Exchange 2016 and CRM Online Email Server Profile Sync Errors

While attempting to set up an Exchange Server (Hybrid) email server profile for CRM Online, at the step of testing and enabling mailboxes you may get the following error in the alert's detailed description:

System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeServiceBinding.EndFindFolder(IAsyncResult asyncResult)
at Microsoft.Crm.Asynchronous.EmailConnector.GetInboxFolderHierarchyStep.EndCall()
at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeIncomingEmailProviderStep.EndOperation()

This error occurs because the EWS virtual directory in Exchange 2016 CU2 does not have Basic Authentication enabled. Enable it and then retry the test; it will now complete without any problems.
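One way to check and apply this setting from the Exchange Management Shell, as an added example that is not part of the original post. It touches every EWS virtual directory that has Basic disabled, so narrow the first call with -Server if only one server should change.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2016.
# Shows the authentication methods on each EWS virtual directory, then
# enables Basic only where it is currently off.

$ewsDirs = Get-WebServicesVirtualDirectory

# Current state, including the URL that CRM Online will call
$ewsDirs | Format-List Identity, ExternalUrl, BasicAuthentication, WindowsAuthentication, OAuthAuthentication

foreach ($dir in $ewsDirs) {
    if ($dir.BasicAuthentication) { continue }   # already enabled

    # Basic sends the mailbox credentials with every request,
    # so do not enable it on a directory published over plain HTTP
    $url = [string]$dir.ExternalUrl
    if ($url -and $url -notlike 'https://*') {
        Write-Warning "$($dir.Identity): ExternalUrl is not HTTPS, skipping"
        continue
    }

    $dir | Set-WebServicesVirtualDirectory -BasicAuthentication $true
}

# Confirm the change before retrying the mailbox test in CRM
Get-WebServicesVirtualDirectory | Format-Table Identity, BasicAuthentication -AutoSize
```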


SharePoint 2013 and One-Way Forest Trusts

Hello Everyone,

Simple fix for an environment where you have a one-way forest trust between an environment that hosts a SharePoint site and several other forests whose accounts you would like to use to log in to the site. After establishing the required trusts and domain settings, the only SharePoint setting that needs to be updated is the people picker. By default the people picker only looks up the local forest. The steps to get this working are as follows:

1. Create service accounts in each other forest that will be used to
2. Execute the following command. You will need to adjust it for your environment; in this sample I'm adding 3 forests.

stsadm -o setproperty -url https://intranet.cotoso.com -pn peoplepicker-searchadforests -pv "forest:ad.acme.com,acme\sp_adtrust,password; forest:northwinds.local,northwinds\sp_adtrust,password; forest:ad.microsoft.com,microsoft\sp_adtrust,password"

Note: you always need to add ALL the domains. If you're updating just one, it will override the ones saved, so make sure to include the existing ones if you're just adding one.

Exchange EventID 9646, Mapi Session Exceeded

As users' mailboxes grow, or as they add additional accounts to the same Outlook instance (such as shared mailboxes or old employees), the number of folders that the user has open from that session can exceed the number of folders allowed by Exchange per session. This can cause very weird behavior, missing emails and lost calendar appointments, as Outlook is not able to sync every folder that is open. Here is an example of the error from the MSExchangeIS service:

Mapi session “{GUID}: /o=First Organization/ou=Exchange Administrative Group (ORGID)/cn=Recipients/cn=James Bond” exceeded the maximum of 500 objects of type “objtFolder”.

Fixing the error is easy: increase the maximum number of objects that MAPI allows.

  1. Open the Regedit and navigate to
    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeIS
  2. Create a new key(Folder)
    1. MaxObjsPerMapiSession
  3. Create two new dwords
    1. objtFolder
    2. objtFolderView
  4. Populate the values with a number that will suit your needs, such as 750. Make sure to switch the DWORD base to decimal, otherwise the values will be very high.

Optional: if you need to force the values, restart the Information Store service, which will reset user connections in a non-DAG environment. Otherwise the store will pick up the changes after a period of time; sometimes the MAPI connection (Outlook) will need to be closed and reopened as well.

Active Directory Stale Account Management

Recently had a client that would like to automate stale account management without investing in a full blown identity management solution. Here is the script I came up with.

  • Gets users that have not logged in for 90 days
  • Counts the accounts that were disabled and sends an email to the administrator
  • Sets user description with date of disabled as well as that it was disabled by the script
  • Finally it disables the accounts

There are more elegant solutions and scripts; feel free to improve as you wish.

Import-Module ActiveDirectory

function sendMail {

    #Set Date
    $90Days = (Get-Date).AddDays(-90)

    #get Users before or equal to that date & enabled (Description is read for the edit below)
    $todisable = @(Get-ADUser -SearchBase "OU=Users,DC=contoso,DC=com" -Filter {(lastlogondate -le $90Days) -AND (enabled -eq $True)} -Properties lastlogondate,description)

    #count the users
    $count = $todisable.Count

    #edit the description ($_ is only bound inside ForEach-Object)
    $todisable | ForEach-Object {
        Set-ADUser -Identity $_ -Replace @{description = "$($_.Description) Disabled By Stale User Script $(Get-Date -Format d)"}
    }

    #disable the accounts
    $todisable | Disable-ADAccount

    #SMTP server name
    $smtpServer = "exch.contoso.com"

    #Creating a Mail object
    $msg = New-Object Net.Mail.MailMessage

    #Creating SMTP server object
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    #Minimal table styling for the HTML report
    $style = "<style>table{border-collapse:collapse} td,th{border:1px solid #999;padding:4px}</style>"

    #Email structure
    $msg.From = "script@contoso.com"
    $msg.ReplyTo = "script@contoso.com"
    #Administrator address (placeholder, change for your environment)
    $msg.To.Add("admin@contoso.com")
    $msg.Subject = "Stale User Script has Disabled $count Accounts"
    $msg.IsBodyHtml = $True
    $msg.Body = $todisable | Select-Object Name,DistinguishedName,LastLogonDate | ConvertTo-Html -Head $style | Out-String

    #Sending email
    $smtp.Send($msg)
}

#Run the script
sendMail


I used some information from here http://blogs.msdn.com/b/rkramesh/archive/2012/03/16/sending-email-using-powershell-script.aspx for the mail information.
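A report-only pass to run before the script above, as an added example (not the author's code). It lists the same candidates plus enabled accounts that have never logged on, which the lastlogondate filter does not match, and it changes nothing. The OU is the sample one from the post; $searchBase, $cutoff and the report columns are names chosen for this example.

```powershell
Import-Module ActiveDirectory

$searchBase = "OU=Users,DC=contoso,DC=com"   # sample OU from the post
$cutoff     = (Get-Date).AddDays(-90)

# Same selection as the script: enabled, last logon on or before the cutoff.
# LastLogonDate comes from lastLogonTimestamp, which replicates with up to
# about two weeks of lag; that is well inside a 90-day window.
$stale = @(Get-ADUser -SearchBase $searchBase `
    -Filter {(lastlogondate -le $cutoff) -and (enabled -eq $true)} `
    -Properties lastlogondate, whenCreated)

# Enabled accounts with no recorded logon have an empty LastLogonDate and
# never match the filter above; pick up the ones created before the cutoff.
$neverUsed = @(Get-ADUser -SearchBase $searchBase `
    -Filter {(enabled -eq $true) -and (whenCreated -le $cutoff)} `
    -Properties lastlogondate, whenCreated |
    Where-Object { -not $_.LastLogonDate })

# One table with the reason each account was picked
$report = foreach ($u in $stale + $neverUsed) {
    [pscustomobject]@{
        Name          = $u.Name
        LastLogonDate = $u.LastLogonDate
        WhenCreated   = $u.whenCreated
        Reason        = if ($u.LastLogonDate) { "No logon since cutoff" } else { "Never logged on" }
    }
}
$report | Sort-Object Reason, LastLogonDate | Format-Table -AutoSize

# Show what the disable step would do without changing anything
$stale | Disable-ADAccount -WhatIf
```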

Lync Server Access Edge service Won’t Start

Recently, out of the blue, a Lync edge server failed to start the critical Lync Server Access Edge service. It would log the following error in the system log:

Event ID 7024

The Lync Server Access Edge service terminated with the following service-specific error:

Looking in the Lync Server log you get a better description of the actual error.

Event ID 12290
The evaluation period has expired.

The evaluation period for Microsoft Lync Server 2013 has expired. Please upgrade from the evaluation version to the fully licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.
Cause: The evaluation period for Microsoft Lync Server 2013 has expired.
Please upgrade from the evaluation version to the licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.

The simple fix is to update the license on the system. To do this, open Lync PowerShell and browse to the installation directory \Setup\AMD64\Setup. From there execute the upgrade command:

msiexec.exe /fvomus server.msi EVALTOFULL=1 /qb

Then start the service. You can use Get-CsServerVersion to confirm the license has been updated.


IE11 and Sharepoint 2010 Problems

Surprise Surprise(remember 9 & 2003), IE11 is released and it won’t work with SharePoint 2010 regardless of the version (December 19, 2013). The cause is due to the changes in IE11 compatibility mode (MSDN details).

Initial thoughts are to hard code the version from 8 to 9 (<meta http-equiv="X-UA-Compatible" content="IE=8"/>) in the master page. This alleviates some problems (InfoPath forms now work; the previous error was: Critical Error: Object doesn’t support this property or method addeventlistener) but it creates more as well (users can’t be added to sites: System.InvalidOperationException: Namespace prefix ‘xsd’ is not defined.).

Based upon my trial and error today, I would recommend the following until MS releases a CU. The farm running is a 2010 Enterprise with all standard features and items in use.

Add this javascript to the master page just above the body close tag.

<script language="javascript">
/* IE11 Fix for SP2010 */
if (typeof(UserAgentInfo) != 'undefined' && !window.addEventListener) {
    UserAgentInfo.strBrowser = 1;
}
</script>


Dealing with a seriously stuck message and how to create a new transport queue

Came across an interesting situation earlier this week that I had not come across before. All email messages in this small (<100 users) Exchange 2010 SP2 environment were being delayed at random intervals between a few minutes and 30 minutes. Checking the event logs, services and Exchange Management Console did not show any real problems. Only one message was logged in the application log. Task Manager did show issues, as the transport service was up to several GB in memory and CPU over standard.

The execution time of agent ‘Journal Agent’ exceeded 90000 milliseconds while handling event ‘OnRoutedMessage’ for message with InternetMessageId: ‘Not Available’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.

Event ID 1050 Source MSExchange Extensibility

I checked the queue viewer and found that one of the queues for a mailbox database was in a connecting status. Upon further investigation I found some messages delivering and others being delayed before delivery. I found one message that was very large in size being delayed the longest. I attempted to suspend the message and was not able to; it gave an error. It appears that this message was stuck: can’t delete or remove, etc. After long attempts with PowerShell to remove and suspend messages I had to delete and create a queue. It's a fairly simple process; here are the steps:

Note: If messages are in the queue when you stop and delete the queue they are lost; there are lossless methods to remove the queue database.

  1. Stop Exchange Transport Service
  2. Browse to the queue in Explorer; if it's the default, it's located at (C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue)
  3. Move the mail.que database file to a new folder inside the queue root.
  4. Start the transport service

This will create a folder called queue.old and place all logs and databases inside of it. It will also create a new queue database and messages should return.

Technet – Managing the Queue Database

Exchange 2010 SP2 Update Rollup 1 Fails

An Exchange 2010 server that has User Account Control (UAC) enabled fails to install Update Rollup 1.

Symptoms: The install flies by with no waiting at steps, especially the generating assemblies step.

Cause: The rollup requires .NET assemblies to be rebuilt. This step takes place BEFORE the msp asks for administrative control in UAC.

Resolution: Run CMD as administrator, then execute the msp!