Configure EdgeSync in an Exchange 2010/2013 mixed environment

This Azure lab setup has an Exchange 2010 Edge Transport server and a multi-role Exchange 2013 server. As we know, the Edge server is installed for extra security and anti-spam functions. An Edge server in the perimeter network also keeps your internal Exchange servers (Mailbox, Client Access, Hub Transport) from being exposed directly to the internet, which reduces their attack surface.

EdgeSync periodically replicates Active Directory data to a subscribed Edge Transport server. The first step in configuring EdgeSync is creating an Edge Subscription, which subscribes an Edge Transport server to an Active Directory site.

Note: the linked documentation covers the required ports and prerequisites for configuring EdgeSync.

On the Exchange 2010 Edge Transport server, launch the Exchange Management Shell and execute the command below:

New-EdgeSubscription -FileName C:\EdgeSub.xml

Copy the XML file from C:\ to your Exchange 2013 Mailbox server. On the Exchange 2013 Mailbox server, launch the Exchange Management Shell and execute the command below:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSub.xml" -Encoding Byte -ReadCount 0)) -Site "AzureSite"

Here ‘AzureSite’ is the name of my Active Directory site.

As mentioned in the note above, make sure the prerequisites are met in advance. You may have to add a hosts file entry for the FQDN of your Edge server on the Exchange 2013 server. The primary DNS suffix on the Edge server should be set to prevent name resolution issues.

Once the Edge Subscription is configured, connectors will be created on the Edge server for mail flow.

You can now force an EdgeSync using the command below:

Start-EdgeSynchronization -Server testexc2

Here, server testexc2 is the Exchange 2013 Mailbox server and testexc1 is the Exchange 2010 Hub Transport server.
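The steps above, put together as a script that runs on the Exchange 2013 Mailbox server and checks the result. This is an added example and not code from the original post: the Edge FQDN, the site name and the file path are placeholders standing in for the lab values, and it assumes the subscription file has already been exported on the Edge server and copied over.

```powershell
# Added example (not from the original post): drive the EdgeSync setup from the
# Exchange 2013 Mailbox server and verify the result before relying on mail flow.
# Assumptions: C:\EdgeSub.xml was exported on the Edge server with
# New-EdgeSubscription -FileName and copied here; names are placeholders.

$SubscriptionFile = 'C:\EdgeSub.xml'       # exported on the Edge server
$AdSite           = 'AzureSite'            # Active Directory site to subscribe
$MailboxServer    = 'testexc2'             # Exchange 2013 Mailbox server
$EdgeFqdn         = 'edge01.corp.example'  # placeholder Edge Transport FQDN

# 1. Prerequisites: the Mailbox server must resolve the Edge FQDN and reach the
#    EdgeSync secure LDAP port (TCP 50636) before the subscription is worth creating.
if (-not (Resolve-DnsName -Name $EdgeFqdn -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $EdgeFqdn; add a hosts entry or fix DNS before continuing."
}
if (-not (Test-NetConnection -ComputerName $EdgeFqdn -Port 50636).TcpTestSucceeded) {
    throw "TCP 50636 to $EdgeFqdn is blocked; open it on the perimeter firewall."
}

# 2. Import the subscription and subscribe the Edge server to the AD site.
#    ReadAllBytes avoids the Windows-PowerShell-only "-Encoding Byte" switch.
$bytes = [System.IO.File]::ReadAllBytes($SubscriptionFile)
New-EdgeSubscription -FileData $bytes -Site $AdSite

# The subscription file carries the EdgeSync bootstrap credentials; remove it once imported.
Remove-Item -Path $SubscriptionFile -Force

# 3. Force an initial synchronization instead of waiting for the schedule.
Start-EdgeSynchronization -Server $MailboxServer

# 4. Verify: each subscribed Edge server should report a Normal sync status.
$results = Test-EdgeSynchronization
$results | Format-Table Name, SyncStatus, LastSynchronizedUtc, FailureDetail -AutoSize
if ($results | Where-Object { $_.SyncStatus -ne 'Normal' }) {
    Write-Warning 'EdgeSync reported a non-Normal status; check the EdgeSync events on the Edge server.'
}

# 5. Confirm the Send connectors EdgeSync created for this site.
Get-SendConnector | Where-Object { $_.Name -like "EdgeSync -*$AdSite*" } |
    Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize
```

Delete the subscription file on the Edge server as well once the import has succeeded; it is only needed for the initial bootstrap.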


Running the new Office 365 Hybrid Configuration Wizard

As you all know, the latest Hybrid Configuration Wizard is now downloaded from O365, unlike previous versions of Exchange where the HCW was embedded in the on-prem product. With this change you get the latest wizard every time you download it, which means you don’t have to wait for the next CU to resolve issues with the current HCW.

I recently updated my Exchange 2013 SP1 to CU16 and am about to run the new wizard:

First, I have to enable Exchange Hybrid on the on-prem server.

You will be asked to log in to your O365 tenant.

The wizard will redirect to O365 sign in page.

Once logged in, click Enable again and a new tab will open with the link to download the HCW.

Download and run the HCW tool.

Below is the launch page of the Office 365 HCW. Click Next to proceed.

The HCW detects the optimal on-prem server to be the hybrid server (in this case, it’s the Exchange 2013 server). You can also manually select a server of your choice. Also specify the type of O365 organization. Click Next.

Next, you have to provide your Windows and Office 365 tenant credentials. Once done, click Next to proceed.


In the next stage, the wizard gathers and confirms the configuration information. Once the test is successful, click Next.

The wizard will ask how the hybrid environment is to be configured for mail flow. If your organization uses Edge servers, you may have to select the second option.

Click the Advanced button to list additional features. You will then see a check box that says ‘Enable centralized mail transport‘; its description explains what the feature does. If you enable it, all your e-mail flow will be routed through the on-prem environment. Once the options are selected, click Next.

Choose the on-prem Exchange server that should host the receive connector for secure mail transport. Click Next.

Now, choose the on-prem Mailbox server that should host the send connector for secure mail transport. Click Next.

Select the transport certificate, issued by a trusted external CA, to be used for secure mail flow. Click Next.

Specify your organization FQDN for mail flow. Click Next.

Make sure your external URLs are configured on all virtual directories prior to running the HCW. Click Next.

Since I already have an Exchange 2010 SP3 hybrid in place, the wizard detects it and asks to update the configuration. Click Update.

The configuration starts as shown below. Click Stop to cancel.

The HCW process completes. If any configuration is pending, it is shown as below. In this case, my endpoint (the Exchange 2010 hybrid server) was offline, which is why the notification was received.

The server was turned on and the DNS records were confirmed. On re-running the HCW, no issues were reported, indicating that the procedure completed successfully.



Updating hybrid configuration failed with error ‘Subtask CheckPrereqs execution failed: Check Tenant Prerequisites’

I came across this error when running the Hybrid Configuration Wizard on my Exchange Server 2013 SP1 server. Detailed error:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException: Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed:

Towards the end of the error, it asks you to view the Hybrid Configuration log for more information. You can find the log in the following location on your Exchange 2013 server: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration.

Upon searching the issue, I came across a Microsoft article that says it occurs due to a recent change in Microsoft’s Exchange Online environment that prevents the Exchange 2013 HCW from running correctly. The issue can be resolved by installing the latest cumulative update. In my environment I had to download the CU6 update to resolve this issue.



Converting an Office 365 Federated domain to Managed

My existing Azure lab has an Exchange 2010 hybrid setup with ADFS for single sign-on. I am planning to remove ADFS from the environment and use password sync instead.

First I should check whether password sync is already enabled. I can confirm this from the Azure AD Connect application. Launch the AAD Connect tool and check the current configuration:

To check the status of the domain you can use the following commands, once connected to Exchange Online using PowerShell:

Connect-MsolService -Credential $cred


The output will be similar to the screenshot below:


As you can see above, the domain ‘‘ is ‘Federated’.

If you go to ADFS Management -> Relying Party Trusts, you will notice a trust already set up with Microsoft Office 365.


Now, to convert the domain to ‘Managed’, execute the command below:

Convert-MsolDomainToStandard -DomainName <String> -PasswordFile <String> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]


Once the domain is converted to ‘Managed’, single sign-on no longer applies; same sign-on is used instead. The trust with Microsoft Office 365 is removed from the Relying Party Trusts as well.
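The check-then-convert sequence described above as a script. This is an added example and not code from the original post; the domain and ADFS server names are placeholders, it assumes the MSOnline module is installed, and it takes the backup and password-file handling as its own additions.

```powershell
# Added example (not from the original post): confirm a domain's authentication type,
# back up its federation settings, then convert it from Federated to Managed.
# Assumptions: MSOnline module installed; $cred holds Global Administrator credentials;
# domain and ADFS server names are placeholders.

Import-Module MSOnline
$cred = Get-Credential -Message 'Office 365 Global Administrator'
Connect-MsolService -Credential $cred

$Domain     = 'corp.example'          # placeholder federated domain
$AdfsServer = 'adfs01.corp.example'   # placeholder primary ADFS server
$BackupDir  = 'C:\Temp'

# 1. Confirm the current state before touching anything.
$d = Get-MsolDomain -DomainName $Domain
"{0}: Status={1} Authentication={2}" -f $d.Name, $d.Status, $d.Authentication
if ($d.Authentication -ne 'Federated') {
    throw "$Domain is already $($d.Authentication); nothing to convert."
}

# 2. Record the tenant-side federation settings so the ADFS trust can be rebuilt if needed.
Get-MsolDomainFederationSettings -DomainName $Domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, FederationBrandName |
    Export-Clixml -Path (Join-Path $BackupDir "$Domain-federation-backup.xml")

# 3. The conversion also removes the Office 365 relying party trust on the ADFS server,
#    so the cmdlet needs to know which ADFS server to talk to.
Set-MsolADFSContext -Computer $AdfsServer

# 4. Convert. With -SkipUserConversion $false each user gets a temporary password that
#    is written to -PasswordFile, so the file is sensitive: keep the folder ACL to admins
#    and delete it once the passwords have been handed out (or once password sync has
#    overwritten them).
$PasswordFile = Join-Path $BackupDir "$Domain-temp-passwords.txt"
Convert-MsolDomainToStandard -DomainName $Domain -PasswordFile $PasswordFile -SkipUserConversion $false

# 5. Re-check the domain; it should now report Managed.
(Get-MsolDomain -DomainName $Domain) | Select-Object Name, Status, Authentication
```

Run the conversion with -WhatIf first if you want to see what the cmdlet would change without committing to it.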

Installing Exchange 2013 in an Exchange 2010 SP3 Hybrid Environment

I have an Exchange 2010 SP3 hybrid setup in my lab and am planning to install Exchange 2013 as a hybrid server.

I ran the Exchange 2013 setup directly without performing any schema preparation and received the following error:


So I went to my DC and tried executing the schema prep commands as shown below, only to get another failure notification:


As I am already in hybrid, Exchange requires me to run the prep command with the /TenantOrganizationConfig switch. You also have to generate a config XML file by connecting to your Exchange Online tenant.

To do so, connect to your Exchange Online tenant through PowerShell and execute the command below:

Get-OrganizationConfig | Export-Clixml -Path MyTenantOrganizationConfig.XML


The XML file is generated as shown above. Copy it to C:\ on the server where you are running the prep command, i.e. the DC.

Note that instead of /PrepareSchema, we use /PrepareAD together with the /TenantOrganizationConfig switch.

.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /TenantOrganizationConfig:C:\MyTenantOrganizationConfig.XML
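The export, copy and /PrepareAD steps as one script with a sanity check on the exported file before setup consumes it. This is an added example, not the post's own commands: the media path is a placeholder, and the remote PowerShell connection shown is the legacy basic-authentication endpoint that was current when the post was written (newer tenants use the Exchange Online PowerShell module's Connect-ExchangeOnline instead).

```powershell
# Added example (not from the original post): export the tenant organization config,
# verify it, and run /PrepareAD with it. Assumptions: run in Windows PowerShell on the
# DC; Exchange 2013 media extracted to $SetupPath (placeholder); $cred holds an
# Exchange Online administrator credential.

$SetupPath  = 'D:\Exchange2013'                      # placeholder media folder
$ConfigFile = 'C:\MyTenantOrganizationConfig.XML'
$cred       = Get-Credential -Message 'Exchange Online administrator'

# 1. Export the tenant organization configuration from Exchange Online.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null
Get-OrganizationConfig | Export-Clixml -Path $ConfigFile
Remove-PSSession $session

# 2. Sanity check: the file must deserialize and carry the tenant organization name,
#    otherwise setup will fail later with a less helpful message.
$org = Import-Clixml -Path $ConfigFile
if (-not $org.Name) { throw "$ConfigFile does not contain an OrganizationConfig object; re-export it." }
"Tenant organization exported: $($org.Name)"

# 3. Run /PrepareAD with the tenant config and stop on a non-zero exit code.
$setup = Join-Path $SetupPath 'Setup.exe'
$args  = "/PrepareAD /IAcceptExchangeServerLicenseTerms /TenantOrganizationConfig:$ConfigFile"
$p = Start-Process -FilePath $setup -ArgumentList $args -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) {
    throw "Setup /PrepareAD failed with exit code $($p.ExitCode); see C:\ExchangeSetupLogs\ExchangeSetup.log"
}
"PrepareAD completed successfully."
```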


The Exchange setup will now complete successfully. 🙂

Error “Passive copy of Mailbox Database is not in a good state. Status: FailedAndSuspended”

Recently it was noticed that an active mailbox database copy had failed over and was in a “Failed and Suspended” status.


Upon analyzing the event viewer, the following alerts were noticed:




The first thing you can do is right-click the problematic database copy and select Resume Mailbox Database Copy.


The database copy will start re-synchronizing and become healthy. If the issue persists, right-click the database copy and select the Update Mailbox Database Copy option.


You can also use the Exchange Management Shell to troubleshoot these issues.

On further analysis, we found that the issue was caused by problems with the storage drive, which were later resolved.
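The shell equivalent of the console steps above, with a status check before and after so you can tell whether the copy actually recovered. This is an added example and not code from the original post; the database and server names are placeholders and it assumes an Exchange Management Shell on a DAG member.

```powershell
# Added example (not from the original post): resume a failed passive copy, and reseed
# it only if resuming does not bring it back. Assumptions: names are placeholders;
# run from the Exchange Management Shell on a DAG member.

$Database = 'MBXDB01'   # placeholder mailbox database
$Server   = 'MBX02'     # placeholder server holding the passive copy
$Copy     = "$Database\$Server"

function Get-CopyState {
    Get-MailboxDatabaseCopyStatus -Identity $Copy |
        Select-Object Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength, ErrorMessage
}

# 1. Record the failure details before changing anything. ErrorMessage usually names
#    the log file or volume that failed, which is what to check on the storage side.
$before = Get-CopyState
$before | Format-List

# 2. Try a resume first: it is cheap and sufficient when the suspension was transient.
Resume-MailboxDatabaseCopy -Identity $Copy
Start-Sleep -Seconds 60
$after = Get-CopyState

# 3. If the copy is still failed, reseed it from the active copy. The copy must be
#    suspended for Update-MailboxDatabaseCopy, and -DeleteExistingFiles discards the
#    passive copy's database and logs on this server before reseeding.
if (@('Failed', 'FailedAndSuspended') -contains $after.Status) {
    Suspend-MailboxDatabaseCopy -Identity $Copy -Confirm:$false
    Update-MailboxDatabaseCopy -Identity $Copy -DeleteExistingFiles -Confirm:$false
    $after = Get-CopyState
}

# 4. Final state; a healthy copy shows Status Healthy with queue lengths near zero.
$after | Format-List
```

Reseeding copies the entire database over the replication network, so for a large database run it outside business hours and make sure the underlying storage problem has been fixed first, or the new copy will fail the same way.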



Move File Share Witness to another server

A DAG is configured in my client’s Exchange environment and the file share witness is configured on a Hub Transport server. Due to the O365 migrations, management decided to reduce the number of on-premise servers. Hence, the current FSW server, which also happens to be a CAS/HUB server, was planned for decommission, so we had to move the FSW role to a different CAS/HUB server.

This can be achieved either using GUI or shell.

In the GUI, open the DAG properties and replace the existing values with the new directory and server details. Once done, click OK and confirm that the changes have been applied.


To make the same change through the Exchange Management Shell, execute the command below:

Set-DatabaseAvailabilityGroup -Identity "DAGName" -WitnessServer "ServerName" -WitnessDirectory "Directory"

To confirm, execute the command:

Get-DatabaseAvailabilityGroup -Identity "DAGName" | Select Wi*
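The witness move with the preconditions and verification a practitioner would want around it. This is an added example and not code from the original post; the DAG, server and directory names are placeholders.

```powershell
# Added example (not from the original post): move the file share witness and verify
# that the cluster is actually using the new share, not just that the DAG object in AD
# was updated. Names are placeholders.

$Dag        = 'DAG01'
$NewWitness = 'HUB02.corp.example'                        # must not be a DAG member
$NewDir     = 'C:\DAGFileShareWitnesses\DAG01.corp.example'

# 1. Preconditions: the witness must not be a member of the DAG, and if it is not an
#    Exchange server the "Exchange Trusted Subsystem" group must be a local administrator
#    on it so the DAG can create and secure the share.
$members = (Get-DatabaseAvailabilityGroup -Identity $Dag).Servers | ForEach-Object { $_.Name }
if ($members -contains ($NewWitness -split '\.')[0]) {
    throw "$NewWitness is a DAG member and cannot be the witness."
}

# 2. Record the old setting for rollback, then move the witness.
$old = Get-DatabaseAvailabilityGroup -Identity $Dag | Select-Object WitnessServer, WitnessDirectory
Set-DatabaseAvailabilityGroup -Identity $Dag -WitnessServer $NewWitness -WitnessDirectory $NewDir

# 3. Verify against the live cluster state (-Status), not just the AD object. With an
#    even number of members the cluster uses the witness and WitnessShareInUse should be
#    Primary; with an odd number it runs node majority and the share is not in use.
$state = Get-DatabaseAvailabilityGroup -Identity $Dag -Status |
    Select-Object WitnessServer, WitnessDirectory, WitnessShareInUse
$state | Format-List
if (($members.Count % 2 -eq 0) -and ($state.WitnessShareInUse -ne 'Primary')) {
    Write-Warning "Witness share not in use; confirm the share exists on $NewWitness and the members can reach it."
    # Rollback if needed:
    # Set-DatabaseAvailabilityGroup -Identity $Dag -WitnessServer $old.WitnessServer -WitnessDirectory $old.WitnessDirectory
}
```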

Configure RpcClientAccessServer Attribute on Mailbox Database

Recently, my team was notified of an issue affecting Outlook clients. Outlook would not launch for any user in a particular site. The Outlook connection status showed that it was trying to connect to the F5 load balancer/CAS array but immediately dropped the connection.


We suspected an issue at the load balancer end and hence planned to bypass the load balancer and connect directly to the CAS server instead.

We tried to manually configure Outlook for a test mailbox with the FQDN of the CAS server, but the profile configuration was not successful. A DAG was configured and the mailbox database in which the mailbox resided had a copy on another Mailbox server. I activated the passive copy and observed the status, but the issue persisted.

It was then noticed that the RpcClientAccessServer attribute of the mailbox database pointed to the FQDN of the CAS array, which was expected. For Outlook to bypass the CAS array and connect directly to the CAS server, this attribute value has to be changed to point to the CAS server.

The following cmdlets were used for this:

First, to view the current configuration, the command below was executed in the Exchange Management Shell:

Get-MailboxDatabase -Identity MailboxDatabase | Select RpcClientAccessServer

Now, to modify the attribute to point to the CAS server:

Set-MailboxDatabase -Identity MailboxDatabase -RpcClientAccessServer 'CASServerFQDN'

Once this change was made, Outlook connected directly to the CAS server and the connection was established. Later it was identified that network/port issues had prevented the connection. The above change was then reverted and the RpcClientAccessServer attribute was pointed back to the CAS array.
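The temporary repoint-and-revert described above as a script that saves the original value to disk rather than relying on memory, and that checks the RPC endpoint mapper port from the server side before involving a user. This is an added example and not code from the original post; the database, CAS server and file path are placeholders.

```powershell
# Added example (not from the original post): point one database's RPC endpoint at a
# single CAS server for a test, then revert it from a saved value. Names are placeholders.

$Database   = 'MailboxDatabase'
$TestCas    = 'cas01.corp.example'
$BackupFile = "C:\Temp\$Database-RpcClientAccessServer.txt"

# 1. Save the current value (normally the CAS array FQDN) before changing anything.
$current = (Get-MailboxDatabase -Identity $Database).RpcClientAccessServer.ToString()
Set-Content -Path $BackupFile -Value $current
"Current RpcClientAccessServer: $current"

# 2. Check that the CAS server answers on TCP 135 (RPC endpoint mapper), which Outlook
#    needs before it can reach the RPC Client Access service. A failure here points at
#    the network/port problem rather than at Exchange configuration.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($TestCas, 135); "TCP 135 on $TestCas reachable" }
catch { Write-Warning "TCP 135 on $TestCas unreachable: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. Point the database at the CAS server directly, bypassing the load balancer.
#    Only the test mailbox's database should be changed; other databases keep the array.
Set-MailboxDatabase -Identity $Database -RpcClientAccessServer $TestCas
"Now: $((Get-MailboxDatabase -Identity $Database).RpcClientAccessServer)"

# 4. Revert from the saved value once the test is over, and confirm.
$saved = (Get-Content -Path $BackupFile).Trim()
Set-MailboxDatabase -Identity $Database -RpcClientAccessServer $saved
"Reverted to: $((Get-MailboxDatabase -Identity $Database).RpcClientAccessServer)"
```

Keep the test window short: Outlook clients learn the RPC endpoint from the database's RpcClientAccessServer value, so any profile created while the test value is in place will be pointing at the single CAS server until it is repaired.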

Hide DL membership in Exchange 2010

As we know, when sending mail to a distribution group, we can view the members of the group by clicking the ‘+‘ symbol next to the email address in Outlook.


If you want to prevent the distribution group from being expanded, you can do it through ADSI Edit as discussed below:

Launch ADSI Edit, find your distribution group and select Properties.

Select Attribute Editor and find the attribute ‘hideDLMembership‘. Set its value to ‘True‘ to hide the membership of the DL.
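The same attribute change made with the ActiveDirectory module instead of ADSI Edit, so it can be scripted for many groups and audited afterwards. This is an added example and not code from the original post; the group name is a placeholder and it assumes the RSAT ActiveDirectory module is available. Note that hideDLMembership only hides the membership in the address book: the group's member attribute stays readable in AD to anyone with directory read access.

```powershell
# Added example (not from the original post): set hideDLMembership with Set-ADGroup,
# read it back, and list mail-enabled groups that are still expandable.
# Assumptions: ActiveDirectory module installed; group name is a placeholder.

Import-Module ActiveDirectory
$GroupName = 'All-Staff'   # placeholder distribution group

function Set-DlMembershipHidden {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [bool] $Hidden = $true
    )
    $group = Get-ADGroup -Identity $Name -Properties hideDLMembership
    # -Replace writes the attribute whether or not it was previously set.
    Set-ADGroup -Identity $group -Replace @{ hideDLMembership = $Hidden }
    # Read back the stored value so the caller sees what AD actually holds.
    (Get-ADGroup -Identity $Name -Properties hideDLMembership).hideDLMembership
}

# Hide the membership of the group and show the stored value.
Set-DlMembershipHidden -Name $GroupName -Hidden $true

# Audit: every mail-enabled group whose membership can still be expanded in Outlook.
Get-ADGroup -LDAPFilter '(&(mail=*)(!(hideDLMembership=TRUE)))' -Properties mail |
    Select-Object Name, mail |
    Sort-Object Name
```

Outlook reads the address book from the Offline Address Book when in cached mode, so the change becomes visible to those clients only after the next OAB generation and download.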




Configuring Send on Behalf permission for a shared mailbox in Exchange Online

Most of you must have noticed that you do not have the option to configure Send on Behalf permission for shared mailboxes in O365. This can be done only using PowerShell. Run the command below to achieve this:

Set-Mailbox -Identity -GrantSendOnBehalfTo testuser

where ‘’ is the shared mailbox and ‘testuser’ is the user account or mailbox to which the permission is assigned.

You can confirm the above operation using the Get cmdlet below:

Get-Mailbox -Identity mailbox | FL GrantSendOnBehalfTo
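A version of the grant that does not overwrite delegates already on the mailbox, followed by a tenant-wide review. This is an added example and not code from the original post; the mailbox and user names are placeholders and it assumes an existing Exchange Online PowerShell session. The point it adds is that the plain `-GrantSendOnBehalfTo user` form replaces the whole list, while the hashtable form adds to or removes from it.

```powershell
# Added example (not from the original post): add a Send on Behalf delegate to a shared
# mailbox without replacing the existing ones, verify, and review all shared mailboxes.
# Assumptions: Exchange Online PowerShell session already connected; names are placeholders.

$SharedMailbox = 'helpdesk@corp.example'
$Delegate      = 'testuser'

function Add-SendOnBehalf {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $User
    )
    $before = @((Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo)
    # @{ Add = ... } appends to the multi-valued property; a bare value would overwrite it.
    Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $User }
    $after = @((Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo)
    [pscustomobject]@{
        Mailbox = $Mailbox
        Before  = ($before -join ', ')
        After   = ($after  -join ', ')
    }
}

Add-SendOnBehalf -Mailbox $SharedMailbox -User $Delegate | Format-List

# Review: who holds Send on Behalf on each shared mailbox in the tenant.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object Name, @{ n = 'SendOnBehalf'; e = { $_.GrantSendOnBehalfTo -join ', ' } }

# To remove just this delegate later, leaving the others in place:
# Set-Mailbox -Identity $SharedMailbox -GrantSendOnBehalfTo @{ Remove = $Delegate }
```

Send on Behalf is distinct from Send As: with Send on Behalf the recipient sees both names in the From line, which is usually what an auditor wants for a shared mailbox.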
