Monday, November 21, 2016

Exchange 2007 Autodiscover / Office 365 Staged Migration.

Recently, I was assisting a friend with getting Autodiscover working for Exchange 2007, so he could migrate them to Office 365 using the Staged Migration process.

He was receiving the following error message.

Autodiscover was not configured for external use, so we had to configure that using the following commands. $env:computername is an environment variable that resolves to the name of the computer you're running the command on. Feel free to change this to the CAS server name.

I always use an autodiscover A record for this, but this requires you to have it on the certificate as a SAN, or to use a wildcard certificate. Feel free to change this to whatever is on the certificate you're using. If you're using a self-signed certificate, replace it with one from a recognised CA.

Set-AutodiscoverVirtualDirectory -Identity "$env:computername\Autodiscover (Default Web Site)" -ExternalURL "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"
Set-ActiveSyncVirtualDirectory -Identity "$env:computername\Microsoft-Server-ActiveSync" -ExternalURL "https://autodiscover.domain.com/Microsoft-Server-ActiveSync"
We also set up a CNAME for the autodiscover address, pointing to the server's external A record.
Once we had completed this, we ran the Exchange Connectivity Test, which returned the following result.


Further troubleshooting led to the following web page when attempting to reach the address specified in the commands above.



Heading into IIS Manager, we headed straight for the Authentication for the Autodiscover web page.
We noticed that Windows Authentication was set to Disabled. Setting that to Enabled, we were still out of luck.

We then double checked the Microsoft-Server-ActiveSync Authentication, and Windows Authentication was Disabled there, too.

Changing that we managed to get some success!

This resulted in a successful Autodiscover test.

However, when attempting to run through the Migration Endpoint Wizard, it returned the following error.
Everything was correctly configured.

Ultimately, the last piece of the puzzle was IPv6.
It was disabled on the host, but still communicating, and taking priority for autodiscover.
Setting a couple of static entries in the HOSTS file allowed us to connect instantly.
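As an added example (not part of the original post), the following script reads back the two settings this post had to correct, the ExternalUrl and the Windows Authentication state of the Autodiscover and ActiveSync virtual directories, and flags anything that would break external Autodiscover. It assumes the Exchange Management Shell on Exchange 2007 or 2010, and autodiscover.domain.com is the placeholder host name from the post.

```powershell
# Added example (not from the original post): report the ExternalUrl and
# Windows Authentication state of the Autodiscover and ActiveSync virtual
# directories, the two settings this post had to correct, and flag mismatches.
# Assumes the Exchange Management Shell (2007/2010); autodiscover.domain.com is
# the placeholder host name used in the post.
param(
    [string]$Server = $env:COMPUTERNAME,
    [string]$ExpectedHost = 'autodiscover.domain.com'
)

function Test-VDirConfig {
    param([string]$Name, [System.Uri]$ExternalUrl, [bool]$WindowsAuth)
    $issues = @()
    if (-not $ExternalUrl) {
        $issues += 'ExternalUrl is empty, so external Autodiscover/ActiveSync cannot work'
    } elseif ($ExternalUrl.Scheme -ne 'https') {
        $issues += "ExternalUrl uses $($ExternalUrl.Scheme), not https"
    } elseif ($ExternalUrl.Host -ne $ExpectedHost) {
        $issues += "ExternalUrl host '$($ExternalUrl.Host)' is not '$ExpectedHost' (must match a certificate SAN)"
    }
    if (-not $WindowsAuth) { $issues += 'Windows Authentication is disabled' }
    $status = if ($issues) { $issues -join '; ' } else { 'OK' }
    New-Object PSObject -Property @{
        VirtualDirectory = $Name
        ExternalUrl      = "$ExternalUrl"
        WindowsAuth      = $WindowsAuth
        Status           = $status
    }
}

$auto = Get-AutodiscoverVirtualDirectory -Server $Server
$eas  = Get-ActiveSyncVirtualDirectory  -Server $Server

# The two cmdlets name the Windows auth property differently:
# WindowsAuthentication on Autodiscover, WindowsAuthEnabled on ActiveSync.
Test-VDirConfig $auto.Identity $auto.ExternalUrl $auto.WindowsAuthentication
Test-VDirConfig $eas.Identity  $eas.ExternalUrl  $eas.WindowsAuthEnabled
```

Run it before and after the Set-* commands above; a Status other than OK on either line is the same condition the Exchange Connectivity Test reported.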

Thursday, October 20, 2016

RD Gateway Port Change

I recently had to set up a Remote Desktop Services deployment at a client who only had a single external IP and was already using port 443 for OWA on their on-premises Exchange server.

Once the deployment process had finished, I launched RD Gateway Manager from Server Manager, went to the properties of the server and selected Transport Settings. Change the default port to whatever you like; I'm using 8443 in this example.


Once changed, I loaded IIS and checked the Default Web Site to ensure that the port had been correctly bound to RDWeb, which it had automatically.


A quick test confirmed internal and remote access to RDWeb via the new port.

Testing any of the Published Apps, or the Remote Desktop, failed with the following.



When editing the .RDP files, I found that there was no port specified.



There are 2 methods of fixing this. One is in the registry, and the other is the correct way of doing it, which is using PowerShell.
Run PowerShell as Administrator, and use the following command:
Set-RDSessionCollectionConfiguration -CollectionName "CollectionName" -CustomRdpProperty "gatewayhostname:s:<YOUR HOST NAME>:<PORT NUMBER>"

Confirm this has taken effect by using Get-RDSessionCollectionConfiguration.


Once you've run that, refresh your RDWeb page (if it's still open) and download the .RDP file again, and you will find upon editing, that it will have the port under the RD Gateway Server settings.


Thursday, October 13, 2016

Security Group Membership Export

A while back, I posted about email address auditing, and a way to export all members of distribution groups from PowerShell. I found this incredibly useful, and use it quite often. I've always talked to my colleagues about looking into a similar script for

I've just created a nice little script that deals with that in a manner that I think is appropriate.
Import-Module ActiveDirectory
$ou = Read-Host -Prompt 'Specify Organizational Unit here'
# Only security groups (not distribution groups) under the chosen OU.
Get-ADGroup -Filter {GroupCategory -eq "Security"} -SearchBase $ou | ForEach-Object {
    $group = $_.SamAccountName
    # One CSV per group, named after the group.
    $saveto = $("C:\temp\" + $_.Name + ".csv")
    # -Recursive expands nested group membership.
    Get-ADGroupMember -Identity $group -Recursive | Select-Object Name | Export-Csv $saveto
}
I specify the OU where my custom security groups are; otherwise I would be exporting groups like Domain Computers as well.

This creates a CSV file for each individual security group, with the same name as the security group.

Hope this helps someone who is looking for the same solution.

Thursday, October 6, 2016

AD / SYSVOL Version Mismatch

I recently had a call from a client, advising they were unable to RDP to a server.
After basic troubleshooting, I discovered that the Windows Firewall was blocking port 3389 from all sources, and that this was being set by policy on the server.



I checked the Group Policy in question, and confirmed that Allow inbound Remote Desktop exceptions was configured.




I then confirmed that I could RDP to other servers in the same security groups and OUs.
I ran GPRESULT /R GPreport.html, which returned the following results.

Labtech is in use on this site, and the firewall rules are set from within the Default Domain Policy.


A quick look around showed me that this error on Windows 8/Server 2012 had a hotfix available. On Windows 8.1/Server 2012 R2 the issue is fixed with an update.

After installing this hotfix, and rebooting the server, I had one rather happy client.

Friday, August 26, 2016

Windows 10 - This app can't open

Recently, I've had a spate of requests revolving around Windows 10, and Outlook attachments with Windows Apps. Photos, Edge, etc.

When a user tries to click on a web link, or open an attachment from Outlook when a Windows App is the default application, it throws the following error.


To resolve this, type UAC in Cortana and click on Change User Account Control Settings.
Change this setting to something other than Never Notify.

Once you've made that change, open Local Security Policy and browse to Local Policies > Security Options.

Change "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to Enabled.

Restart the computer, and everything should be working fine again.

Wednesday, August 3, 2016

Event ID 1058 - The processing of Group Policy failed

After a Windows Server 2003 Standard R2 to 2012 Standard R2 migration, I ran into some Group Policy issues.

This site had only one policy, which was a Group Policy Preference for mapped network drives.
Windows 7 machines worked fine. The 2012 R2 servers and Windows 10 workstations on the domain were not working.

Performing gpupdate /force on the affected workstations returned the following.

Similarly, the error logged in the System event log was identical.



It turns out a few non-conforming changes had been made to the Default Domain Policy while the 2003 server was the PDC. I had to reset the Default Domain Policy to its defaults with the dcgpofix tool on the new PDC. After a reboot of the workstations, everything was functioning well.

Friday, July 29, 2016

The attempt to connect to http://.../powershell using kerberos authentication failed.

During the process of a pretty standard task, I ran into this problem with a client's SBS 2011 server.

To resolve:

  • I closed down all MMC applications (AD, Exchange, IIS, etc.).
  • Opened the Registry Editor and browsed to HKCU\Software\Microsoft\ExchangeServer\v14\AdminTools
  • Backed up the key, and removed the REG_BINARY value NodeStructureSetting.



Once I reopened the Exchange Management Console, I was greeted with the following.

Open IIS Manager, and click Edit Bindings... on the Default Web Site.

Here, I noticed that the http binding was set to a specific address. I edited this and changed it to "All Unassigned", which replaces the IP address with a *.

Restart IIS, and everything should be functioning correctly again.

Thursday, July 28, 2016

Netlogon folders missing from newly promoted DC

After I promoted a 2012 R2 server to a DC of a 2003 functional domain, I transferred all roles, and confirmed so multiple times, as I've been caught out with FSMO roles and Global Catalogs in my youth.

Everything looked good.
So I demoted the old 2003 DC.
Restarted the server, to join it back on the domain to transfer the last few shares overnight.
It couldn't communicate with the domain. Skipping past all the basic troubleshooting (DNS server, etc.), I logged onto the newly promoted DC to delete the old computer object as a "maybe", when I ran into the following error in all AD MMC applications.


Brilliant, I thought to myself. Immediately firing up a command prompt as Admin, I ran dcdiag and noticed "failed" flash past my eyes a few times in a rush. After scrolling back to the top, I noticed the DsGetDcName call failed with error 1355 (as below).


This highlighted that during the promotion process, it didn't actually create the share for NETLOGON and SYSVOL, or the Scripts and Policies folders.

To resolve this:

  1. I browsed to C:\Windows\sysvol\sysvol\domain name\ and created the Scripts and Policies folders manually.
  2. In Regedit, browsed to HKLM\SYSTEM\CurrentControlSet\Services\Ntfrs\Parameters\Backup/Restore\Process at Startup
  3. Located the BurFlags DWORD and modified the value to D4
  4. Restarted the File Replication Service on the new DC.
  5. This automatically shares NETLOGON and SYSVOL.
No restart required, and I was able to get into all AD MMC applications, and join the domain again.

Clocks on client and server machines are skewed

After promoting a Virtual Server 2012 R2 server to Domain Controller on a 2003 domain, I was attempting to load Active Directory Users and Computers on the new server, where I was greeted with the following error.


The simplest way of fixing this was to turn off Time synchronization under Integration Services in the VM's settings in Hyper-V.


After a reboot, the time was all sorted, and it continued to work.

Thursday, July 7, 2016

Redirect Computers and Users OU

To take the guess work out of technicians remembering to place the Computer in the correct OU to receive any custom Group Policies, I've been changing the default Computer OU for some time now.

Doing this is very basic and often overlooked.

Load Active Directory Users and Computers, enable Advanced mode, and browse to the OU you want the computers to be a part of, right click and go to Properties. Switch to the Attribute Editor tab, and locate distinguishedName (should be the last option).
Click on View and then copy the contents.

Next, load PowerShell as Administrator.

Now type in the following command:
redircmp "OU=Computers,OU=Company Name,DC=Domain,DC=local"
To paste the data from your clipboard into the PowerShell window, simply right-click in the window when you're ready for it, and it will populate.

Friday, July 1, 2016

Free/Busy Data with Exchange 2016

We set up a new Exchange 2016 server recently, and the client advised me that the free/busy data was not displaying correctly for the Room Mailboxes that were invited.

Previously, a simple Set-MailboxFolderPermission -Identity MeetingRoom:\Calendar -User Default -AccessRights Reviewer command would fix it.

The MeetingRoom calendar would remove the organisers subject, and replace it with their name. It would read like:
Gareth Harris
Meeting Room
Gareth Harris

The following commands are now required for Exchange 2016, and have been in play with Office 365 for a while now.

Using the command above, I set -User Default -AccessRights LimitedDetails
Then ran Set-CalendarProcessing -Identity MeetingRoom -AddOrganizerToSubject $false -DeleteComments $false -DeleteSubject $false

This will only affect new meetings.
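As an added example (not part of the original post), this script applies the two changes above to every room mailbox and then reads the settings back, so the fix is verified rather than assumed. It assumes the Exchange 2016 Management Shell and English-language mailboxes, where the calendar folder is named Calendar.

```powershell
# Added example (not from the original post): apply the post's two changes to
# every room mailbox and report the resulting state. Exchange Management Shell
# (2016) assumed; the folder name "Calendar" is for English-language mailboxes.
function Set-RoomFreeBusyVisibility {
    param([switch]$Commit)   # without -Commit, only the current state is reported
    foreach ($room in Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited) {
        $calendar = "$($room.Alias):\Calendar"
        if ($Commit) {
            # LimitedDetails shows attendees the subject and location, not the body.
            Set-MailboxFolderPermission -Identity $calendar -User Default -AccessRights LimitedDetails
            # Keep the organiser's subject instead of replacing it with their name.
            Set-CalendarProcessing -Identity $room.Identity `
                -AddOrganizerToSubject $false -DeleteComments $false -DeleteSubject $false
        }
        $perm = Get-MailboxFolderPermission -Identity $calendar -User Default
        $proc = Get-CalendarProcessing -Identity $room.Identity
        New-Object PSObject -Property @{
            Room                  = $room.DisplayName
            DefaultAccess         = ($perm.AccessRights -join ',')
            AddOrganizerToSubject = $proc.AddOrganizerToSubject
            DeleteSubject         = $proc.DeleteSubject
            DeleteComments        = $proc.DeleteComments
            # True only when every setting matches what the post requires.
            Ok = ($perm.AccessRights -contains 'LimitedDetails') -and
                 -not $proc.AddOrganizerToSubject -and -not $proc.DeleteSubject
        }
    }
}

Set-RoomFreeBusyVisibility | Format-Table Room, DefaultAccess, AddOrganizerToSubject, DeleteSubject, Ok -AutoSize
# Set-RoomFreeBusyVisibility -Commit
```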

Thursday, June 30, 2016

Bridged Wireless over Site to Site

I set up a new SonicWall SOHO Wireless recently for a satellite site.
The users had mobiles and printers to set up on wireless, so given the size of the site, I just bridged the built-in wireless to X0.

Once installed on site, there was a requirement for the wireless clients to connect via the site-to-site VPN to head office.

I ended up having to make 2 firewall rules:

WLAN > VPN
VPN > WLAN




Friday, June 24, 2016

Server 2008 Logon


I had a client who could not log onto the SQL server to run some critical backups.
As it was days away from end of financial year, they were getting a bit worried.

The logon process would get stuck at "Applying Group Policy Printers policy...".

During the process, the user had gotten fed up, and disconnected the remote session.
When they contacted me, I was getting the following error.



To resolve this, I logged in with my account and ran "query process winlogon.exe". I identified the process without a session name and noted its PID, located that PID in Task Manager (you cannot use taskkill.exe for this), and killed the process.

I then created a security group in Active Directory called "Group Policy Exceptions" and added the server in question. I fired up Group Policy Management, found the policy in question, and added the group under Delegation with "Read" permissions. I clicked on Advanced, then unticked "Read" and ticked "Apply group policy - Deny".

Logged on as the user, and confirmed successful login.

Monday, June 20, 2016

Client Managed Distribution Groups

So previously, having a user manage the distribution group via Exchange 2007 and older, through Outlook was relatively easy. You just had to remember to tick the box in Active Directory, to allow them to modify the group.

Exchange 2010 and above has changed this "by design".

To resolve this, you need to download and run the Manage-GroupManagementRole.ps1 script, from TechNet.

Run the following from the Exchange Management Shell: Manage-GroupManagementRole.ps1 -creategroup -removegroup

This takes care of everything you need, and you can then use Exchange to control the groups that you wish users to be able to modify.

Friday, June 17, 2016

Windows Updates Broke My Group Policy

After the most recent round of Windows Updates, 2 of my clients started losing Group Policy Object settings on all workstations.

I tracked the issue to KB3163622, which changes the security context used to read group policies from the user to the computer.
The fix is to ensure that "Authenticated Users", or if you use Security Filtering, "Domain Computers", is added with Read permissions.

More information can be found here: https://support.microsoft.com/en-us/kb/3163622
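As an added example (not part of the original post), the following script finds every GPO in the domain that neither "Authenticated Users" nor "Domain Computers" can read, which is exactly the condition that makes computers skip the GPO after KB3163622, and optionally grants Domain Computers read access. It assumes the GroupPolicy RSAT module and rights to read GPO permissions.

```powershell
# Added example (not from the original post): list every GPO that neither
# "Authenticated Users" nor "Domain Computers" can read, the state that breaks
# GPO processing after KB3163622, and optionally grant Domain Computers read.
# Assumes the GroupPolicy RSAT module and rights to read GPO permissions.
Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-UnreadableGpo {
    param([string[]]$RequiredTrustees = @('Authenticated Users', 'Domain Computers'))

    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # Either trustee with read access is enough for the computer to read the GPO.
        $readers = $perms | Where-Object {
            ($_.Permission -in $readLevels) -and ($_.Trustee.Name -in $RequiredTrustees)
        }
        if (-not $readers) {
            New-Object PSObject -Property @{
                GPO      = $gpo.DisplayName
                Id       = $gpo.Id
                Trustees = ($perms | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
            }
        }
    }
}

function Repair-UnreadableGpo {
    param([switch]$Commit)   # without -Commit, only report what would change
    foreach ($g in Get-UnreadableGpo) {
        if ($Commit) {
            # GpoRead (not GpoApply) keeps existing security filtering intact while
            # letting the computer read the GPO.
            Set-GPPermission -Guid $g.Id -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
            "Granted Domain Computers read on '$($g.GPO)'"
        } else {
            "Would grant Domain Computers read on '$($g.GPO)' (current: $($g.Trustees))"
        }
    }
}

Get-UnreadableGpo | Format-Table GPO, Trustees -AutoSize
Repair-UnreadableGpo          # add -Commit to apply
```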

Friday, June 10, 2016

0x8007046a - Not enough server storage is available to process this command

One of my clients received a new 2012 R2 server, with over 10 TB of drive space on the data drive.
During the process of migrating their data from the old 2003 R2 server, I ran into the error message "Not enough server storage is available to process this command" while just manually copying the files through Windows Explorer. There was approximately 1 TB of data to copy, leaving 9 TB free on the drive. Plenty of space.

The files were of random sizes. Some being 50gb in size, others being 10mb in size. There was no rhyme or reason.

Out of curiosity I decided to utilise Robocopy to complete the task. I normally use this for data to retain permissions, but had neglected to as this was just a backup repository.

I ran the following command: robocopy \\sourceserver\folder e:\folder /mir /e /log:log.txt

All the files copied successfully.
Moral of the story? Always use robocopy.

Exchange 2010 Memory Usage Limit

Any self-respecting Exchange sysadmin will be able to tell you that it is perfectly normal, and expected, for store.exe (Microsoft Exchange Information Store) to continuously grow in memory usage until it uses 100% of the free RAM available.

This has been the case for as long as I can remember.

One of my clients is using SBS 2011, which comes with Exchange 2010.
They also heavily utilize the SQL components of SBS 2011.

The aforementioned normal behaviour of store.exe causes delays when doing basic things in SQL on the SBS 2011 server.

After a bit of searching, I found the following ADSIEdit workaround.
Connect to the Configuration Naming Context.

Navigate to Configuration > Services > Microsoft Exchange > "Organisation Name" > Administrative Group > Servers > "Server Name" > InformationStore

Right-click on InformationStore, select Properties and locate both msExchESEParamCacheSizeMax and msExchESEParamCacheSizeMin.

I set the following, which is 1 GB for min and 4 GB for max. Please note that you must set both the Min and Max values for it to work.



Exchange 2007 uses different page sizes, and I only calculated for Exchange 2010.
Exchange 2013 and 2016 do not have SBS versions, so you won't ever need to worry about limiting their store.exe sizes.

Once you've done this, you need to restart the Microsoft Exchange Information Store service, and it should stay under the 4 GB limit.
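As an added example (not part of the original post), this script does the ADSIEdit change above from PowerShell: it converts the 1 GB / 4 GB limits into ESE database pages and writes both attributes to the InformationStore object in the configuration partition. It assumes the ActiveDirectory module and Exchange 2010, whose database page size is 32 KB (Exchange 2007 uses 8 KB pages, which is why the post's numbers do not carry over); SBS01 is a placeholder server name.

```powershell
# Added example (not from the original post): compute the ESE cache limits in
# database pages and write them to the InformationStore object in the
# configuration partition, the same object the post edits in ADSIEdit.
# Assumes the ActiveDirectory module and Exchange 2010 (32 KB database pages;
# Exchange 2007 uses 8 KB pages, so its page counts differ).
Import-Module ActiveDirectory

function Get-EsePageCount {
    param([int]$GB, [int]$PageSizeKB = 32)
    # Pages = bytes / page size: 1 GB at 32 KB pages = 32768 pages, 4 GB = 131072.
    [int](($GB * 1GB) / ($PageSizeKB * 1KB))
}

function Set-StoreCacheLimit {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [int]$MinGB = 1,
        [int]$MaxGB = 4,
        [switch]$Commit    # without -Commit the change is only shown via -WhatIf
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # The InformationStore object sits under CN=<Server>,CN=Servers,... in the
    # Exchange administrative group; match it by its parent server name.
    $store = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchInformationStore)' `
        -Properties msExchESEParamCacheSizeMin, msExchESEParamCacheSizeMax |
        Where-Object { $_.DistinguishedName -like "*,CN=$ServerName,CN=Servers,*" }
    if (-not $store) { throw "No InformationStore object found for server '$ServerName'" }

    $min = Get-EsePageCount -GB $MinGB
    $max = Get-EsePageCount -GB $MaxGB
    "Current: Min={0} Max={1} pages" -f $store.msExchESEParamCacheSizeMin, $store.msExchESEParamCacheSizeMax
    "Target:  Min={0} Max={1} pages ({2} GB / {3} GB)" -f $min, $max, $MinGB, $MaxGB

    # Both attributes must be set together, as the post notes.
    Set-ADObject -Identity $store.DistinguishedName -Replace @{
        msExchESEParamCacheSizeMin = $min
        msExchESEParamCacheSizeMax = $max
    } -WhatIf:(-not $Commit)
}

Set-StoreCacheLimit -ServerName 'SBS01'   # placeholder server name; add -Commit to apply
```

The change only takes effect after the Microsoft Exchange Information Store service is restarted, as the post says.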

Friday, June 3, 2016

Cisco VPN Install Error 27850

One of my clients recently had an issue with their MYOB AO software, which requires a Cisco VPN client to be installed to complete certain tasks.
For some reason, it had removed itself, and when attempting to reinstall manually, I encountered the following error in Windows 7 x64:
Error 27850. Unable to manage networking component.  Operating system corruption may be preventing installation.
The long and short of it is a registry edit.
Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\MaxNumFilters
Default: 8
Maximum setting: 14

I have bumped this up to 14 for my client, and it's now successfully working.

Tuesday, May 31, 2016

Changing Network Profile

I've recently encountered a slew of client workstations and servers alike having issues switching to a "private" network profile.

The easiest fix I've found to date is the following:
Browse to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

This is what my Windows 10 profiles look like. Identify which key it is by the Description string.
Once confirmed, find the Category DWORD value: 0 = public, 1 = private, 2 = domain.
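As an added example (not part of the original post), this script lists the profiles under that key with the Category value decoded, and can switch a profile identified by its Description to Private, the same edit the post makes by hand in regedit. It must run elevated; 'Office LAN' is a placeholder description.

```powershell
# Added example (not from the original post): list the network profiles under
# HKLM\...\NetworkList\Profiles with Category decoded, and optionally switch
# one to Private or Public. Run elevated; 'Office LAN' is a placeholder.
$profilesKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
$categoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function Get-NetworkProfileCategory {
    Get-ChildItem $profilesKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            ProfileGuid  = $_.PSChildName
            Name         = $p.ProfileName
            Description  = $p.Description
            Category     = $p.Category
            CategoryName = $categoryNames[[int]$p.Category]
        }
    }
}

function Set-NetworkProfileCategory {
    param(
        [Parameter(Mandatory)][string]$Description,
        [ValidateSet('Public', 'Private')][string]$Category = 'Private'
    )
    # Domain (2) is assigned by Windows itself when a domain controller is
    # reachable, so it is not offered here; the post's cases were Public vs Private.
    $value = if ($Category -eq 'Private') { 1 } else { 0 }
    $found = Get-NetworkProfileCategory | Where-Object { $_.Description -eq $Description }
    if (-not $found) { throw "No profile with Description '$Description'" }
    foreach ($profile in $found) {
        Set-ItemProperty -Path (Join-Path $profilesKey $profile.ProfileGuid) -Name Category -Value $value -Type DWord
        "$($profile.Description) ($($profile.ProfileGuid)) set to $Category"
    }
}

Get-NetworkProfileCategory | Format-Table Name, Description, CategoryName -AutoSize
# Set-NetworkProfileCategory -Description 'Office LAN' -Category Private
```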

Monday, May 23, 2016

SMTP 554 5.1.0 Sender Denied NDR

A client of mine was unable to receive any emails from one particular email address. The NDR returned "Sender Denied". Turns out the user had blocked them by accident at some time.

I managed to identify the problem with Get-MailboxJunkEmailConfiguration Jamie, which returns the below.


You will see BlockedSendersAndDomains has a single entry in it. This was the email address with the problem.
To remove it, I ran Set-MailboxJunkEmailConfiguration Jamie -BlockedSendersAndDomains @{remove="email@address.com"} and it removed the user.

To confirm that the change has taken effect, run Get-MailboxJunkEmailConfiguration Jamie
You will see there is no entry in BlockedSendersAndDomains
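As an added example (not part of the original post), this generalises the check above to every mailbox: it finds which users have a given sender, or that sender's whole domain, in BlockedSendersAndDomains, so the source of a "Sender Denied" NDR can be found without guessing the mailbox, and can remove the entry where found. It assumes the Exchange Management Shell; email@address.com is the placeholder from the post.

```powershell
# Added example (not from the original post): find every mailbox whose
# BlockedSendersAndDomains list contains a sender (or the sender's domain)
# and optionally remove the entry. Exchange Management Shell assumed;
# email@address.com is the placeholder address from the post.
function Find-BlockedSender {
    param(
        [Parameter(Mandatory)][string]$Sender,   # full address or bare domain
        [switch]$Remove                          # remove the entry where found
    )
    $domain = ($Sender -split '@')[-1]
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailboxes that have never been opened may have no junk configuration yet.
        $cfg = Get-MailboxJunkEmailConfiguration -Identity $mbx.Identity -ErrorAction SilentlyContinue
        if (-not $cfg) { continue }
        # A domain-level block (address.com) also denies the individual sender.
        $hits = @($cfg.BlockedSendersAndDomains | Where-Object {
            $_ -ieq $Sender -or $_ -ieq $domain
        })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Mailbox = $mbx.PrimarySmtpAddress
                Entries = $hits -join ', '
            }
            if ($Remove) {
                Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity `
                    -BlockedSendersAndDomains @{Remove = $hits}
            }
        }
    }
}

Find-BlockedSender -Sender 'email@address.com' | Format-Table -AutoSize
# Find-BlockedSender -Sender 'email@address.com' -Remove
```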


Monday, May 16, 2016

Service '' () could not be stopped. Verify that you have the correct permissions to stop system services. Exchange 2010

Recently I was attempting to update an out-of-date Exchange 2010 installation to the latest SP3 RU13 patches. The catch is, the server only had SP1 RU8 installed.

I've previously jumped from SP1 RU4, straight to SP3, without issues, so I took the backup right before hand, and commenced doing the install.

Soon after I commenced, it failed when trying to remove 4934d1ea-be46-48b1-8847-f1af20e892c1. This GUID points to the SP1 RU8 patch, and the failure came with the "Service '' () cannot be stopped" error message. After identifying which update the GUID was pointing to, I attempted to run the uninstall from Programs and Features, the command line, multiple domain admin accounts, and even attempted to go into safe mode to remove it. Unfortunately, nothing would work, as I didn't have the required permissions to stop the mystery service. After a quick eyeball, I confirmed that none of the Exchange services were started either, which is normal when you're doing an update. No clue.

At this stage, I decided to venture into the world we know as Google. I found only one other person (Captain Hotsauce) who had the same error message, with the exact same situation as me, who was posting on this Spiceworks post, with literally everything that I had attempted myself, and was in the same situation. I believe he had also posted on the TechNet forums, which ended in a suggestion to "Call Microsoft".

To get everything working again, I went through and manually started all the required Exchange services, so that I didn't have to restore the server from backups.

In the end, it was Captain Hotsauce who had figured out that not only was Exchange so far out of date, but so was Windows. Ran through a bunch of Windows updates, and everything was working.

I confirmed the same. I checked Windows Updates, which WSUS was controlling...poorly. It looks like someone had done an attempted uninstall of WSUS at some point in time, and botched it. I fixed this, performed over 180 Windows updates, rebooted. Attempted to manually uninstall SP1RU8, which was successful. I then went through and updated to SP3 with no issues, and immediately followed with CU13.

I'm posting this as an additional result for Google, so that anyone who runs into the same situation can find multiple posts confirming the successful resolution for both of us.

Tuesday, April 19, 2016

Mass-UPN Suffix Change

I was recently asked how to fix autodiscover for mobile devices. I hadn't even considered that it wasn't working correctly. It was just a way of life, that when I entered my email address and password in my mobile, it required the server address too. Old habits from Exchange 2003, really.

After this question, it became glaringly obvious that it was a huge oversight for our clients user experience. If a user knows their email and password, why should they have to call up IT, to configure their emails on the phone.

Simple fix: the User Principal Name (UPN) suffix.

There are 2 steps required. First add the new UPN suffix in Domains and Trusts, and then set it as the default, for the users. As I was in the process of rolling it out to all of our clients, I deemed it worth my time to investigate a script to create the new UPN suffix, and then set it by default, per OU.

So, there is no way to set the default UPN to anything other than the canonical name of the domain.
You can change the domain, and perhaps that might be worth looking into for your circumstance, but for me and my clients, definitely not worth the headache.
That aside, this is really the only thing that I can see that would benefit from that.

Below is the script that I managed to come up with. 
There are 2 sections: one to add the UPN suffix, the other to set it based on OU. You can apply it to the root of AD, but I think best practice would be to treat this like GPOs and apply it only to the OU where it's required. This also allows modular management if you have multiple accepted domains in Exchange, with different defaults for different users.

If you run this from Active Directory Module for Powershell, you do not need the top line.
I’ve made bold all the bits that are variable. 

Side note: I  have not tested the 2 sections in the same script yet.

Import-Module ActiveDirectory
# Create the new UPN suffix in the forest.
Set-ADForest -Identity garhar.local -UPNSuffixes @{Add="garhar.com"}


# Current/old suffix
$old = 'garhar.local'

# New suffix
$new = 'garhar.com'

# Targeted OU
$ou = "OU=Users,OU=Test,DC=garhar,DC=local"

# AD server
$server = "DC01"

Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    # Use a separate variable for the rewritten UPN. Reassigning $new here would
    # overwrite the suffix after the first user and corrupt every later UPN.
    $upn = $_.UserPrincipalName.Replace($old, $new)
    $_ | Set-ADUser -Server $server -UserPrincipalName $upn
}

Friday, April 15, 2016

Event ID 15021 HttpEvent Exchange 2013

Recently a client of mine stopped receiving external emails, 2 days after their SSL had been renewed.
Event logs revealed error 15021 from HttpEvent, stating "An error occurred while using SSL configuration for endpoint 0.0.0.0:444. The error status code is contained within the returned data."

Quick and easy fix.

  • From an elevated command prompt, run netsh http show sslcert
  • From the returned content, look for 127.0.0.1:443, and copy the certhash and appid details
  • Run netsh http delete sslcert ipport=0.0.0.0:444
  • Run netsh http add sslcert ipport=0.0.0.0:444 certhash=xxxxx appid="{xxxxx}"
  • Once you've successfully added the 0.0.0.0:444 binding, reboot your Exchange server, and all will be well.
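As an added example (not part of the original post), this script parses the output of netsh http show sslcert, picks the certificate hash and application ID from the 127.0.0.1:443 binding, and builds the two netsh commands above, so the 40-character hash is never retyped. The sample output embedded in it is constructed, with placeholder hash and GUID values; on the server you would feed it the live netsh output instead.

```powershell
# Added example (not from the original post): parse `netsh http show sslcert`
# output and build the delete/add commands that recreate the 0.0.0.0:444
# binding from the 127.0.0.1:443 one. The sample output below is constructed;
# the hashes and GUIDs in it are placeholders.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $bindings = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = @{ IpPort = $Matches[1] }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertHash = $Matches[1]
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { New-Object PSObject -Property $_ }
}

function Get-SslCertRebindCommands {
    param([string[]]$Lines, [string]$Source = '127.0.0.1:443', [string]$Target = '0.0.0.0:444')
    $src = ConvertFrom-NetshSslCert $Lines | Where-Object { $_.IpPort -eq $Source }
    if (-not $src) { throw "No SSL binding found for $Source" }
    # netsh expects ipport=... (an equals sign) for both delete and add.
    @(
        "netsh http delete sslcert ipport=$Target",
        "netsh http add sslcert ipport=$Target certhash=$($src.CertHash) appid=`"$($src.AppId)`""
    )
}

# Constructed sample; on the server use (netsh http show sslcert) instead.
$sampleText = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0000000000000000000000000000000000000001
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY

    IP:port                      : 127.0.0.1:443
    Certificate Hash             : 0000000000000000000000000000000000000002
    Application ID               : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name       : MY
'@
$sample = $sampleText -split "`r?`n"

Get-SslCertRebindCommands -Lines $sample
# On the server: Get-SslCertRebindCommands -Lines (netsh http show sslcert) | ForEach-Object { Invoke-Expression $_ }
```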


Monday, April 4, 2016

Exchange 2013 ECP error 500 - Unexpected Error

Recently I discovered one of my clients ECP wasn't loading.
This obviously wasn't affecting mail flow, and ultimately it didn't cause any problems, as we still had EMS access. But some of the technicians who work with me cannot use PowerShell, so I took it upon myself to resolve the issue.

The resolution was to recreate the ECP Virtual Directory. Steps are below.

1) Remove the current ECP.
It's worth noting at this point, that doing this is the same process as it was in Exchange 2010, but you may run into some issues, specifically if you only have the one Exchange server with CAS and Database roles.

From EMS, run the following command Remove-EcpVirtualDirectory -Identity "SERVER\ecp (Default Web Site)"

This command removes the ECP virtual directory located within the default IIS website installed on the Exchange server that you specify with SERVER, but it also removes the ECP VD from the Exchange Back End web site, on the same server.

If you still see ECP under either Default Web Site or Exchange Back End, remove it manually.

2) Re-Create new ECP VD.
The command to create a new ECP VD is New-EcpVirtualDirectory -WebSiteName "Default Web Site" -InternalURL https://servername/ecp -ExternalURL https://mail.domain.com/ecp
At this point, my personal preference is to have Internal and External URLs the same, as it removes the certificate error internally. Not critical, but just something nice for sys admins to deal with.

When I attempted this initially, it returned an error to state that the folder already existed. So I had to open C:\Windows\system32\inetsrv\config\applicationhost.config in Notepad, and remove all configuration lines referring to ECP

Once the command is run successfully, I noticed in IIS that the Exchange Back End ECP VD was still missing. To correct this, I ran New-EcpVirtualDirectory -WebSiteName "Exchange Back End" -InternalURL https://servername/ecp -ExternalURL https://mail.domain.com/ecp

This command returned the following error "The AD configuration for virtual directory 'ecp' already exists"

I fired up ADSIEdit.msc and connected to Configuration, and located the folder in question here:
Services > Microsoft Exchange > First Organization > Administrative Groups > Exchange Administrative Group > Servers > Server Name > Protocols > HTTP

Do not delete it.
Open IIS, and Add Application under Exchange Back End site,
Alias: ecp
Application Pool: MSExchangeECPAppPool
Physical Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp
Select ECP > Authentication.
Ensure that both Anonymous Authentication and Windows Authentication are enabled.


Additional note:
During this process, I also ran into an issue where when I entered in valid credentials to the ECP page, it would redirect me to the logon page of ECP again. Entering invalid credentials, would show the expected error.

To resolve this, all I had to do was enabled Windows Authentication on the ECP site under Exchange Back End.

Wednesday, March 23, 2016

Trust Relationship Issues

This is a pretty common issue that has plagued Windows operating systems in a domain environment for as long as I can remember; the classic fix is to remove the computer from the domain, restart, and rejoin the domain.

With Powershell, comes a much nicer and easier method of doing it.
From the computer having the issue, run Powershell as Administrator (log in with a local account, if you have to, or pull the network cable out to log on, then plug it back in again once you've logged on).

Reset-ComputerMachinePassword -Server <Name of any domain controller> -Credential <domain admin account>

Example: Reset-ComputerMachinePassword -Server DC01 -Credential GARHAR\Administrator

After a reboot, the computer/server should be working fine.

The cause of this can simply be that a second computer has been joined to the domain with the same name, causing the original computer to lose its trust.

The most recent case of this for me was a 2012 R2 RDS server that had been less than 6 months in production. In this case, I do not know what caused it, which happens quite often.

Tuesday, March 22, 2016

Exchange 2013 Mailbox Audit

Tasked with the request to get a list of mailboxes a particular user had access to, I quickly devised a PowerShell command to accomplish this and record the results in a text file.

Get-Mailbox | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'DOMAIN\username') -and ($_.IsInherited -eq $false)} | ft id* > C:\temp\users.txt

Nice, quick, easy.

Exchange CU Update Failure on Transport

Recently I was updating Exchange 2013 at a client site, to CU11.
Everything was ticking along nicely when the installer threw the following error. It's worth noting that this error can happen on any CU update if there is a Receive Connector set to Hub Transport.
Mailbox role: Transport service FAILED The following error was generated when “$error.Clear();
$connectors = Get-ReceiveConnector -Server $RoleFqdnOrName;
foreach($connector in $connectors) { if($connector.MaxLocalHopCount -gt 1) { Set-ReceiveConnector -Identity $connector.Identity -MaxLocalHopCount 5 }};” was run: “Microsoft.Exchange.Management.SystemConfigurationTasks.ReceiveConnectorRoleConflictException: The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector “EX2013SRV2\Test”. Receive connectors assigned to different Transport roles on a single server must listen on unique local IP address & port bindings.

My immediate reaction was to load the ECP and create a new Receive Connector using Front End Transport, instead of Hub Transport. Easy, right? Internal error 500.
No problem, EMS to the rescue. Nope.
Rebooted server. No joy either.
It's at this point I'm wishing I had a second Exchange server onsite, that I could connect to.
Because there was only one Exchange server, the only way around the issue was to use ADSIEdit.msc. A reference to this fix was found at exchangeserverpro.com.
  1. Launch ADSIEdit.msc and connect to Configuration
  2. Browse to Configuration > Services > Microsoft Exchange > Org Name > Administrative Groups > Exchange Administrative Group > Servers > Name > Protocols > SMTP Receive Connectors.
  3. Locate msExchSmtpReceiveRole and change the value from 32 (Hub Transport) to 16384 (Front End Transport)
This allowed me to re-run the update, which picked up where it had failed and completed successfully.
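As an added example (not part of the original post), this script audits the receive connectors straight from the configuration partition, the same objects ADSIEdit edits, so a Hub Transport connector that shares a binding with a Front End connector can be found before CU setup fails, and can be re-roled with Set-ADObject when ECP and EMS are unavailable as they were here. It assumes the ActiveDirectory module; EX2013SRV2 and Test are the server and connector names from the error above, and the role values 32 and 16384 are the ones the post gives.

```powershell
# Added example (not from the original post): audit receive connectors from the
# configuration partition (the objects ADSIEdit edits) for the binding conflict
# that fails CU setup, and optionally re-role a Hub connector to Front End.
# Assumes the ActiveDirectory module; EX2013SRV2 / Test are the names from the post.
Import-Module ActiveDirectory

# msExchSmtpReceiveRole values from the post: 32 = Hub Transport, 16384 = Front End Transport.
$roleNames = @{ 32 = 'HubTransport'; 16384 = 'FrontendTransport' }

function Get-ReceiveConnectorFromAD {
    param([Parameter(Mandatory)][string]$ServerName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchSmtpReceiveConnector)' `
        -Properties msExchSmtpReceiveRole, msExchSmtpReceiveBindings |
        Where-Object { $_.DistinguishedName -like "*,CN=$ServerName,CN=Servers,*" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.Name
                DN       = $_.DistinguishedName
                Role     = $roleNames[[int]$_.msExchSmtpReceiveRole]
                RoleRaw  = $_.msExchSmtpReceiveRole
                Bindings = @($_.msExchSmtpReceiveBindings)
            }
        }
}

function Test-BindingOverlap {
    param([string]$A, [string]$B)
    # Bindings look like 0.0.0.0:25 or [::]:25; split on the last colon only.
    $aAddr, $aPort = $A -split ':(?=\d+$)'
    $bAddr, $bPort = $B -split ':(?=\d+$)'
    if ($aPort -ne $bPort) { return $false }
    if ($aAddr -eq $bAddr) { return $true }
    # A wildcard address overlaps every address of the same family on that port.
    $sameFamily = $aAddr.StartsWith('[') -eq $bAddr.StartsWith('[')
    return $sameFamily -and (($aAddr -in '0.0.0.0', '[::]') -or ($bAddr -in '0.0.0.0', '[::]'))
}

function Find-ReceiveConnectorBindingConflict {
    param([Parameter(Mandatory)][string]$ServerName)
    $connectors = Get-ReceiveConnectorFromAD -ServerName $ServerName
    # Setup's rule: connectors of different roles on one server must not share a binding.
    foreach ($hub in $connectors | Where-Object { $_.Role -eq 'HubTransport' }) {
        foreach ($fe in $connectors | Where-Object { $_.Role -eq 'FrontendTransport' }) {
            foreach ($hb in $hub.Bindings) {
                foreach ($fb in $fe.Bindings) {
                    if (Test-BindingOverlap $hb $fb) {
                        New-Object PSObject -Property @{
                            HubConnector = $hub.Name; HubBinding = $hb
                            FrontEndConnector = $fe.Name; FrontEndBinding = $fb
                        }
                    }
                }
            }
        }
    }
}

Find-ReceiveConnectorBindingConflict -ServerName 'EX2013SRV2' | Format-Table -AutoSize

# The post's ADSIEdit change, scripted: re-role the conflicting Hub connector to
# Front End. Remove -WhatIf to apply.
# $c = Get-ReceiveConnectorFromAD -ServerName 'EX2013SRV2' | Where-Object { $_.Name -eq 'Test' }
# Set-ADObject -Identity $c.DN -Replace @{ msExchSmtpReceiveRole = 16384 } -WhatIf
```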

Email Address Audit

Recently, a client asked for a list of all email addresses currently active on the server.
As anyone in IT can tell you, this would be a nightmarish task for any medium to enterprise company.
These two scripts will be your friend. They work in Exchange 2010, but I haven't tested them in 2007 or 2013.

Export Mailbox Email addresses and Alias.
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ServerName,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}} | Export-CSV c:\temp\smtp.csv -NoTypeInformation
The following will give you a useful list of distribution groups with all their members. This can be typed in, or copied to a .PS1 file and run as a script.
$saveto = "C:\temp\listmembers.txt"

Get-DistributionGroup | sort name | ForEach-Object {

 "`r`n$($_.Name)`r`n=============" | Add-Content $saveto
 Get-DistributionGroupMember $_ | sort Name | ForEach-Object {
  If($_.RecipientType -eq "UserMailbox")
   {
    $_.Name + " (" + $_.PrimarySMTPAddress + ")" | Add-Content $saveto
   }
 }
}

Distributed Ping

I found this useful tool while trying to isolate an issue with DNS not replicating correctly for a client.
One ISP was pointing to the wrong IP address, while everyone else was pointing to the updated IP.
https://asm.ca.com/en/ping.php