Insufficient Access Rights

During an Exchange 2003 to Exchange 2010 migration I ran into an issue where the mailbox could not be moved to Exchange 2010 because of an “Insufficient Access Rights” error:

[PS] C:\Windows\system32>get-mailbox -Identity “Joe Sixpack” | New-MoveRequest -TargetDatabase dB01 -BadItemLimit:25 -AcceptLargeDataLoss:$true

Continue reading Insufficient Access Rights

msExchQueryBaseDN and Exchange 2010

In the old days when using Exchange 2007 for hosting scenarios you would use the Configuring virtual organizations and address list segregation in Exchange 2007 whitepaper. In Exchange 2007 the msExchQueryBaseDN property on a mailbox was used to limit the search scope of users in OWA. The typical setting of this property is the OU where the users would reside in Active Directory.

The msExchUseOAB property on a mailbox is used to select an Offline Address Book in a hosting environment (where multiple OAB exist of course). This way the user would receive the OAB of his particular organization.

Continue reading msExchQueryBaseDN and Exchange 2010

Change OWA Logon Page in TMG

Normally when you use OWA you see the initial logon page where the credentials are asked like Domain\User name:


When you want to use the UPN (in most cases identical to the e-mail address) you can set this on the OWA Virtual Directory in the Exchange Management Console:


When you select “Use forms-based authentication” and select “User principal name (UPN)” the initial login page changes accordingly:


When using TMG2010 in front of Exchange 2010 things are different. The logon form is now generated by TMG, and the Exchange server itself is set to basic authentication. By default the TMG logon page for Exchange is set to show the Domain\Username format and unfortunately there’s no easy way to change the logon page to show something different.

Please note that although the default page shows Domain\Username you still can use the UPN to logon!

To change the logon page to show a different text (or change the layout completely) you have to change the HTML pages. These pages can be found on the TMG server in directory C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML. The various languages files can be found in subdirectories here, for example the Dutch language component can be found in subdirectory nls\nl. Open the strings.txt file, search for the L_UserName_Text string and change its value.


Restart the TMG Firewall service and open Outlook Web App. You’ll see that the logon page has now changed:


SSL offloading with Powershell

When you’re using a (hardware) load balancer in combination with Exchange Server 2010 you might want to offload SSL from the Exchange servers to the load balancers. This way you get more options available for persistence in the load balancer.

Enabling SSL offloading in Exchange 2010 is not that difficult but it consists of several steps which can be prone to error if you have to configure this on multiple servers (which is most likely the case of course with a load balancer).

Continue reading SSL offloading with Powershell

Building Hosted Exchange – Part V

In my earlier blog posts Building Hosted Exchange Part I (overview), Building Hosted Exchange Part II (Active Directory) and Building Hosted Exchange Part III (Exchange and ABP’s) and Building Hosted Exchange Part IV (Global Settings) we’ve created a simple Exchange 2010 organization that’s capable of hosting multiple organizations, separated from each other and each having their own Address Books. There’s one last issue I want to point out and that’s message routing. Exchange sees the entire Exchange organization as just one entity and does not care at all about routing between tenants. This is true for SMTP routing as well as out-of-office messages (which are SMTP messages as well of course) for internal and external OOF messages.

Note: using the Address Book Policies you can do ‘GAL segmentation’ but this is a feature that’s only targeted towards Address Books. Transport doesn’t do anything with Address Book Policies! Continue reading Building Hosted Exchange – Part V

Microsoft UC Specialist