - Lenovo Thinkpads. I have always wanted an IBM Thinkpad back in the days, so this seems like a good compromise.

Now here comes the headache - for around $2000 dollars, there are several Thinkpads to choose from. namely:

  1. T440 - eliminated because the highest resolution was 900 lines - lame.
  2. T440s - eliminated because although it's lighter than T440p, it's so much more expensive (almost $2.4K speced up)
  3. X1 Carbon - eliminated because the screen was too high of a resolution and apparently the keyboard is not as good as the T440 series
  4. T440p - finally decided on this. 1080p screen, backlit keyboard, 16GB/256GB SSD, ultrabay for 2nd hard drive, Ultra dock.

Anyway - here is a gist of difference of the T440x series:
  1. T440p = p for powah! Better CPU choices, more upgradability
  2. T440s = s for slim, but costly and uses slower CPUs (mobile series)
  3. T440 = entry version, almost identical to T440p but not as sturdy (no carbon fiber base), and standard 900 lines display.

There you go, here is my new workhorse for the next 2 years :)

Das Keyboard 4 Professional MX Brown

Finally pulled the trigger after for many years wanting a mechanical keyboard. Settled on the Das Keyboard 4 Professional MX Brown. Phew, that's sure a mouth full. Basically it's the 4th Generation Das keyboard, Professional as it has lettering printed on each key, compared to the Ultimate, which is the same keyboard - but it's blank without any prints on the key caps. I also chose MX Brown, which is the non-clicky type of switches. Saying that, it's still pretty loud compared to the rest of the keyboards I own (all membrane based).
Here is a sample of how much better I can type 5 minutes taking the keyboard out of the box:

Not too bad huh?
The keyboard is built like a tank, which is how I like all my things to be - unbreakable (Although Sean would disagree with my Volkswagen choice)....

Wednesday, February 19, 2014

Windows 8 / 8.1 Memory Problems

This might be an oldie but it's not something that I thought could happen to me.

So slightly related to the last post, after fixing the Immersive Shell DCOM issue, my computer BSODed once more, but this time with slightly different error code "MEMORY_MANAGEMENT", which prompted me to think this might be a hardware issue.

Finally came across this - and true enough, one of my 2 x 8GB Corsair Vengeance C9 1600 DIMM units is faulty. Got it replaced with PLE and fingers cross hopefully no more BSODs!

Wednesday, February 12, 2014

My Windows 8 / 8.1 installation have been BSODing on me since I bought my new gaming PC. Took me a while but eventually tracked down to the "faulty" Immersive Shell component - aka Modern UI, aka Metro UI.

The following article saved my bacon. There are various of other articles, but the this is the correct one, as it points you to change the permission on the following registry key.


Some other article points you to HKEY_CLASSES_ROOT\ClsID but that doesn't work.

Here is the article: