Tuesday, April 19, 2016

Mass-UPN Suffix Change

I was recently asked how to fix autodiscover for mobile devices. I hadn't even considered that it wasn't working correctly. It was just a way of life, that when I entered my email address and password in my mobile, it required the server address too. Old habits from Exchange 2003, really.

After this question, it became glaringly obvious that it was a huge oversight for our clients user experience. If a user knows their email and password, why should they have to call up IT, to configure their emails on the phone.

Simple fix. User Principle Name (UPN) Suffix.

There are 2 steps required. First add the new UPN suffix in Domains and Trusts, and then set it as the default, for the users. As I was in the process of rolling it out to all of our clients, I deemed it worth my time to investigate a script to create the new UPN suffix, and then set it by default, per OU.

So, there is no way to set the default UPN to anything other than the conical name, in the domain.
You can change the domain, and perhaps that might be worth looking into for your circumstance, but for me and my clients, definitely not worth the headache.
That aside, this is really the only thing that I can see that would benefit from that.

Below is the script that I managed to come up with. 
There’s 2 sections. 1 to add the UPN, the other to set it based on OU. You can apply it to the root of AD, but I think best practices would be to treat this like GPOs, and apply it to only the OU that it’s required. This also allows modular management, if you have multiple accepted domains in Exchange, with multiple defaults for different users.

If you run this from Active Directory Module for Powershell, you do not need the top line.
I’ve made bold all the bits that are variable. 

Side note: I  have not tested the 2 sections in the same script yet.

Import-Module ActiveDirectory
#Create new UPN.
Set-ADForest -Identity garhar.local -UPNSuffixes @{Add="garhar.com"}

#Current/old suffix
$old = 'garhar.local'

#new suffix
$new = 'garhar.com'

#targeted OU
$ou = "OU=Users,OU=Test,DC=garhar,DC=local"

#AD server
$server = "DC01"

Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
$new = $_.UserPrincipalName.Replace($old,$new)
$_ | Set-ADUser -server $server -UserPrincipalName $new


Friday, April 15, 2016

Event ID 15021 HttpEvent Exchange 2013

Recently a client of mine stopped receiving external emails, 2 days after their SSL had been renewed.
Event logs revealed error 15021 come from HttpEvent, stating "An error occurred while using SSL configuration for endpoint The error status code is contained within the returned data."

Quick and easy fix.

  • From an elevated command prompt, run netsh http show sslcert
  • From the returned content, look for, and copy the certhash and appid details
  • Run netsh http delete sslcert ipport:
  • Run netsh http add sslcert ipport= certhash=xxxxx appid="{xxxxx}"
  • Once you've successfully added the binding, reboot your exchange server, and all will be well.

Monday, April 4, 2016

Exchange 2013 ECP error 500 - Unexpected Error

Recently I discovered one of my clients ECP wasn't loading.
This obviously wasn't effecting mail flow, and ultimately it didn't cause any problems, as we still had EMS access. But some of the technicians who work with me cannot use PowerShell, so I took it upon myself to resolve the issue.

The resolution was to recreate the ECP Virtual Directory. Steps are below.

1) Remove the current ECP.
It's worth noting at this point, that doing this is the same process as it was in Exchange 2010, but you may run into some issues, specifically if you only have the one Exchange server with CAS and Database roles.

From EMS, run the following command Remove-EcpVirtualDirectory -Identity "SERVER\ecp (Default Web Site)"

This command removes the ECP virtual directory located within the default IIS website installed on the Exchange server that you specify with SERVER, but it also removes the ECP VD from the Exchange Back End web site, on the same server.

If you still see ECP under either Default Web Site or Exchange Back End, remove it manually.

2) Re-Create new ECP VD.
The command to create a new ECP VD is New-EcpVirtualDirectory -WebSiteName "Default Web Site" -InternalURL https://servername/ecp -ExternalURL https://mail.domain.com/ecp
At this point, my personal preference is to have Internal and External URLs the same, as it removes the certificate error internally. Not critical, but just something nice for sys admins to deal with.

When I attempted this initially, it returned an error to state that the folder already existed. So I had to open C:\Windows\system32\inetsrv\config\applicationhost.config in Notepad, and remove all configuration lines referring to ECP

Once the command is run successfully, I noticed in IIS that the Exchange Back End ECP VD was still missing. To correct this, I ran New-EcpVirtualDirectory -WebSiteName "Exchange Back End" -InternalURL https://servername/ecp -ExternalURL https://mail.domain.com/ecp

This command returned the following error "The AD configuration for virtual directory 'ecp' already exists"

I fired up ADSIEdit.msc and connected to Configuration, and located the folder in question here:
Services > Microsoft Exchange > First Organization > Administrative Groups > Exchange Administrative Group > Servers > Server Name > Protocols > HTTP

Do not delete it.
Open IIS, and Add Application under Exchange Back End site,
Alias: ecp
Application Pool: MSExchangeECPAppPool
Physical Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp
Select ECP > Authentication.
Ensure that both Anonymous Authentication and Windows Authentication are enabled.

Additional note:
During this process, I also ran into an issue where when I entered in valid credentials to the ECP page, it would redirect me to the logon page of ECP again. Entering invalid credentials, would show the expected error.

To resolve this, all I had to do was enabled Windows Authentication on the ECP site under Exchange Back End.