Importing certificate in Exchange 2013 from Exchange 2010

By admin on June 29th, 2013

I very often hear comments like “I don’t like certificates” and realize that if you are not working with “certs” all day long it can be a hassle to get everything you need in the right place. So I thought I’d share some of my experiences with certificates and then a short “how to import” them.

The best way to decide which host names should be in a cert (for Exchange) is to find out what names you are using for your different services. Below you see a table of all services in Exchange 2013 that could need a certificate.

Service                  Internal URL                    External URL
Autodiscover             Autodiscover.mailmasterlab.se   Autodiscover.mailmasterlab.se
Exchange Web Services    cas.mailmasterlab.se            mail.mailmasterlab.se
Active Sync              cas.mailmasterlab.se            mail.mailmasterlab.se
Outlook Web App          cas.mailmasterlab.se            mail.mailmasterlab.se
Offline Address Book     cas.mailmasterlab.se            mail.mailmasterlab.se
Exchange Control Panel   cas.mailmasterlab.se            mail.mailmasterlab.se
Outlook Anywhere         cas.mailmasterlab.se            mail.mailmasterlab.se
I filled in typical values that could be valid in a split DNS scenario, but you should find your own values! And to be clear, it’s not a huge thing to change a value (URL): as long as you have Autodiscover set up properly, your clients will get your new configuration and use that.

To have a certificate to import I will start by exporting a certificate from Exchange 2010. This could be done via the Exchange Management Shell or a GUI, but to make things crystal clear I will show you a GUI-based way.

  • First, open up an MMC on a server where you have the certificate.
  • Add the snap-in for Certificates.
  • Select “Computer account”.
  • Select “Local computer”.
  • Navigate to Personal, Certificates.
  • Then you should see something similar to the screenshot below (it’s possible you have more entries than me).
  • Select the certificate you need, right-click on it, go to All Tasks and select Export.
  • It’s critical that you select “Yes, export the private key”.
  • Choose the format you want to export your certificate to.
  • In Windows 2012 you can set permissions to a group or user, but in older versions of Windows you won’t have this option, so I go for Password.
  • Choose a file name and save your certificate.
  • Hit Next and Finish and your cert is exported. With that we can import it in Exchange 2013.
  • Open up your favorite browser on your Exchange 2013 server and enter the address https://localhost/ecp
  • That will take you to the Exchange Admin Center logon page.
  • If you get a sad face and “something went wrong”, it’s most likely because the mailbox you just logged on with has not yet been moved to Exchange 2013.
  • Don’t worry about that; change the URL to https://localhost/ecp?ExchClientVer=15 and you should see the EAC.
  • Navigate to Servers and then Certificate, hit the three dots (…) and go for Import certificate.
  • Enter the UNC path to where you exported the certificate and enter the password.
  • Choose the servers you want to import the certificate to.
  • Now your certificate is imported, but it’s not yet assigned to any services, so let’s do that as well!
  • Mark your certificate and click Edit (the pencil icon).
  • Go to Services and select the services you want to use the cert for.
  • It’s likely that you will be presented with a warning about overwriting the current certificate; click Yes.
  • That’s it, happy SSL!
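The export, import and assign steps above done from the Exchange Management Shell rather than the GUI, as an added example that is not code from the original post. Step 1 runs in the Exchange 2010 shell and the rest in the Exchange 2013 shell; the thumbprint, the UNC path and the server name are placeholder assumptions, and the name check reads the same service URLs the table above lists.

```powershell
# Added example, not code from the original post: the export / import / assign
# steps above done in the Exchange Management Shell, plus a check that the cert
# covers the host names the 2013 server uses. Placeholders: thumbprint, path, server.
$SourceThumbprint = 'REPLACE-WITH-THUMBPRINT-FROM-GET-EXCHANGECERTIFICATE'
$PfxPath          = '\\fileserver\certs\mail.pfx'   # placeholder UNC path
$TargetServer     = 'EX2013-01'                     # placeholder 2013 server
$PfxPassword      = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. On the Exchange 2010 shell: export as binary PKCS#12, private key included.
$exported = Export-ExchangeCertificate -Thumbprint $SourceThumbprint `
    -BinaryEncoded -Password $PfxPassword
Set-Content -Path $PfxPath -Value $exported.FileData -Encoding Byte

# 2. On the Exchange 2013 shell: import the PFX onto the target server.
$imported = Import-ExchangeCertificate -Server $TargetServer -Password $PfxPassword `
    -FileData ([Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate -Server $TargetServer -Thumbprint $imported.Thumbprint

# 3. Host names in use for the services in the table above.
$urls = @((Get-ClientAccessServer -Identity $TargetServer).AutoDiscoverServiceInternalUri)
foreach ($vdir in @(Get-WebServicesVirtualDirectory -Server $TargetServer) +
                  @(Get-ActiveSyncVirtualDirectory  -Server $TargetServer) +
                  @(Get-OwaVirtualDirectory         -Server $TargetServer) +
                  @(Get-OabVirtualDirectory         -Server $TargetServer) +
                  @(Get-EcpVirtualDirectory         -Server $TargetServer)) {
    $urls += $vdir.InternalUrl, $vdir.ExternalUrl
}
$oa    = Get-OutlookAnywhere -Server $TargetServer
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host }) +
         @("$($oa.InternalHostname)", "$($oa.ExternalHostname)")
$hosts = $hosts | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 4. Each host name must match a certificate name; a wildcard covers one label only.
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = $hosts | Where-Object {
    $h = $_
    -not ($sans | Where-Object {
        $_ -eq $h -or ($_.StartsWith('*.') -and
                       $h -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
    })
}
if ($missing) {
    Write-Warning "Certificate does not cover: $($missing -join ', ')"
    return   # fix the SAN list or the URLs before assigning the certificate
}

# 5. Assign it to IIS (OWA, EWS, EAS, OAB, ECP, Autodiscover) and SMTP.
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $cert.Thumbprint `
    -Services IIS,SMTP -Force
```

Run step 5 only after the name check passes; an assigned certificate that lacks a name the clients connect to produces the same certificate warnings the post is trying to avoid.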

Enable viewing of meeting organizer fails in Exchange 2010

By admin on April 12th, 2013

On site with a customer today I was asked to provide all bookings of room mailboxes with a note about who the organizer was. No big deal, there’s a feature for that called “Add the organizer’s name to subject” on room mailboxes, see below.

Said and done, it was set on all room mailboxes and I tested by booking a meeting. To my surprise the subject was not changed and no organizer was added, as seen below.

After a session with Bing I found a note about this on the TechNet Forum and tried adding a distribution group to the list of who is allowed to book the room. In my case I ran:

Get-Mailbox -RecipientTypeDetails RoomMailbox | Set-CalendarProcessing -AllBookInPolicy $false -BookInPolicy mailmasterlab_all

And as soon as the command was finished I ran:

Get-Mailbox -RecipientTypeDetails RoomMailbox | Set-CalendarProcessing -AllBookInPolicy $true

After this the organizer’s name is added to the subject.

My Exchange 2010 Server was a fresh install of Exchange 2010 Service Pack 3.

Exchange 2010 SP3 released!

By admin on February 12th, 2013

Update: Please note that Exchange 2010 SP3 adds support for coexistence with Exchange 2013 Cumulative Update 1 (to be released in Q1 2013). The text below has been changed to reflect that.

It’s been an evening full of updates! It seems Microsoft saved the best for last, since Exchange 2010 Service Pack 3 was released minutes ago (just beaten by Update Rollup 10 for Exchange 2007 SP3 and Update Rollup 6 for Exchange 2010 SP2).

The big news in Exchange 2010 Service Pack 3 is of course the ability to coexist with Exchange 2013 CU1, but let’s not forget the support for running Exchange 2010 on Windows Server 2012, which can save a bit of money when running a DAG. As mentioned above, Exchange 2013 CU1 will be released in Q1 and it’s the first release under the new update model for Exchange 2013.

I suggest you take a good look at the Release Notes for Service Pack 3, but I would like to point out the following:

  • Exchange 2010 SP3 makes updates to the Active Directory schema.
  • The database schema has been updated in Exchange 2010 SP3. As a result, when Mailbox servers are upgraded to Exchange 2010 SP3, the databases are upgraded to the Exchange 2010 SP3 version of the database schema. After a database has been updated to the Exchange 2010 SP3 schema, it can’t be mounted on a pre-Exchange 2010 SP3 Mailbox server.

On the following links you can download Exchange 2010 Service Pack 3, read What’s New in Exchange 2010 SP3 and don’t forget to check out the blog post at MSExchangeTeam about SP3.

I will be back with more info on how to upgrade and on coexistence soon!

Update Rollup 6 for Exchange 2010 SP2

By admin on February 12th, 2013

Today Microsoft released Update Rollup 6 for Exchange Server 2010 Service Pack 2. I have installed it on two servers without any issues, but I suggest you test all updates in your lab before you install.

Download: Update Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164)

A detailed description of fixes:

Update Rollup 6 for Exchange Server 2010 SP2 addresses the vulnerabilities that are described in Microsoft Security Bulletin MS13-012.

This update also resolves the following issues:

  • 2489941 The "legacyExchangeDN" value is shown in the "From" field instead of the "Simple Display Name" in an email message in an Exchange Server 2010 environment

  • 2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment

  • 2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment

  • 2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment

  • 2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment

  • 2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment

  • 2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server

  • 2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server

  • 2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment

  • 2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment

  • 2760999 "The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain" error message when you use the Hybrid Configuration wizard in an Exchange Server

  • 2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment

  • 2779387 Duplicated email messages are displayed in the Sent Items folder in an EWS-based application that accesses an Exchange Server 2010 Mailbox server

  • 2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment

  • 2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment

  • 2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment

  • 2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment

  • 2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment

  • 2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment

  • 2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment

  • 2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment

  • 2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server

  • 2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment

  • 2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later

  • 2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server

  • 2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment

  • 2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization

  • 2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment

  • 2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes

  • 2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment

  • 2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2

Released: Update Rollup 4 for Exchange Server 2010 Service Pack 2

By admin on August 14th, 2012

Update Rollup 4 for Exchange Server 2010 Service Pack 2 has been released and I have already downloaded and installed it on a multi-role server without issues. The only issue right now is that KB2706690, which describes all changes, seems to be unavailable at the moment, but I guess that will be fixed soon.

Download Update Rollup 4 for Exchange Server 2010 Service Pack 2 here.

Microsoft Security Advisory (2737111) and Exchange Outlook Web App Mailbox Policies

By admin on July 29th, 2012

Last week Microsoft published Microsoft Security Advisory (2737111). In short, it says that in Outlook Web Access in Exchange 2007 and Exchange 2010 it is possible, under certain conditions, for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file.

The workaround for this issue is to disable Web Ready Document Viewing on the Outlook Web App virtual directory. But if you have applied an Outlook Web App Mailbox Policy and assigned it to users, the workaround described won’t be enough. As you can read in Understanding Outlook Web App Mailbox Policies, it clearly states that:

“When an Outlook Web App mailbox policy is applied to a mailbox, it will override the settings of the virtual directory.”

Effectively this means that if you disable Web Ready Document Viewing on the Outlook Web App virtual directory, your users who have an Outlook Web App Mailbox Policy assigned might still be affected by this issue. The default value for Web Ready Document Viewing is enabled, so if you haven’t specifically turned it off, users are affected. To check whether you have any users with an assigned OWA Mailbox Policy, run the following command in the Exchange Management Shell:

Get-CASMailbox -ResultSize Unlimited | Where {$_.OWAMailboxPolicy -ne $null}

To disable Web Ready Document Viewing for all OWA Mailbox Policies run:

Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False
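An added audit script, not from the original post, that reports where Web Ready Document Viewing is still effectively on (the policy setting overrides the virtual directory setting, as quoted above) and then disables it on both layers. The cmdlets and parameter names are the Exchange 2010 ones; the function name Test-WebReadyEnabled is my own.

```powershell
# Added example, not from the original post: audit where Web Ready Document
# Viewing is still effectively enabled (policies override the vdir setting),
# then turn it off on every OWA virtual directory and every OWA mailbox policy.
$webReadyProps = 'WebReadyDocumentViewingOnPublicComputersEnabled',
                 'WebReadyDocumentViewingOnPrivateComputersEnabled'

function Test-WebReadyEnabled($obj) {
    # True if either the public- or the private-computer setting is still on.
    [bool]($webReadyProps | Where-Object { $obj.$_ })
}

# 1. Virtual directories: the setting users without a policy get.
$vdirs = Get-OwaVirtualDirectory
$vdirs | Select-Object Server, Name, $webReadyProps | Format-Table -AutoSize

# 2. Policies override the vdir, so count the mailboxes each policy applies to.
$byPolicy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $null -ne $_.OWAMailboxPolicy } |
    Group-Object -Property { $_.OWAMailboxPolicy.Name } -AsHashTable -AsString
foreach ($policy in Get-OWAMailboxPolicy) {
    $count = 0
    if ($byPolicy -and $byPolicy.ContainsKey($policy.Name)) { $count = $byPolicy[$policy.Name].Count }
    if (Test-WebReadyEnabled $policy) {
        Write-Warning ("Policy '{0}' still has Web Ready Document Viewing on; {1} mailbox(es) affected" -f $policy.Name, $count)
    }
}

# 3. Remediate both layers. Review with -WhatIf first, then run without it.
$off = @{
    WebReadyDocumentViewingOnPublicComputersEnabled  = $false
    WebReadyDocumentViewingOnPrivateComputersEnabled = $false
}
$vdirs | Set-OwaVirtualDirectory @off -WhatIf
Get-OWAMailboxPolicy | Set-OWAMailboxPolicy @off -WhatIf
```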

Update: This issue is solved in Update Rollup 4 for Exchange Server 2010 Service Pack 2.