Exchange 2010 ActiveSync doesn’t work for Domain Admins group members

By default, members of an AD protected group such as Domain Admins or Enterprise Admins cannot use Microsoft ActiveSync with an Exchange 2010 server. They get an error like this: “Result: ActiveSync encountered a problem on the server. Support code: 0x85010014”.

Solution 1: Remove the protected group memberships for this account. More information about protected groups can be found here.

Solution 2: Go to Active Directory Users and Computers and turn on Advanced Features on the View menu. Go to the user account, open the Security tab and click the Advanced button. Then enable Include inheritable permissions from this object’s parent. Now ActiveSync will work.
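To see which accounts are affected before choosing between the two solutions, the following added example (not part of the original post) lists protected accounts that have a mailbox, whether they sync to a phone, and whether ACL inheritance is switched off. It assumes the ActiveDirectory module is available in the same session as the Exchange Management Shell; the report column names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell on a host that also has
# the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

# adminCount=1 marks accounts that are, or once were, members of a protected group.
$protected = Get-ADUser -LDAPFilter '(&(objectCategory=person)(adminCount=1))'

$report = foreach ($user in $protected) {
    # Skip protected accounts that have no mailbox.
    $cas = Get-CASMailbox -Identity $user.DistinguishedName -ErrorAction SilentlyContinue
    if (-not $cas) { continue }

    # AreAccessRulesProtected = $true means "Include inheritable permissions
    # from this object's parent" is unticked on the account.
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    New-Object PSObject -Property @{
        SamAccountName       = $user.SamAccountName
        ActiveSyncEnabled    = $cas.ActiveSyncEnabled
        HasDevicePartnership = $cas.HasActiveSyncDevicePartnership
        InheritanceDisabled  = $acl.AreAccessRulesProtected
    }
}

$report | Sort-Object SamAccountName |
    Format-Table SamAccountName, ActiveSyncEnabled, HasDevicePartnership, InheritanceDisabled -AutoSize
```

Accounts that show InheritanceDisabled as True and still need a phone are the candidates for Solution 1, ideally by giving the person a separate non-privileged mailbox account. Active Directory's AdminSDHolder process periodically re-applies the protected ACL to current members of protected groups, so rerun the report after applying Solution 2 to confirm the setting held.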

 

Performing a Remote Mobile Wipe with Exchange server 2010

  • Open the Exchange Management Console (EMC)
  • Expand Microsoft Exchange On-Premises.
  • Expand Recipient Configuration.
  • Click Mailbox.
  • Right-click the user and select Manage Mobile Phone.

In the Manage Mobile Phone Wizard, verify that the device that needs to be wiped is selected. If it isn’t, single-click to select it.

  • Under Action, click the radio button next to Perform a remote wipe to clear mobile phone data.
  • Click the Clear button.
  • Click Yes when prompted to confirm “Are you sure you want to clear the device for {device name}.”

The wizard will proceed to the completion screen where you should be presented with a message indicating the successful remote wipe command has been queued. Look closely and you’ll also notice the actual PowerShell cmdlet that’s executed by the GUI. Recall that Exchange 2010 is built to leverage the “power” of PowerShell; the GUI really just acts as a point and click front-end for the shell. Remote wipes are no exception, as they can be handled quite succinctly via two Exchange cmdlets: Get-ActiveSyncDevice and Clear-ActiveSyncDevice. Let’s jump right into that now.
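The shell version of the same wipe, as an added example that is not part of the original article: it picks one device for a mailbox, queues the wipe, and then tracks it to acknowledgement. The mailbox alias, device ID and notification address are placeholders.

```powershell
# Added example for the Exchange 2010 Management Shell.
# Replace the three placeholder values before use.
$mailbox  = 'jsmith'
$deviceId = 'REPLACE-WITH-DEVICE-ID'
$notify   = 'helpdesk@contoso.com'

# 1. List every ActiveSync partnership for the mailbox with its last sync time,
#    so the lost device can be told apart from the user's other devices.
$devices = Get-ActiveSyncDevice -Mailbox $mailbox
$devices | ForEach-Object { Get-ActiveSyncDeviceStatistics -Identity $_.Identity } |
    Format-Table DeviceType, DeviceModel, DeviceID, LastSuccessSync -AutoSize

# 2. Select exactly one device; stop if the ID matches none or several.
$target = @($devices | Where-Object { $_.DeviceId -eq $deviceId })
if ($target.Count -ne 1) {
    throw "Expected exactly one device with ID $deviceId, found $($target.Count)."
}

# 3. Dry run first, then queue the wipe (the cmdlet asks for confirmation).
#    The notification address receives a mail once the device acknowledges.
Clear-ActiveSyncDevice -Identity $target[0].Identity -NotificationEmailAddresses $notify -WhatIf
Clear-ActiveSyncDevice -Identity $target[0].Identity -NotificationEmailAddresses $notify

# 4. Track progress: request queued -> command sent to device -> device acknowledged.
Get-ActiveSyncDeviceStatistics -Identity $target[0].Identity |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. A wipe queued against the wrong device can be withdrawn before it is sent:
#    Clear-ActiveSyncDevice -Identity $target[0].Identity -Cancel
#    Once DeviceWipeAckTime is set, remove the partnership so the device is not
#    wiped again the next time it connects:
#    Remove-ActiveSyncDevice -Identity $target[0].Identity
```

The wipe only executes when the device next contacts the server, so an empty DeviceWipeAckTime means the data is still on the device.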

Transferring Certificates from Exchange 2003/2007 to Exchange 2010


Problem

As a rule most of my clients use self-signed certificates (even though you can buy certs cheap as chips these days). If you have paid for a certificate I can see why you would want to transfer it to the new Exchange box, though if you’re using self-signed certificates, it’s a simpler task to create a new one. But I was asked, and what you guys ask for, I will work out how to do 🙂

Solution

Export Certificate from Exchange 2007

1. To see which certificates are being used for which services, launch “Exchange Management Shell” and issue the following command:

Get-ExchangeCertificate

2. Take a note of the certificate’s thumbprint (copy it to Notepad).

Note: The Letters mean
I – IMAP
P – POP
U – Unified Messaging
W – WEB (IIS)
S – SMTP

3. To export the certificate, run the following command (put in your own certificate thumbprint).

# The password typed at the credential prompt becomes the password that protects exported.pfx
Export-ExchangeCertificate -Thumbprint 1D5B46DBA10E2669327498BFB9F56146A47256CC -BinaryEncoded:$true -Path c:\exported.pfx -Password:(Get-Credential).password

4. Enter your domain credentials.

5. Your exported certificate is now on the root of C: and called exported.pfx

 

Export Certificate from Exchange 2003

1. Click Start > mmc {enter} > File > Add/Remove Snap-in.

2. Add > Certificates > Add > Select “Computer account” > Next.

3. Accept the default of “Local computer” > Finish > Close > OK.

4. Expand Certificates > Personal > Certificates > locate the cert you are using for OWA etc.

5. Check the expiration date if you are unsure.

6. In the certificates console right click your certificate > All Tasks > Export.

7. At the welcome page > Next > Select “Yes, export the private key” > Next > Next > Leave password blank > Next > Choose where to save it > Save.

8. Next > Finish > It should say that it was successful.

 

 

Import your Certificate into Exchange 2010

1. Copy your exported.pfx file to the root of the Exchange servers C: Drive.

2. Launch Exchange Management Shell > Issue the following command,

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\exported.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).password

Or, if you exported the certificate from Exchange 2003:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\exported.pfx -Encoding Byte -ReadCount 0))

Exchange 2003 Certificate Import (without a password prompt).

Exchange 2007 and 2010 Certificate Import

4. Then to enable the certificate use the following command > and Press “A” to confirm.

Get-ExchangeCertificate -DomainName mail.domainc.com | Enable-ExchangeCertificate -Services IIS,SMTP

5. Now your OWA, Active-Sync etc, will be using the imported certificate.
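A check to wrap around the import, as an added example that is not from the original post: it opens exported.pfx to confirm it is the expected certificate with a private key, confirms what Exchange ended up with, and removes the key file from the root of C:. The function name Test-ExportedPfx is illustrative.

```powershell
# Added example. Test-ExportedPfx is an illustrative helper, not an Exchange cmdlet.
function Test-ExportedPfx {
    param(
        [string]$Path = 'c:\exported.pfx',
        # For an Exchange 2003 export made with a blank password, pass
        # (New-Object System.Security.SecureString) instead.
        [System.Security.SecureString]$Password
    )

    # Open the PFX without adding it to any certificate store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $pfx.Import($Path, $Password, $flags)

    $summary = New-Object PSObject -Property @{
        Subject       = $pfx.Subject
        Thumbprint    = $pfx.Thumbprint
        NotAfter      = $pfx.NotAfter
        HasPrivateKey = $pfx.HasPrivateKey
        Expired       = ($pfx.NotAfter -lt (Get-Date))
    }
    $pfx.Reset()   # release the key material held by this object
    $summary
}

# 1. Before Import-ExchangeCertificate: is this the right file, and is it usable?
$check = Test-ExportedPfx -Path 'c:\exported.pfx' -Password (Get-Credential).Password
$check | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
if (-not $check.HasPrivateKey) { throw 'The PFX holds no private key, so Exchange cannot use it.' }
if ($check.Expired)            { throw "The certificate expired on $($check.NotAfter)." }

# 2. After Import-ExchangeCertificate and Enable-ExchangeCertificate: the same
#    thumbprint should now be listed with the IIS and SMTP services assigned.
Get-ExchangeCertificate -Thumbprint $check.Thumbprint |
    Format-List Thumbprint, Services, Status, NotAfter, CertificateDomains

# 3. exported.pfx contains the private key. Remove the copy from the root of C:
#    on the new server, and the original on the old server, once the import works.
Remove-Item -Path 'c:\exported.pfx' -Confirm
```

Comparing the thumbprint with the one noted from Get-ExchangeCertificate on the old server confirms that the right certificate made the trip.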

 

References – Credits – Or External Links
Technet

MikePfeiffer.net

Thanks to Rick Faria for pointing out this info was missing from the site 🙂

Upgrading Exchange 2010 to new hardware (Exch2010 to Exch 2010)

1. Move the mailboxes.

Creating Move Requests using the Exchange Management Console

Launch the Exchange Management Console and navigate to Recipient Configuration/Mailbox.

Select a mailbox, or hold the CTRL key to select multiple mailboxes to move as a group.

Selecting mailboxes to move in the Exchange Management Console

In the Actions pane click on New Local Move Request.  Local Move Requests are for moves within the same Exchange organization.

Start a new Local Move Request

All of the mailboxes selected for the New Local Move Request wizard will be moved to the same target mailbox database.  Click the Browse button to choose a target mailbox database.

Browse to select a target mailbox database

Select the mailbox database to move the pilot group to and then click OK.  Click Next to continue.

Choose the target mailbox database

Leave the Move Settings as the default settings and click Next to continue.  If you encounter issues with corrupt items you may need to create a new move request for those mailboxes and choose to skip corrupted messages.

Configure the settings for the mailbox move requests

Review the list of mailboxes that will be moved and then click New to create the move requests.

Review the mailboxes to be moved

Click Finish to close the wizard.

The move requests are created and will be processed by the Exchange server.  You can view the status of the move requests in the Exchange Management Console under Recipient Configuration/Move Request.

View the status of the mailbox move requests

Right-click a move request and choose Properties to see the status of that move request.

View the progress of a mailbox move request

 

2. Move the public and system folders.

 

This is a really tough task when you want to move a public folder database from one server to another in Exchange Server 2007 or Exchange Server 2010. Before starting the activity you have to create one public folder on the server.

 

Step-1: After creating the public folder, change to the Exchange scripts directory and then run the MoveAllReplicas.ps1 script:

cd "\Program Files\Microsoft\Exchange Server\V14\Scripts"
.\MoveAllReplicas.ps1 -Server Server1 -NewServer server2

After the script has run, your public folders will move.

Step-2: Verify whether the public folders have moved by running the following command against the old server:

Get-PublicFolderStatistics -Server Server1

If it shows nothing, your public folders have moved to the destination server.

Step-3: To get a listing of all system folders on this database, run the command

Get-publicfolder \NON_IPM_SUBTREE -recurse |ft Name,Replicas

 

Step-4: Then set the default public folder database to the one on the server you have moved to, using the following steps:

  1. In the console tree, navigate to Organization Configuration > Mailbox.
  2. In the result pane, select the mailbox database for which you want to change the default public folder database.
  3. In the action pane, under the mailbox database name, click Properties.
  4. In Properties, click the Client Settings tab.
  5. Next to the Default public folder database box, click Browse.
  6. In Select Public Folder Database, select the public folder database from the list of public folder databases, and then click OK.
  7. Click OK

Step-5: Remove the old public folder.

3. Move the connectors.

You can change the source transport server on your send connector(s) to the new server.

For the receive connectors, create any additional/custom ones on the new server and direct the hosts that use them to the new server. Hopefully they’ve been using a DNS alias for this, so you can just update that one DNS alias. If not, consider doing that from this point forward.

You’ll also need to look at any external URLs for services such as OWA and ActiveSync, and at how you’ve published those to the internet.

 

4. Change all CNAME records (webmail, autodiscover) to point to new server.

 

 

5. Change all SMTP devices to route to the new server.

6. Change OAB Generation server.

 

7. Remove the databases from the old server.

 

<1>Run the following command to find all the arbitration mailboxes:

Get-Mailbox -Database "Database Name" -Arbitration

<2>If there are some arbitration mailboxes, move them to different databases and then delete the database again

Get-Mailbox -Database "Mailbox Database" -Arbitration | New-MoveRequest -TargetDatabase "New Mailbox Database"

<3>If all above don’t work, you can use ADSIEDIT tool to delete mailbox database:

1.        Open Adsiedit.msc

2.        Connect to the configuration partition.

3.        Expand Configuration-Services-Microsoft Exchange-<Organization Name>-Administrative Groups-Servers-<Messaging Server name>-Information Stores.

4.        Delete the appropriate database.

 

8. Uninstall Exchange Server.

9. Shut down the old server.

How to set Outlook to download only E-mail headers

This enables you to browse through your e-mails without actually having to download all the e-mails and their attachments in their entirety, which can often be a lengthy task.

To configure Outlook to download only the e-mail headers, do the following:

    1.    On the Send / Receive tab, in the Send & Receive group, choose Send/Receive Groups:

Send and Receive in Outlook 2010

    2.    In the Send/Receive Group list, choose Define Send/Receive Groups… (or press Ctrl+Alt+S):

Send/Receive Groups in Outlook 2010

    3.    Select a group to modify and click Edit….

    4.    From the Accounts section on the left side of the dialog box, you can select the mail account that you want to modify the settings for.

Send/Receive Settings

    5.    Select a folder from the list of folders in the Folder Options section and then choose the option Download headers only.

It is possible to have a different setting for each folder in an account, so, for example, you could set Outlook to download only headers in a folder that you know gets a large volume of e-mails.

Removing managed mailboxes from an Outlook profile

Following a server migration, an administrator had users’ mailboxes showing up in his profile. This was the result of giving himself Full Access permission to the mailboxes during the migration.

When a user has Full Access permission to another user’s mailbox, Outlook 2007 and above automatically opens the mailbox in the profile. (The mailboxes were not listed as secondary mailboxes in Account Settings.)

The administrator removed Full Access permission for the mailboxes but this didn’t remove the accounts from his profile.

Following an Exchange server upgrade, I have several users’ mailboxes in my profile. I cannot close the mailboxes. The accounts are not listed as additional mailboxes in my profile. I removed Full Access permissions. Any idea of how to get rid of these extra mailboxes?

Edit the user account in ADUC

You need to edit the user accounts in the Active Directory and remove your name from the MsExchDelegateListLink attribute.

  1. Open Active Directory Users and Computers
  2. Go to View menu and select Advanced Features
  3. Open the user account that is showing in your mailbox (in the screenshot, my mailbox is in Mary’s profile)
  4. Open the Properties dialog
  5. Click Attribute Editor tab
  6. Locate MsExchDelegateListLink
  7. Click Edit
  8. Remove your name from the attribute
  9. Close the dialogs
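When many mailboxes were touched during a migration, the same cleanup can be scripted. This added example (not from the original article) finds every mailbox whose MsExchDelegateListLink still names a given delegate, checks whether that delegate still holds an explicit Full Access entry, and previews removal of the stale links. It assumes the ActiveDirectory module alongside the Exchange Management Shell; 'admin1' is a placeholder and ConvertTo-LdapFilterValue is an illustrative helper.

```powershell
# Added example. Needs the ActiveDirectory module and the Exchange Management Shell.
Import-Module ActiveDirectory

$delegate = Get-ADUser -Identity 'admin1'   # placeholder: the account seeing extra mailboxes

# Escape characters that have special meaning in an LDAP filter (backslash first),
# so a DN such as "CN=Smith\, John,..." is matched literally.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Every mailbox user whose MsExchDelegateListLink names the delegate,
# i.e. every mailbox Outlook will auto-open in the delegate's profile.
$dnFilter = ConvertTo-LdapFilterValue $delegate.DistinguishedName
$linked   = Get-ADUser -LDAPFilter "(msExchDelegateListLink=$dnFilter)"

$report = foreach ($mbx in $linked) {
    # Explicit (not inherited) allow entries granting the delegate Full Access.
    $fullAccess = Get-MailboxPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            $_.User -like "*\$($delegate.SamAccountName)" -and
            -not $_.Deny -and -not $_.IsInherited -and
            ($_.AccessRights -like '*FullAccess*')
        }

    New-Object PSObject -Property @{
        Mailbox               = $mbx.SamAccountName
        DistinguishedName     = $mbx.DistinguishedName
        HasExplicitFullAccess = [bool]$fullAccess
    }
}

$report | Format-Table Mailbox, HasExplicitFullAccess -AutoSize

# A link without the matching permission is left over from the migration.
# -WhatIf previews the change; remove it to apply.
$report | Where-Object { -not $_.HasExplicitFullAccess } | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName `
        -Remove @{ msExchDelegateListLink = $delegate.DistinguishedName } -WhatIf
}
```

Rows where HasExplicitFullAccess is still True are worth a second look after a migration, since they show Full Access grants that were never rolled back.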

Keep FullAccess Mailboxes from being AutoMapped

Not everyone likes automapping of mailboxes. It’s great for the end-user: the mailboxes they have permission to open are automatically added to their profile, avoiding the need to go into the profile and add the secondary mailbox manually. But not everyone wants to see the shared mailbox in their profile.

It’s possible to give a user full access to a mailbox without automapping by adding –AutoMapping $False parameter to the Add-MailboxPermission cmdlet.

 

Add-MailboxPermission "shared-mailbox" -User "alias" -AccessRights FullAccess -AutoMapping $False

Exclude DC from DSAccess of Exchange Server

By default, DSAccess or ADAccess chooses the primary domain controller (PDC) emulator operations master role computer to handle requests in Microsoft Exchange. This action may result in poor performance if other non-Exchange programs are making heavy use of the PDC emulator.

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Microsoft Exchange 2000 Server and later versions

To resolve this problem in Exchange 2000 Server and later versions, add the MinUserDC registry value to exclude the PDC emulator from the server list that Exchange can use.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To add the MinUserDC registry value, follow these steps:

  1. Start Registry Editor.
  2. Locate and then click the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeDSAccess\Profiles\Default

    Note In Exchange Server 2007 and in Exchange Server 2010, locate the MSExchangeADAccess subkey instead of the MSExchangeDSAccess subkey.

  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MinUserDC
    Data type: REG_DWORD
    Value data: As required

    Note The MinUserDC entry determines how many total user domain controllers must be available for PDC emulator exclusion to turn on. The value data that is configured for the MinUserDC registry entry is the maximum number of domain controllers to contact before the PDC emulator is contacted. For example, when you set MinUserDC to 4, this configures DSAccess to exclude the PDC emulator only when a total of four domain controllers are available. When this condition is met, the PDC emulator is excluded from use, and DSAccess communicates only with the remaining three domain controllers.

  4. Exit Registry Editor.

Notes

  • You have to apply the registry change that this article describes regardless of the service pack that is installed.
  • In Exchange Server Enterprise Edition, the Profiles subkey and the Default subkey are not available. You must create these subkeys in Exchange Server Enterprise Edition.
  • When you determine a value for MinUserDC, consider the equation n – 1, where n is equal to the total number of domain controllers in the site. This number includes the PDC emulator. Subtract 1 from this number, and the result should be the value that you enter for MinUserDC.

Method 2: Exchange Server 2007 and Exchange Server 2010

In Exchange Server 2007 and in Exchange Server 2010, you can use a cmdlet to configure the ADAccess component to exclude a particular domain controller or a list of domain controllers from use. To do this, use the Set-ExchangeServer command together with the StaticExcludedDomainControllers option.

The following example shows how to use the Set-ExchangeServer command to exclude one or more domain controllers from use. Additionally, this example shows how to verify the status of the Exchange environment after you run the Set-ExchangeServer command.

In this example, you have the following servers:

Host name | Domain | Role
E2K7-1 | contoso.com | Exchange Server 2007
DC-1 | contoso.com | domain controller together with PDC operations master
DC-2 | contoso.com | domain controller
DC-3 | contoso.com | domain controller

To use the Set-ExchangeServer command to exclude the three domain controllers that are listed in this table from use for the DSAccess component, follow these steps:

  1. Start the Exchange Management Shell. To do this, click Start, point to All Programs, point to Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  2. At the command prompt, type the following command, and then press Enter:
    Set-ExchangeServer -identity E2K7-1.contoso.com -StaticExcludedDomainControllers:dc-1.contoso.com,dc-2.contoso.com,dc-3.contoso.com

    This command excludes DC-1, DC-2, and DC-3 from use by the server that is named E2K7-1.

    Note In this command, specify the fully qualified domain names of the individual domain controllers by using a comma-separated list that does not contain spaces between each entry.

  3. To verify the list of excluded domain controllers, type the following command, and then press Enter:
    Get-ExchangeServer -identity E2K7-1.contoso.com -status | fl Name, StaticExcludedDomainControllers

Note If you want to remove the changes that you have made and revert to the default behavior of Exchange, type the following command at the Exchange Management Shell prompt, and then press Enter:

Set-ExchangeServer -identity E2K7-1.contoso.com -StaticExcludedDomainControllers:$null

 

Updating Client Access Servers to Exchange 2010 SP3

Microsoft has released Service Pack 3 for Exchange Server 2010. This is a significant release that delivers some key functionality to customers such as support for Windows Server 2012, support for co-existence with Exchange Server 2013 CU1, and general bug fixes and security updates.

If you are planning to upgrade your Exchange 2010 servers to SP3 you should be aware that there is an Active Directory schema update involved. If that is a concern for your environment, but you still want the bug fixes and security updates, you might consider sticking with Service Pack 2 and applying Update Rollup 6 instead.

At the time of this writing there are some points in the various release notes that aren’t correct or fully updated yet that Microsoft are still working on or that are worth some clarification:

  • Exchange 2010 SP3 is listed as including all security bug fixes up to SP2 UR5-v2. It actually includes all security and bug fixes up to SP2 UR6.
  • The SP3 release notes state you can only install on Windows Server 2008 SP2 or 2008 R2. You can actually install on Windows Server 2012, although exact pre-requisite guidance may not be available yet.
  • The support for Windows Server 2012 includes both the installation of SP3 on Server 2012, and the interoperability of Exchange 2010 SP3 with Server 2012 domain controllers.
  • The support for Windows Server 2012, which ships with PowerShell 3, does not mean that Exchange 2010 SP3 also supports upgrading to PowerShell 3 on other operating systems.
  • The co-existence support for Exchange 2013 does not apply to Exchange 2013 RTM, but rather Exchange 2013 CU1 (cumulative update 1) due for release in Q1 of 2013 (within about 6 weeks from the time of this writing)

Preparing to Upgrade to Exchange 2010 SP3

You can download Exchange 2010 Service Pack 3 here and extract the files ready to be installed on your servers.

Upgrade your servers in the following order:

  1. Client Access servers (beginning with the internet-facing site)
  2. Hub Transport and Edge Transport servers
  3. Mailbox servers
  4. Unified Messaging servers

You should also plan to update any management tools installations you have on admin workstations or servers, and also check your third party applications that integrate with Exchange in case they also need updated management tools.

I’m going to walk through the upgrade process in some more detail next, and also provide some general guidance afterwards about the Service Pack 3 installation steps as well as what to expect in terms of timing and service interruptions.

Applying the Schema Update

If you have an AD forest topology with multiple domains, or process restrictions that require schema updates to be managed a certain way, you can apply the Exchange 2010 SP3 schema update on a 64-bit domain controller that is in the same AD site as the Schema Master, using an account with Schema Admins and Enterprise Admins rights.

C:\Admin\Ex2010SP3>setup.exe /PrepareAD

Otherwise the schema update will be applied when you upgrade the first Exchange server.

Updating Client Access Servers to Exchange 2010 SP3

Client Access servers are the first server role to update, and you should begin with the internet-facing site if you have multiple sites in your organization.

For Client Access servers that are in a CAS Array you should remove some of the servers (eg half of them) from the load balancer configuration, upgrade them, re-add them to the load balancer, then repeat the process with the remaining Client Access servers in that load balanced array.

For an example of how to do this with Windows NLB see the following article:

For other load balancers refer to your vendor documentation for how to take servers out of the load balanced array for maintenance and updates.

Updating Mailbox Servers to Exchange 2010 SP3

I admit I was concerned when I read the release notes for Exchange 2010 SP3 that state:

The database schema has been updated in Exchange 2010 SP3. As a result, when Mailbox servers are upgraded to Exchange 2010 SP3, the databases are upgraded to the Exchange 2010 SP3 version of the database schema…

During the upgrade, the database is dismounted, and all mailboxes in that database are taken offline.

This seemed to be a major issue to me until I performed the upgrade in my test lab. The statement above is correct for standalone mailbox servers, which is expected.

However for an Exchange 2010 Database Availability Group the upgrade process can be performed with no downtime following the normal process of moving active databases off DAG members while they are being updated.

You can use the standard process as demonstrated here:

However, be aware that once a database has been made active on an Exchange 2010 SP3 member of the DAG, it can’t be made active on a pre-SP3 DAG member again. This means that you will need to roll through your entire DAG upgrading to Service Pack 3 to retain the full availability resilience your DAG is designed to provide.

Upgrading Other Server Roles to Exchange 2010 SP3

For Hub Transport, Edge Transport, and Unified Messaging servers there are no special steps required other than to manage your upgrades in a way that aligns with whatever high availability you have in place for those server roles. For example if you have two Hub Transport servers in a site, upgrade them one at a time.

Exchange 2010 Service Pack 3 Step by Step

The upgrade steps are very straightforward and easy to follow. Extract the SP3 files to a folder and run Setup.exe. When the splash dialog appears click Install Microsoft Exchange Server upgrade.


You’ll need to click through the usual introduction and license agreement.


Next the Readiness Checks will be performed. Any errors will prevent you from proceeding. Warnings will not prevent you from proceeding, but you should pay attention to them anyway as they are often important.

Remember, if you’re upgrading CAS Array or DAG members refer to the guidance above.

Click Upgrade when you’re ready to proceed.


The actual installation time will vary depending on the server roles installed, and whether you’re upgrading from a very recent or much older Service Pack level of Exchange.


When the installation has all completed successfully click the Finish button.


Each of my test lab servers took between 20 and 30 minutes to upgrade, but your performance will no doubt vary.

Exchange Server 2010 Build Numbers and Release Dates

To view the build number for the version of Exchange 2010 that you’re running, run the following command in the Exchange Management Shell:

Get-ExchangeServer | fl name,edition,admindisplayversion
Note:
After you install an update rollup for Exchange 2010, the version of Exchange Server isn’t updated to show that the update rollup is installed. This issue occurs because the version number that is displayed by the Exchange Management Console or by other administrative mechanisms is obtained from the Exchange Server Object in Active Directory.

For information about the servicing strategy for Exchange 2010, see Exchange 2010 Servicing. For more information about installing an update rollup for Exchange 2010, see Install the Latest Update Rollup for Exchange 2010.

Exchange Server 2010 SP3 build numbers

Product name | Release date | Build number
Microsoft Exchange Server 2010 Service Pack 3 (SP3) | February 12, 2013 | 14.03.0123.004

Exchange Server 2010 SP2 build numbers

Product name | Release date | Build number
Update Rollup 6 for Microsoft Exchange Server 2010 Service Pack 2 (SP2) | February 12, 2013 | 14.02.0342.003
Update Rollup 4 v2 for Exchange Server 2010 Service Pack 2 | October 9, 2012 | 14.02.0318.004
Update Rollup 4 for Exchange Server 2010 Service Pack 2 | August 13, 2012 | 14.02.0318.002
Update Rollup 3 for Exchange Server 2010 Service Pack 2 | May 29, 2012 | 14.02.0309.002
Update Rollup 2 for Exchange Server 2010 SP2 | April 16, 2012 | 14.02.0298.004
Update Rollup 1 for Exchange Server 2010 SP2 | February 13, 2012 | 14.02.0283.003
Exchange Server 2010 SP2 | December 4, 2011 | 14.2.247.5

Exchange Server 2010 SP1 build numbers

Product name | Release date | Build number
Update Rollup 7 v2 for Exchange Server 2010 SP1 | October 10, 2012 | 14.01.0421.002
Update Rollup 7 for Exchange Server 2010 SP1 | August 8, 2012 | 14.01.0421.000
Update Rollup 6 for Exchange Server 2010 SP1 | October 27, 2011 | 14.01.0355.002
Update Rollup 5 for Exchange Server 2010 SP1 | August 23, 2011 | 14.1.339.1
Update Rollup 4 for Exchange Server 2010 SP1 | July 27, 2011 | 14.1.323.6
Update Rollup 3 for Exchange Server 2010 SP1 | April 6, 2011 | 14.01.0289.007
Update Rollup 2 for Exchange Server 2010 SP1 | December 9, 2010 | 14.01.0270.001
Update Rollup 1 for Exchange Server 2010 SP1 | October 4, 2010 | 14.1.255.2
Exchange Server 2010 SP1 | August 23, 2010 | 14.01.0218.015

Exchange Server 2010 RTM build numbers

Product name | Release date | Build number
Update Rollup 5 for Exchange Server 2010 | December 13, 2010 | 14.0.726.0
Update Rollup 4 for Exchange Server 2010 | June 10, 2010 | 14.0.702.1
Update Rollup 3 for Exchange Server 2010 | April 13, 2010 | 14.0.694.0
Update Rollup 2 for Exchange Server 2010 | March 4, 2010 | 14.0.689.0
Update Rollup 1 for Exchange Server 2010 | December 9, 2009 | 14.0.682.1
Exchange Server 2010 | November 9, 2009 | 14.00.0639.021

 

Connecting the Disconnected in Exchange 2010

In Exchange 2010 (2003 and 2007 as well) we have the option to “remove” the mailbox of a mailbox user (remove is quoted, because the action itself is called Disable). What really happens when you disable a mailbox is that the mailbox is disassociated from the related user object in Active Directory by removing the user object’s Exchange attributes. The mailbox is also said to be ‘orphaned’ because it has no associations with a user object. During the maintenance cycle, the mailbox will be marked for removal.

Mailbox Retention

After disabling a mailbox it will still be present in the mailbox store and it is marked for removal. During maintenance, the MSExchangeIS process will check for mailboxes marked for removal and which are past their retention period. The retention period is a configurable setting and by default it is set to 30 days, meaning you can recover deleted mailboxes within 30 days.

In order to configure the mailbox retention setting from the Exchange Management Console in Exchange 2010, navigate to Organization Configuration > Mailbox and then select the database in the Database Management tab. Select its Properties and configure the “Keep deleted mailboxes for (days)” setting on the Limits tab:

Now on to the fun part. For starters, we will have a user with a mailbox and without a personal archive, like in the pre-Exchange 2010 era. Nothing new here, from the Exchange Management Shell we can disable the mailbox by selecting it and selecting Disable.

Disable-Mailbox <UserID>

Do not make the mistake of using the Remove-Mailbox cmdlet, which is similar to the possible confusion in the Exchange Management Console as mentioned earlier. A useful addition to the Remove-Mailbox cmdlet when compared to the Remove action found in the Exchange Management Console is that you can use Remove-Mailbox in conjunction with the Permanent parameter to immediately remove the mailbox, without having to wait through the “Deleted Mailbox Retention” period. It is not possible to recover the mailbox once you have done this.

You can also use the Remove-Mailbox cmdlet to permanently remove disconnected mailboxes without needing to wait for the retention period to expire. To use this we need to specify the mailbox Database as well as the ExchangeGuid:

Remove-Mailbox -Database <DatabaseID> -StoreMailboxIdentity <ExchangeGuid>

Disconnected mailboxes appear in the Disconnected Mailbox view in Exchange Management Console (if the naming were consistent, this would be called Disabled Mailbox). We can right click on a disconnected mailbox, select Connect and choose a matching user or a different user to which to connect the mailbox. A matching user will be based on matching values in the LegacyExchangeDN or DisplayName properties. When selecting a different user the requirement is that the user must not already have a mailbox connected.

Note that disconnected mailboxes may not show up immediately because of delays caused by replication or if the status of the mailbox hasn’t been updated in the store yet. To scan Active Directory for disconnected mailboxes and update the status in the store accordingly, you can use the Clean-MailboxDatabase cmdlet, e.g.

Get-MailboxDatabase | Clean-MailboxDatabase

Perhaps unnecessary to say, but don’t select Remove to remove a mailbox. The Remove option will not only disconnect the mailbox but will also delete the associated user object. You will not be the first to accidentally remove the user object when you only intended to remove the mailbox selecting the Remove option. After all, you are in a Mailbox view so Remove implies removing a mailbox. The action Disable is also improper naming since it doesn’t disable the mailbox but marks the mailbox for deletion. After the retention period it will be deleted permanently. That’s not what “Disable” implies. After all, disabled user accounts are not deleted from the Active Directory after their tombstone expires.

To disable a mailbox from the Exchange Management Shell use the Disable-Mailbox:

Cleanup

Finally, if you want to clean up (i.e. purge) all disconnected mailboxes and archives in an organization and don’t want to wait for their retention period to expire, use the following cmdlets:

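# Collect every disconnected mailbox in the organization
$disMbx = Get-MailboxDatabase | Get-MailboxStatistics | where { $_.DisconnectDate -ne $null }
# Permanently remove each one from its database
$disMbx | % { Remove-Mailbox -Database $_.DatabaseName -StoreMailboxIdentity $_.MailboxGuid }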

The first operation retrieves all disconnected mailboxes in the organization and assigns the variable $disMbx to it. The second operation loops through all entries in $disMbx and removes them one by one (the percentage symbol is an alias for foreach-object). Needless to say, perform this action only after creating a proper backup of your Exchange environment.
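Because the purge cannot be undone, it helps to review what would be removed first. This added example (not from the original article) reports every disconnected mailbox with the date its own database would purge it, saves that report, and previews removal only for mailboxes disconnected longer than a chosen threshold. The 14-day threshold and the CSV path are assumptions to adjust.

```powershell
# Added example for the Exchange 2010 Management Shell.
$minDaysDisconnected = 14                                # assumption: purge threshold
$reportPath          = '.\disconnected-mailboxes.csv'    # assumption: where the record is kept

$candidates = foreach ($db in Get-MailboxDatabase) {
    # "Keep deleted mailboxes for (days)" of this database. Parsed from text so it
    # also works on the deserialized objects of a remote shell session.
    $retention = [TimeSpan]::Parse($db.MailboxRetention.ToString())

    Get-MailboxStatistics -Database $db.Name |
        Where-Object { $_.DisconnectDate -ne $null } |
        ForEach-Object {
            $disconnected = [datetime]$_.DisconnectDate
            New-Object PSObject -Property @{
                DisplayName      = $_.DisplayName
                DatabaseName     = $db.Name
                MailboxGuid      = $_.MailboxGuid
                DisconnectDate   = $disconnected
                DaysDisconnected = [math]::Floor(((Get-Date) - $disconnected).TotalDays)
                AutoPurgeAfter   = $disconnected + $retention
            }
        }
}

# Keep a record of what existed before anything is purged.
$candidates | Sort-Object DisconnectDate |
    Select-Object DisplayName, DatabaseName, MailboxGuid, DisconnectDate, DaysDisconnected, AutoPurgeAfter |
    Export-Csv -Path $reportPath -NoTypeInformation

$candidates | Sort-Object DisconnectDate |
    Format-Table DisplayName, DatabaseName, DaysDisconnected, AutoPurgeAfter -AutoSize

# Preview the purge for mailboxes past the threshold. Remove -WhatIf to execute;
# Remove-Mailbox will still prompt for confirmation on each mailbox.
$candidates | Where-Object { $_.DaysDisconnected -ge $minDaysDisconnected } | ForEach-Object {
    Remove-Mailbox -Database $_.DatabaseName -StoreMailboxIdentity $_.MailboxGuid -WhatIf
}
```

Mailboxes below the threshold are left for the retention period to handle, which keeps recently disabled mailboxes recoverable if one was disconnected by mistake.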