Many of us now publish OWA through Microsoft Forefront Threat Management Gateway to get the best protection for it. In this pair of articles I cover how to do the following:

  • Publish Outlook Web App using TMG 2010
  • Configure OWA redirection (implementing URL simplification for users)
  • Achieve HTTP to HTTPS redirection using a TMG 2010 rule
My lab consists of:
Exchange Server 2010 (all 3 roles on one server) - 1
Forefront Threat Management Gateway (TMG) - 1, with a single NIC.
When you use TMG with 2 NICs, the publishing rules are created on the External listener instead.

Publish Exchange 2010 OWA on TMG 2010

Before you start creating the publishing rule in TMG, some authentication changes need to be completed on the Exchange Server 2010 that will be used as the internal CAS server in the TMG configuration.

Set-OwaVirtualDirectory -id <CASServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
set-EcpVirtualdirectory -id <CASServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false

Note - It is always recommended to capture the existing configuration with the corresponding "Get-" cmdlet before changing the authentication settings, so that you can set it back to the previous settings if you run into an issue while creating the publishing rule. For example, for the OWA virtual directory, run "Get-OwaVirtualDirectory | fl name,*auth*" to get the current authentication settings; likewise for the others. Also, if you have more than one virtual directory of each type, give the correct identity instead of the "*" wildcard that I used in my lab.
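To make the "capture before you change" advice concrete, here is a small script (an added example, not part of the original post) that snapshots the OWA and ECP authentication settings to disk, applies the same change as the two Set- cmdlets above to one CAS, and restores the snapshot on demand. It assumes the Exchange 2010 Management Shell, the default virtual directory naming "<server>\owa (Default Web Site)", and a placeholder backup folder C:\TMGPrep.

```powershell
# Added example (not from the original post): snapshot OWA/ECP authentication settings before
# changing them for TMG, apply the change, and restore the snapshot if the rule does not work out.
# Assumptions: Exchange 2010 Management Shell; C:\TMGPrep is a placeholder folder; the virtual
# directory identities follow the default "<server>\owa (Default Web Site)" naming.
$BackupFolder = "C:\TMGPrep"
if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }

function Backup-CasAuthSettings {
    # Keep the identity plus the three properties the change touches, so the restore is exact
    Get-OwaVirtualDirectory |
        Select-Object @{n="Identity";e={$_.Identity.ToString()}}, BasicAuthentication, WindowsAuthentication, FormsAuthentication |
        Export-Clixml (Join-Path $BackupFolder "owa-auth.xml")
    Get-EcpVirtualDirectory |
        Select-Object @{n="Identity";e={$_.Identity.ToString()}}, BasicAuthentication, WindowsAuthentication, FormsAuthentication |
        Export-Clixml (Join-Path $BackupFolder "ecp-auth.xml")
}

function Set-CasAuthForTmg {
    # Same change as the two cmdlets in the post, limited to the CAS that TMG forwards to
    param([string]$CasServer)
    Set-OwaVirtualDirectory -Identity "$CasServer\owa (Default Web Site)" -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
    Set-EcpVirtualDirectory -Identity "$CasServer\ecp (Default Web Site)" -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
}

function Restore-CasAuthSettings {
    # Apply each saved combination in a single call, so Exchange validates the set of methods together
    foreach ($v in (Import-Clixml (Join-Path $BackupFolder "owa-auth.xml"))) {
        Set-OwaVirtualDirectory -Identity $v.Identity -BasicAuthentication $v.BasicAuthentication -WindowsAuthentication $v.WindowsAuthentication -FormsAuthentication $v.FormsAuthentication
    }
    foreach ($v in (Import-Clixml (Join-Path $BackupFolder "ecp-auth.xml"))) {
        Set-EcpVirtualDirectory -Identity $v.Identity -BasicAuthentication $v.BasicAuthentication -WindowsAuthentication $v.WindowsAuthentication -FormsAuthentication $v.FormsAuthentication
    }
}

Backup-CasAuthSettings
Set-CasAuthForTmg -CasServer "CASServer"   # placeholder: the internal CAS name used in the TMG rule
# Restore-CasAuthSettings                  # run this to roll back to the snapshot
```

The snapshot is taken for every OWA and ECP virtual directory in the org, while the change is applied only to the one CAS that TMG will forward to, which is also why the restore loops over the saved identities rather than using the "*" wildcard.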

You also need to import the certificate into the TMG server certificate store. The certificate has to be generated from an Exchange server; I will not cover the details here.

  • Open Forefront TMG and locate Firewall Policy in the left pane
  • In the action pane on the right side, click Publish Exchange Web Client Access
  • Name it Exchange 2010 OWA and click Next
  • On Exchange version, select Exchange Server 2010; under web client mail services select Outlook Web Access and click Next


  • Select the appropriate Publishing Type (I selected the single website or load balancer option) and click Next


  • Select Use SSL on Server Connectivity Security


  • On Internal Site Name, enter the CAS server name to which TMG should forward the requests.


  • On Accept Request for, select “This domain name (type below)” option and then type the external OWA URL as shown below.


  • Now it is time to create the listener: click New, type a name (I gave OWA FBA, i.e. form based authentication) and click Next.
  • On Client Connectivity Security, select Require SSL secured connections with clients and click Next
  • On Web Listener IP Address, select Internal (I only have a single NIC on the server), and select the IP by clicking the button Select IP Addresses…


  • On Listener SSL Certificate, select the installed certificate



  • On Authentication Settings, select HTML Form Authentication and then Windows (Active Directory) option


You may ignore the SSO settings, because Basic Authentication can be configured on Exchange OWA and the double authentication can be bypassed. Continue the wizard and click Finish. The listener is created; now select it.


  • Set the authentication mechanism to Basic Authentication and click Next
  • On the next page ensure that the rule applies to “All Authenticated Users”, then continue the wizard and finish it.

Now you have finished publishing OWA on TMG. The publishing rule can now be tested as shown below,


All looks fine.

It is time to create the OWA redirection rules in TMG; Part 2 of this article covers the OWA redirection rule creation.

Read - Publish OWA in TMG 2010 and Configure OWA Redirection – Part 2


I have scripted Prepare-MoveRequest and New-MoveRequest together to ease the process of cross-forest mailbox migration. All you need to provide is the PrimarySMTP address of each user you wish to migrate, in the input file. The script itself is self-explanatory.

This script will only work if the target users are already mail enabled. If you have not done that, please read my previous post about preparing the target forest mail users for the migration.

Cross Forest Migration GAL Preparation - Exchange 2007 to 2010

If you are ready to move, copy the script below and save it as _PrepareAndMove.ps1


#Script for Cross Forest Mailbox Move
Write-Host "Enter the Source Domain Migration Admin Credential"
Write-Host "Press any key when ready ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
$InputFile = "C:\Migration\Input\MailEnable.csv" #User list file "MailEnable.csv" saved under the folder "C:\Migration\Input"; it needs a PrimarySmtpAddress column
$SourceADServer = "dc01.ex2007forest.local" #Source Forest Domain Controller
$TargetDeliveryDomain = "<TargetDeliveryDomain>" #Placeholder: the target forest accepted domain passed to -TargetDeliveryDomain; set it for your environment
$RemoteCredentials = Get-Credential #Enter the Source Forest Migration Credentials

#------------------------------------#Prepare the target mail users section
Import-Csv $InputFile | foreach {
    & 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1' -Identity $_.PrimarySmtpAddress -RemoteForestDomainController $SourceADServer -RemoteForestCredential $RemoteCredentials -UseLocalObject
}
#Call 1 minute time wait function (gives AD replication a chance before the move requests are created)
#.\_Wait4OneMinute.ps1 # you will get many time wait functions, use one of them.
Start-Sleep -Seconds 60
# time Wait function ends
#------------------------------------#Initiate MoveRequest Command Section
Import-Csv $InputFile | foreach {
    New-MoveRequest -Identity $_.PrimarySmtpAddress -RemoteLegacy -RemoteGlobalCatalog $SourceADServer -RemoteCredential $RemoteCredentials -TargetDeliveryDomain $TargetDeliveryDomain
}
#End of Script


Create the input file as shown below and save it at the path mentioned in the script.


This should make your process easier; let me know if you face any issues.


Recently I had an issue when opening my Exchange Management Shell or the Exchange Management Console. The error you receive when opening the Shell or Console is:

Connecting to remote server failed with the following error message : The WinRM client received an HTTP status code of 403 from the remote WS-Management service. For more information, see the about_Remote_Troubleshooting Help topic.


The shell will try to find another server available in the org and connect to it automatically, whereas the EMC shows the above error and waits for a response. If you have a single server, the EMS fails to connect as well.

This happened because I had enabled the “Require SSL” setting on the PowerShell virtual directory. Uncheck the Require SSL setting and run IISRESET /noforce to fix the issue.


It uses Kerberos authentication, hence the SSL is not required.
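If you would rather check and clear the setting from the command line than click through IIS Manager, the script below does it (an added example, not code from the original post). It runs in a plain elevated PowerShell window on the CAS server, which matters here because the Exchange shell itself cannot connect while the 403 is present, and it assumes the default path IIS:\Sites\Default Web Site\PowerShell.

```powershell
# Added example (not from the original post): detect whether "Require SSL" is set on the
# Exchange PowerShell virtual directory and clear it, then restart IIS as the post describes.
# Assumptions: elevated PowerShell on the CAS server; default site/vdir path below.
Import-Module WebAdministration

$PowerShellVdir = "IIS:\Sites\Default Web Site\PowerShell"
$AccessFilter   = "system.webServer/security/access"

function Get-PowerShellVdirSslFlags {
    # sslFlags reads "None" when Require SSL is off and contains "Ssl" when it is on;
    # WebAdministration may hand the value back as a plain string or a ConfigurationAttribute
    $flags = Get-WebConfigurationProperty -PSPath $PowerShellVdir -Filter $AccessFilter -Name "sslFlags"
    if ($flags -is [string]) { $flags } else { [string]$flags.Value }
}

function Test-PowerShellVdirRequiresSsl {
    (Get-PowerShellVdirSslFlags) -match "Ssl"
}

function Repair-PowerShellVdirSsl {
    if (Test-PowerShellVdirRequiresSsl) {
        # The "uncheck Require SSL" step from the post, done from the command line
        Set-WebConfigurationProperty -PSPath $PowerShellVdir -Filter $AccessFilter -Name "sslFlags" -Value "None"
        iisreset /noforce | Out-Null
        "Require SSL was set on the PowerShell vdir; cleared it and restarted IIS"
    } else {
        "The PowerShell vdir does not require SSL (sslFlags = $(Get-PowerShellVdirSslFlags)); look elsewhere for the 403"
    }
}

Repair-PowerShellVdirSsl
```

Running it on a healthy server is harmless: it only reports the current sslFlags value and changes nothing, which also makes it a quick way to confirm that the 403 has a different cause.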

If your issue is different, please read the article below; it may trigger a fix for you.


I have been reading... reading... googling, and yes, doing everything to find a way to migrate public folders cross-forest from Exchange 2007 to my Exchange 2010. There are many helpful articles available on the net which you may try.

A few of them are,

And of course many others. Unfortunately none of them worked in my case.

Scenario - Cross-forest migration from Exchange 2007 to Exchange 2010. User accounts are migrated to the target forest and the source Exchange org mailboxes are linked mailboxes. So the scenario is to migrate Linked Mailboxes to User Mailboxes.

Finally, I did some trial and error to find a way out. Most of the testing was with Outlook 2010, and I found a way to transfer the content of the public folders using the import/export and copy folder features of MS Outlook.

The steps are simplified here (I will try to elaborate when I get time later),

Note – I recommend this only for small migrations; for a major migration you must consider a proper public folder migration approach. Also, this will only migrate the public folder content (not system folders), and if your target forest already has the mailboxes/mail-enabled users for all planned users, the permissions will also be migrated (it happened in my case).

The steps are,

  1. Export the public folder content from the source Exchange org to a PST using Outlook 2010 (use an account which has permission on all the public folders, otherwise the export will not be complete).
  2. On the target Exchange org, add the Exchange administrator to the Public Folder Management role group. This is to enable that administrator to create top level folders in the public folder tree.
  3. Configure Outlook with the delegated Exchange admin account (I prefer to use an account which has org level permission plus membership of the Public Folder Management role group)
  4. Attach the exported public folder PST to the configured profile
  5. Create a sub folder in the mailbox, call it “PublicFolder” and import the public folder PST into this folder. It will look like below,


  6. Now you can copy each folder from the public folder tree (select the top level folder) and target it to the target Exchange org public folder tree (All Public Folders).

You may now verify the permissions; if the permissions are not intact I recommend you use PFDAVAdmin or ExFolders to set them accordingly. The major issue, creating the folder structure (public folder tree) and transferring the content, is over here. Permissions you can easily deal with using the nice tools from MS.
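Verifying the permissions folder by folder in Outlook gets old quickly, so here is a script (an added example, not part of the original post) that dumps the public folder tree and client permissions of one org to a CSV and compares two such dumps. Run Export-PublicFolderPermissions once in the source org's Exchange 2007 shell and once in the target org's Exchange 2010 shell, then run the compare anywhere. It assumes the user names in the ACEs look the same on both sides (which is the case when the accounts were migrated, as in this scenario) and that the exporting account can read every folder.

```powershell
# Added example (not from the original post): export public folder client permissions to CSV on
# each side of the migration and compare the two exports to find folders or ACEs that did not
# carry over. Assumptions: same user display names in both forests; run under an account that
# can read the whole tree; PowerShell 2.0 syntax so it also works in the Exchange 2007 shell.
function Export-PublicFolderPermissions {
    param([string]$OutFile)
    Get-PublicFolder "\" -Recurse -ResultSize Unlimited |
        Where-Object { $_.Identity.ToString() -ne "\" } |
        ForEach-Object {
            $folder = $_
            Get-PublicFolderClientPermission -Identity $folder.Identity | ForEach-Object {
                New-Object PSObject -Property @{
                    Folder = $folder.Identity.ToString()
                    User   = $_.User.ToString()
                    Rights = ($_.AccessRights -join ",")   # one row per ACE, rights flattened for CSV
                }
            }
        } | Sort-Object Folder, User | Select-Object Folder, User, Rights | Export-Csv $OutFile -NoTypeInformation
}

function Compare-PublicFolderPermissions {
    param([string]$SourceCsv, [string]$TargetCsv)
    $src = @(Import-Csv $SourceCsv)
    $tgt = @(Import-Csv $TargetCsv)
    $srcFolders = @($src | Select-Object -ExpandProperty Folder -Unique)
    $tgtFolders = @($tgt | Select-Object -ExpandProperty Folder -Unique)
    # Folders present in the source export but missing from the target tree (step 6 skipped a branch)
    $missing = Compare-Object $srcFolders $tgtFolders |
        Where-Object { $_.SideIndicator -eq "<=" } | ForEach-Object { $_.InputObject }
    # ACEs that exist on only one side, or the same folder/user with different rights
    $aceDiff = Compare-Object $src $tgt -Property Folder, User, Rights |
        Select-Object Folder, User, Rights, @{n="OnlyIn";e={ if ($_.SideIndicator -eq "<=") { "Source" } else { "Target" } }}
    New-Object PSObject -Property @{ MissingFolders = $missing; PermissionDifferences = $aceDiff }
}

# Source org (Exchange 2007 shell):   Export-PublicFolderPermissions -OutFile C:\Migration\pf-source.csv
# Target org (Exchange 2010 shell):   Export-PublicFolderPermissions -OutFile C:\Migration\pf-target.csv
# Anywhere:
# $result = Compare-PublicFolderPermissions -SourceCsv C:\Migration\pf-source.csv -TargetCsv C:\Migration\pf-target.csv
# $result.MissingFolders
# $result.PermissionDifferences | Format-Table -AutoSize
```

The PermissionDifferences list is exactly what you would hand to PFDAVAdmin or ExFolders afterwards: each row names the folder, the user and the rights that are present on one side only.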

Share your experiences.


Recently I was involved in a cross-forest Exchange 2007 to Exchange 2010 migration, and I had an issue with the converted mail user in the source forest after the successful cross-forest move. In my case the migration was from a resource forest to an account forest (Linked Mailbox to User Mailbox migration).

This issue happens when you initiate a remote legacy mailbox move from an Exchange 2007 forest to an Exchange 2010 forest. The mailbox move finishes as normal, but you will find corrupted data in the RecipientTypeDetails attribute of the source forest mail user: the value is updated to “33554432”.


And when you open the properties, the warning below shows up,


If you click the OK button it will correct it, but the email address tab may be adjusted according to the policies, and the primary SMTP address may be updated with the external email address value, etc.

This issue affects you only when you have updated your Exchange Server 2010 with Service Pack 2. To fix it, please install Update Rollup 1 for Exchange Server 2010 SP2.

Update Rollup 1 fixes many mailbox move issues, and it is recommended to install it if you are in the middle of migrations. Also see the take-care notes for upgrading with Rollup 1 here


Wednesday, 18 April 2012 11:35

Know More About RBAC Role Assignment

As we all know, ‘Role Based Access Control’ or RBAC is the permission model introduced with Exchange Server 2010. By now almost all of us have a fairly good understanding of RBAC. I decided to write another post on RBAC because recently I came across a query showing confusion about role assignments and role groups. Why should we create a role group, why don’t we use the role assignment to assign permission to users? It looks like a valid question, but can we stay only with role assignments? Of course not. A role assignment has its own importance: without role assignments there are no role groups, but at the same time role assignments alone are not enough either.

I hope you have already read enough about Role Based Access Control. If you do not have clarity about the RBAC permission model, please read a few of my previous articles listed below,

Role Based Access Control Exchange 2010 , Management Role, RBAC Management Role Assignment Policy

In simple words, a Management Role Assignment is a link between one management role and a role assignee. A role assignee can be a role group, a role assignment policy, a user or a universal security group. When you create a role group by clubbing more roles together, it in turn creates an individual role assignment for each role specified.

Now, let us create a role group to see the role assignee and the assignment type:

New-RoleGroup -Name ED_PF_Admin -Roles "Public Folder Replication","Public Folders"

The above cmdlet creates a new role group by clubbing both the roles mentioned.


Now, see the role assignments created when we created the role group: run Get-RoleGroup ED_PF_Admin | fl Name,RoleAssignments,Roles


As you see in the above screenshot, one role assignment is created for each of the roles specified (Public Folder Replication-ED_PF_Admin, Public Folders-ED_PF_Admin). Now let’s see the details of one of the role assignments.

Run Get-ManagementRoleAssignment "Public Folders-ED_PF_Admin" | fl Role*,Assign*


You can see the assignee type is role group, and the role assignee is one of the Exchange security groups. Just like the role group assignee, we can link the role to a user, a USG or a role assignment policy using a management role assignment. In the case of a role assignment policy, the assigned permissions take effect when that policy is applied to users. You may read RBAC Management Role Assignment Policy to learn more about permission delegation using role assignment policies.

I hope you are now clear and left with no confusion about the RBAC Management Role Assignment concept. So my advice is: if you want to delegate a permission only to a single person, use a role assignment; otherwise use a role assignment policy or a role group, depending on the situation. Read the assignment policy topic mentioned above to understand the situations where a policy should be created for permission delegation. The only way to really understand the concept is to practice it in your lab and read as much as you can... it is really simple.
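The flip side of "use a role assignment for a single person" is that direct user assignments pile up and nobody remembers them, so it is worth being able to see who effectively holds a role and through which path. The script below (an added example, not part of the original post) does that for the two roles used in this post and then lists the direct user assignments on their own. It assumes the Exchange 2010 Management Shell and the role group ED_PF_Admin created above.

```powershell
# Added example (not from the original post): for a set of roles, list every person who effectively
# holds each role and via which assignee (role group, USG, direct user assignment or assignment
# policy), then list direct user assignments separately. Assumes the Exchange 2010 Management
# Shell; ED_PF_Admin and the two roles are the ones created in this post.
function Get-EffectiveRoleHolders {
    param([string[]]$Roles)
    foreach ($role in $Roles) {
        # -GetEffectiveUsers expands role groups and USGs down to their members (EffectiveUserName)
        Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers -Enabled $true | ForEach-Object {
            New-Object PSObject -Property @{
                Role          = $_.Role.ToString()
                Assignment    = $_.Name
                AssigneeType  = $_.RoleAssigneeType.ToString()
                Assignee      = $_.RoleAssignee.ToString()
                EffectiveUser = $_.EffectiveUserName
            }
        }
    }
}

function Get-DirectUserAssignments {
    # Assignments whose assignee is a user rather than a group or policy
    Get-ManagementRoleAssignment -RoleAssigneeType User |
        Select-Object Name, @{n="Role";e={$_.Role.ToString()}}, @{n="User";e={$_.RoleAssignee.ToString()}}
}

Get-EffectiveRoleHolders -Roles "Public Folder Replication","Public Folders" |
    Sort-Object Role, EffectiveUser |
    Format-Table Role, AssigneeType, Assignee, EffectiveUser -AutoSize

Get-DirectUserAssignments | Format-Table -AutoSize
```

For the role group from this post the first table shows each member of ED_PF_Admin once per role, with AssigneeType RoleGroup; a person who appears with AssigneeType User got the role through a direct assignment, which is exactly the case you may want to review and move into a role group.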

If you are still confused, write me.


I have seen a few questions in forums about mailbox PST export on Exchange Server 2010. In this post I try to pen down a few helpful command combinations of New-MailboxExportRequest in Exchange Server 2010.

Let’s first look at how simply you can export a single mailbox to PST, followed by some easy filtering options for bulk PST export.

Note – before you proceed, ensure that you have added the PSTAdmin user (or any other user, it can be the Exchange admin also) to the “Mailbox Import Export” role:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User PSTAdmin

After this, you will have to re-open the Management Shell to execute New-MailboxExportRequest successfully.

Also create a network share with read/write permission for this user; it can be created on the server where you run the command. We will use this path for storing the exported PSTs.

Exporting a single mailbox and archive from Exchange Server 2010,

New-MailboxExportRequest -Mailbox Praveen.Balan -FilePath \\ED-Ex2010\pst\Praveen.Balan.pst

It looks so simple, right? Now, will it export the personal archive mailbox as well? The answer is ‘NO’, but if you would like to export the archive mailbox also, just add the -IsArchive parameter at the end of the cmdlet.

New-MailboxExportRequest -Mailbox Praveen.Balan -FilePath \\ED-Ex2010\pst\ArchPraveen.Balan.pst -IsArchive

Exporting bulk user PSTs using New-MailboxExportRequest

In many scenarios we reach a situation where we want to export the PSTs of a group of mailboxes. How do we approach it? I have shown a couple of such scenarios; further ones can be explored by yourself.

Export PSTs of mailboxes in a single DATABASE

foreach ($i in (Get-Mailbox -ResultSize Unlimited | Where {$_.Database -eq "Profile-01"})) { New-MailboxExportRequest -Mailbox $i -FilePath "\\ED-Ex2010\pst\$($i.Alias).pst" }

In the cmdlet above, ‘Get-Mailbox -ResultSize Unlimited | Where {$_.Database -eq "Profile-01"}’ plays the filtering role: it checks the Database property of each mailbox in your organization and passes the matches to the New-MailboxExportRequest cmdlet as input. So if you encounter any issue, first ensure that the filter gives the expected output (run the filter alone in the EM Shell).

Export PSTs of all users

It is fairly simple, not much filtering,

foreach ($i in (Get-Mailbox -ResultSize Unlimited)) { New-MailboxExportRequest -Mailbox $i -FilePath "\\ED-Ex2010\pst\$($i.Alias).pst" }

In the above cmdlet, the filter Get-Mailbox -ResultSize Unlimited retrieves all mailboxes in your organization. Now you must be thinking, why the "-ResultSize Unlimited"? If you have fewer than 1000 users in your infrastructure then you don't need to specify the limit. By default the Get- cmdlets return only the first 1000 entries. To overcome that we add the -ResultSize Unlimited parameter to all the commands.

If you want to export the archive mailbox, add the additional parameter (switch) as mentioned earlier. As above, you can try your own filter for exporting the PSTs of mailboxes. All you need to do is create a filtering criterion as I did above and replace it in the shell cmdlet.

Are we done? A few cleanup jobs are pending. When you run the export request it goes into the queue and then starts the export activity. You can verify the status by running the command below,


If you find all the request statuses are ‘Completed’, you are good to execute the Remove-MailboxExportRequest cmdlet. You can remove only the completed requests using the cmdlet below,

Get-MailboxExportRequest | where {$_.status -eq "Completed"} | Remove-MailboxExportRequest
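Putting the filter, the status check and the cleanup together, here is a version of the bulk export that tags the batch, waits for it to finish, reports any failed requests with their message, and removes only the completed ones (an added example, not code from the original post). It assumes the Exchange 2010 Management Shell, the "Mailbox Import Export" role assignment from above and the \\ED-Ex2010\pst share used in this post; the batch name is just a constructed label.

```powershell
# Added example (not from the original post): export a filtered set of mailboxes as one batch,
# wait for the batch, surface failures instead of silently dropping them, and clean up only
# the completed requests. Assumptions: Exchange 2010 Management Shell, "Mailbox Import Export"
# role, the \\ED-Ex2010\pst share from this post; BatchName is a constructed label.
function Start-FilteredPstExport {
    param(
        [scriptblock]$Filter,                                    # e.g. { $_.Database -eq "Profile-01" }
        [string]$Share = "\\ED-Ex2010\pst",
        [string]$BatchName = "PstBatch-$(Get-Date -Format yyyyMMdd-HHmm)"
    )
    Get-Mailbox -ResultSize Unlimited | Where-Object $Filter | ForEach-Object {
        New-MailboxExportRequest -Mailbox $_.Alias -FilePath "$Share\$($_.Alias).pst" -BatchName $BatchName | Out-Null
    }
    $BatchName   # returned so the other functions can address the same batch
}

function Wait-PstExportBatch {
    param([string]$BatchName, [int]$PollSeconds = 60)
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = Get-MailboxExportRequest -BatchName $BatchName |
            Where-Object { $_.Status -eq "Queued" -or $_.Status -eq "InProgress" -or $_.Status -eq "CompletionInProgress" }
    } while ($pending)
    # Failed requests with the last message the Mailbox Replication Service recorded for them
    Get-MailboxExportRequest -BatchName $BatchName | Where-Object { $_.Status -eq "Failed" } |
        Get-MailboxExportRequestStatistics | Select-Object SourceAlias, Status, Message
}

function Remove-CompletedPstExports {
    # Same cleanup as the one-liner in the post, restricted to this batch
    param([string]$BatchName)
    Get-MailboxExportRequest -BatchName $BatchName | Where-Object { $_.Status -eq "Completed" } |
        Remove-MailboxExportRequest -Confirm:$false
}

$batch = Start-FilteredPstExport -Filter { $_.Database -eq "Profile-01" }
Wait-PstExportBatch -BatchName $batch | Format-Table -AutoSize
Remove-CompletedPstExports -BatchName $batch
```

Failed requests are deliberately left in place after the cleanup so that you can inspect them with Get-MailboxExportRequestStatistics (add -IncludeReport for the full log) and resume or recreate them, rather than losing the evidence along with the completed ones.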

It looks difficult, but I think it is really easy. You will get familiar with it once you have executed it a couple of times…

Still ending up with issues/errors? Please comment and I will help you…


The next major release of Exchange is around the corner! Is it true? No choice other than accepting the fact, because Michael Atalla (Director, Exchange Product Management) wrote about it recently on the official Microsoft Exchange blog. The next version, i.e. Microsoft Exchange Server 15, is going into beta later this year.

As always, it is certain that there will be a lot of good new features. Here you have an opportunity to listen and get your hands dirty (hands on) with the end to end story of this next release of Exchange Server.

Now what next? Have you/we done enough with Exchange 2010 (Exchange 14), and need to know more about the next major release, Exchange 15? Register for the Microsoft Exchange Conference 2012 (MEC 2012), and become one of the first learners/listeners of Exchange 15. MEC 2012 will mainly give you,
    • Get exclusive Exchange 15 content directly from the engineering team
    • Get hands-on experience with Exchange 15
    • Enjoy unparalleled access to Exchange team members, Masters and MVPs
    • Preview amazing new products from select vendors
    • Build personal relationships throughout the Exchange community
Please see this link for more details - MEC 2012 registration is open!

Get ready for it ... and wait for more updates on Exchange 15.


It is very important to know a few important details/truths about the CAS Array object during the planning phase of an Exchange 2010 infrastructure. Recently Brian Day wrote a couple of very nice blog posts on this, in which he explained it very clearly.

The articles mainly focus on the answers to the points below (the truth about a CAS Array),

A CAS array,

  1. does not load balance your traffic
  2. does not service Autodiscover, OWA, ECP, EWS, IMAP, POP, or SMTP
  3. fqdn does not need to be part of your SSL certificate
  4. should not be resolvable via DNS by external clients
  5. should not be configured or changed after creating Exchange 2010 mailbox databases and moving mailboxes into the databases
  6. should be configured even if you only have one CAS or a single multi-role server.

I strongly recommend you read both his posts to understand why the statements above hold; he explains the truths in a very simple and interesting way...

Demystifying the CAS Array Object - Part 1

Demystifying the CAS Array Object - Part 2


Happy Reading... :)


When you try to upgrade your Exchange 2007 server to Exchange 2007 SP3 (similar errors could be seen with SP1 and SP2 as well, but most of us will go for SP3 these days), you may receive the errors below

Summary: 3 item(s). 0 succeeded, 3 failed.
Elapsed time: 00:00:35
“Client Access/Hub Transport/Mailbox” Role Prerequisites
Setup cannot continue with the upgrade because the 'beremote' () process (ID: 2432) has open files. Close the process and restart Setup.
Setup cannot continue with the upgrade because the 'mmc' (Exchange Management Console) process (ID: 8480) has open files. Close the process and restart Setup.
Setup cannot continue with the upgrade because the 'MonitoringHost' () process (ID: 5784) has open files. Close the process and restart Setup.
Setup cannot continue with the upgrade because the 'RFExchConn' () process (ID: 2176) has open files. Close the process and restart Setup.
Setup cannot continue with the upgrade because the 'svchost' () process (ID: 1804) has open files. Close the process and restart Setup.
Setup cannot continue with the upgrade because the ' smlogsvc' () process (ID: 2658) has open files. Close the process and restart Setup.
Elapsed Time: 00:00:20

Most of the above errors are straightforward, like,

'beremote' () process - Stop the “BackupExec Remote Agent” (used by Symantec BackupExec)

'mmc' (Exchange Management Console) – Close all MMCs opened for Exchange management, and ensure that all other users connected to the server console are logged off as well.

'MonitoringHost' () process – Stop the SCOM/MOM agents or any System Center agents on the server

'RFExchConn' () process – RightFax services (stop all of them)

' smlogsvc' () process – See if the “Performance Logs and Alerts” service is running; if so, stop it to proceed.

Now, we have one more, the “'svchost' () process”, where we do not have any clear indication what needs to be done, since svchost is a generic host process name for services that run from dynamic-link libraries. You will see many svchost instances, and it is not recommended to kill any such process unless you know clearly what it hosts.

Now how do we know which service is behind that svchost? Don’t worry, it is not that difficult!!!

Just enter the command “tasklist /svc” without the quotes. It lists all processes with their corresponding PIDs and services.

Shown below,


Yes, search for the svchost PID listed in the prerequisites error list. Mostly it will be pointing to the Remote Registry service; all you need to do is restart the Remote Registry service and re-run the prerequisite check.
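If you prefer to resolve the whole PID list from the prerequisite output in one go rather than reading through tasklist /svc by eye, the script below (an added example, not part of the original post) maps each PID to its process name and, for svchost instances, to the services hosted in that process, using the same information tasklist /svc shows. The PID list is constructed from the error text above; on your server the numbers will differ.

```powershell
# Added example (not from the original post): resolve the PIDs named by the SP3 prerequisite
# check to process names and, via Win32_Service.ProcessId, to the services each one hosts.
# The PID list is constructed from the error text in this post; replace it with your own.
$BlockingPids = 2432, 8480, 5784, 2176, 1804, 2658

function Get-BlockingProcessInfo {
    param([int[]]$Pids)
    foreach ($id in $Pids) {
        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        if (-not $proc) {
            # The process is already gone (e.g. you closed the console since the check ran)
            New-Object PSObject -Property @{ ProcessId = $id; Process = "(exited)"; Services = "" }
        } else {
            # Several services can share one svchost; Win32_Service.ProcessId ties them to it
            $svcs = Get-WmiObject Win32_Service -Filter "ProcessId = $id" |
                ForEach-Object { "$($_.Name) ($($_.DisplayName))" }
            New-Object PSObject -Property @{
                ProcessId = $id
                Process   = $proc.ProcessName
                Services  = ($svcs -join "; ")
            }
        }
    }
}

Get-BlockingProcessInfo -Pids $BlockingPids | Format-Table ProcessId, Process, Services -AutoSize
```

A Services column that lists RemoteRegistry (Remote Registry) next to the svchost PID is the case described above, and restarting that service (Restart-Service RemoteRegistry) before re-running the prerequisite check is the fix; for the other rows the column tells you which agent or console to stop.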

Do not wait to initiate the upgrade once the prerequisites are met, just click Upgrade; otherwise there is a chance for some unwanted process to start again.

Also stop any other third party products installed on the Exchange server before you proceed. This includes antivirus applications, any third party connectors, email scanners, transport agent applications etc.

Time requirement: yes, it takes its own sweet time to complete the upgrade process. In my test lab it took about 1.5 hrs, whereas when I did it on my production box the upgrade process finished in about 30 – 35 mins. So upgrade your server when you have ample time, and the upgrade process goes pretty smoothly.

Let me know your comments, if any,

