Exchange 2010 ActiveSync doesn't work for domain admin group members

By default, members of an AD protected group such as Domain Admins or Enterprise Admins cannot use Microsoft ActiveSync against an Exchange 2010 server. They get an error like this: "Result: ActiveSync encountered a problem on the server. Support code: 0x85010014".

Solution 1: Remove the protected group memberships for this account; more information about protected groups can be found here.

Solution 2: Go to Active Directory Users and Computers and turn on Advanced Features on the View menu. Open the user account, go to the Security tab and click the Advanced button. Then enable "Include inheritable permissions from this object's parent". Now ActiveSync will work.
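As an added example (not from the original post), the following PowerShell lists the accounts that AdminSDHolder protects and still have inheritance blocked, and scripts Solution 2 for a single account. It assumes the ActiveDirectory module from RSAT on a domain-joined machine; the account name at the end is constructed. One caveat a practitioner will want: the SDProp process re-stamps the AdminSDHolder ACL onto every adminCount=1 account roughly once an hour, so inheritance re-enabled this way is cleared again while the account stays in a protected group, which makes Solution 1 (a separate, non-privileged account for mail) the durable fix.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) on a domain-joined machine, run as a user who can read AD ACLs.
Import-Module ActiveDirectory

# Groups whose members AdminSDHolder protects (the set that triggers 0x85010014).
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

function Get-ProtectedAccountReport {
    # adminCount=1 marks an account SDProp has stamped; AreAccessRulesProtected is
    # true when inheritance is blocked on its ACL, which is what breaks ActiveSync.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $u = $_
            $groups = (Get-ADPrincipalGroupMembership -Identity $u.DistinguishedName).Name |
                      Where-Object { $protectedGroups -contains $_ }
            [PSCustomObject]@{
                SamAccountName     = $u.SamAccountName
                InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
                ProtectedGroups    = ($groups -join ', ')
            }
        }
}

function Enable-AclInheritance {
    # Solution 2 from the post, scripted. SDProp undoes this within about an hour
    # for as long as the account remains in any protected group.
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # $false = stop blocking inheritance; $true = keep the ACEs already on the object
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

Get-ProtectedAccountReport | Format-Table -AutoSize
# Enable-AclInheritance -SamAccountName 'jsmith'   # constructed account name
```

Run the report first: any account with InheritanceBlocked = True and a non-empty ProtectedGroups column is one that will fail ActiveSync, and the group list tells you whether Solution 1 is practical for it.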



Performing a Remote Mobile Wipe with Exchange server 2010

  • Open the Exchange Management Console (EMC)
  • Expand Microsoft Exchange On-Premises.
  • Expand Recipient Configuration.
  • Click Mailbox.
  • Right-click the user and select Manage Mobile Phone.


In the Manage Mobile Phone wizard, verify that the device that needs to be wiped is selected. If it isn't, single-click to select it.

  • Under Action, click the radio button next to Perform a remote wipe to clear mobile phone data.
  • Click the Clear button.


  • Click Yes when prompted to confirm “Are you sure you want to clear the device for {device name}.”


The wizard will proceed to the completion screen, where you should be presented with a message indicating that the remote wipe command has been queued successfully. Look closely and you'll also notice the actual PowerShell cmdlet that the GUI executed. Recall that Exchange 2010 is built to leverage the "power" of PowerShell; the GUI is really just a point-and-click front-end for the shell. Remote wipes are no exception, as they can be handled quite succinctly via two Exchange cmdlets: Get-ActiveSyncDevice and Clear-ActiveSyncDevice. Let's jump right into that now.
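The shell equivalent of the wizard above, as an added example that is not part of the original post. It runs in the Exchange 2010 Management Shell; the mailbox name, the DeviceId and the notification address are constructed. The point of the extra steps is to select the device by its DeviceId rather than by a friendly name (a user can have several partnerships with the same model) and to watch the three wipe timestamps so you know whether the device has actually picked the command up.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.
$mailbox  = 'jsmith'              # constructed mailbox alias
$deviceId = 'ApplABC123456789'    # constructed DeviceId, taken from the listing in step 1

# 1. List every device partnered with the mailbox, with the fields you need to pick
#    the right one before wiping it.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Format-Table DeviceFriendlyName, DeviceType, DeviceId, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# 2. Resolve exactly one partnership; refuse to continue on no match.
$device = Get-ActiveSyncDevice -Mailbox $mailbox | Where-Object { $_.DeviceId -eq $deviceId }
if (-not $device) { throw "No ActiveSync partnership with DeviceId $deviceId for $mailbox" }

# 3. Queue the wipe. The notification address is mailed when the device acknowledges.
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses 'helpdesk@example.com'

# 4. Track it: RequestTime = queued on the server, SentTime = the device polled and
#    received the command, AckTime = the device confirmed the wipe completed.
Get-ActiveSyncDeviceStatistics -Identity $device.Identity |
    Format-List DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 5. Once DeviceWipeAckTime is set, drop the partnership so the device cannot sync again
#    without a fresh one.
# Remove-ActiveSyncDevice -Identity $device.Identity
```

Until DeviceWipeAckTime is populated the wipe has only been queued; a device that is switched off or off the network will execute it the next time it connects to the Client Access server.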

Transferring Certificates from Exchange 2003/2007 to Exchange 2010



As a rule most of my clients use self-signed certificates (even though you can buy certs cheap as chips these days). If you have paid for a certificate I can see why you would want to transfer it to the new Exchange box, though if you're using self-signed certificates it's a simpler task to create a new one. But I was asked, and what you guys ask for, I will work out how to do 🙂


Export Certificate from Exchange 2007

1. To see which certificates are being used for what, launch the "Exchange Management Shell" and issue the following command:

Get-ExchangeCertificate


2. Take a note of the certificates thumbprint (copy it to notepad).

Note: The letters in the Services column mean
I – IMAP
P – POP
S – SMTP
U – Unified Messaging
W – Web (IIS: OWA, ActiveSync, Outlook Anywhere)

3. To export the certificate, issue the following command (Note: put in your own certificate thumbprint):

Export-ExchangeCertificate -Thumbprint 1D5B46DBA10E2669327498BFB9F56146A47256CC -BinaryEncoded:$true -Path c:\exported.pfx -Password:(Get-Credential).password

4. Enter your domain credentials; the password you type at the prompt becomes the password that protects the exported .pfx file.

5. Your exported certificate is now on the root of C: and called exported.pfx.


Export Certificate from Exchange 2003

1. Click Start > mmc {enter} > File > Add/Remove Snap-in.

2. Add > Certificates > Add > Select “Computer account” > Next.

3. Accept the default of “Local computer” > Finish > Close > OK.

4. Expand Certificates > Personal > Certificates > locate the cert you are using for OWA etc.

5. Check the expiration date if you are unsure.

6. In the certificates console right click your certificate > All Tasks > Export.

7. At the welcome page > Next > select "Yes, export the private key" > Next > Next > leave the password blank > Next > choose where to save it > Save.

8. Next > Finish > It should say that it was successful.



Import your Certificate into Exchange 2010

1. Copy your exported.pfx file to the root of the Exchange servers C: Drive.

2. Launch the Exchange Management Shell and issue the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\exported.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).password

Or, if you exported the certificate from Exchange 2003 (no password was set on export):

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\exported.pfx -Encoding Byte -ReadCount 0))

Exchange 2003 Certificate Import (without a password prompt).

Exchange 2007 and 2010 Certificate Import

4. Then, to enable the certificate, use the following command and press "A" to confirm (Note: put in the host name that is on the certificate after -DomainName):

Get-ExchangeCertificate -DomainName <host name on the certificate> | Enable-ExchangeCertificate -Services IIS,SMTP

5. Now your OWA, Active-Sync etc, will be using the imported certificate.
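The whole transfer as one script, added here as an example rather than taken from the original post. The first half runs in the Exchange 2007 Management Shell, the second in the Exchange 2010 one; the host names and the file path are constructed, and the export uses the same -Path form as the post. Beyond the steps above it picks the certificate by what it secures instead of by eye, checks expiry and the names the new certificate covers before binding it, and cleans up the .pfx, which holds the private key, once it is imported.

```powershell
# Added example, not part of the original post. Host names and paths are constructed.

# --- On the Exchange 2007 server (Exchange Management Shell) ---
# Pick the unexpired certificate that IIS (OWA/ActiveSync) is actually using.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No unexpired certificate bound to IIS was found' }
$cert | Format-List Thumbprint, Services, NotAfter, CertificateDomains

$pfxPassword = Read-Host -Prompt 'Password to protect the exported PFX' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path 'C:\exported.pfx' -Password $pfxPassword
# exported.pfx contains the private key: copy it over an authenticated channel
# (e.g. an admin share over SMB signing, not e-mail) and delete both copies afterwards.

# --- On the Exchange 2010 server (Exchange Management Shell) ---
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path 'C:\exported.pfx' -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword

# Confirm the certificate covers every name clients connect to before enabling it,
# otherwise Outlook and phones start throwing name-mismatch warnings.
$needed  = 'mail.example.com', 'autodiscover.example.com'        # constructed names
$missing = $needed | Where-Object { $imported.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Certificate does not cover: $($missing -join ', ')" }
if ($imported.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($imported.NotAfter)" }

# Bind it; this prompts (press A) when it replaces the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint | Format-List Services, NotAfter, CertificateDomains

# The private key is now in the machine store; the PFX file is no longer needed.
Remove-Item -Path 'C:\exported.pfx' -Force
```

Using -Thumbprint on Enable-ExchangeCertificate, rather than the -DomainName lookup, avoids enabling the wrong certificate when several with overlapping names are present in the store.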


References – Credits – Or External Links

Thanks to Rick Faria for pointing out this info was missing from the site 🙂

Upgrading Exchange 2010 to new hardware (Exch2010 to Exch 2010)

1. Move the mailboxes.

Creating Move Requests using the Exchange Management Console

Launch the Exchange Management Console and navigate to Recipient Configuration/Mailbox.

Select a mailbox, or hold the CTRL key to select multiple mailboxes to move as a group.

Selecting mailboxes to move in the Exchange Management Console

In the Actions pane click on New Local Move Request.  Local Move Requests are for moves within the same Exchange organization.

Start a new Local Move Request

All of the mailboxes selected for the New Local Move Request wizard will be moved to the same target mailbox database.  Click the Browse button to choose a target mailbox database.

Browse to select a target mailbox database

Select the mailbox database to move the pilot group to and then click OK.  Click Next to continue.

Choose the target mailbox database

Leave the Move Settings as the default settings and click Next to continue.  If you encounter issues with corrupt items you may need to create a new move request for those mailboxes and choose to skip corrupted messages.

Configure the settings for the mailbox move requests

Review the list of mailboxes that will be moved and then click New to create the move requests.

Review the mailboxes to be moved

Click Finish to close the wizard.

The move requests are created and will be processed by the Exchange server.  You can view the status of the move requests in the Exchange Management Console under Recipient Configuration/Move Request.

View the status of the mailbox move requests

Right-click a move request and choose Properties to see the status of that move request.

View the progress of a mailbox move request


2. Move the public and system folders.


Moving a public folder database from one server to another in Exchange Server 2007 or Exchange Server 2010 is a fiddly task. Before starting, you have to create a public folder database on the new server.

Step 1: After creating the public folder database, change to the Exchange scripts directory and run MoveAllReplicas.ps1 (the path below is the default install location):

cd "C:\Program Files\Microsoft\Exchange Server\V14\Scripts"
.\MoveAllReplicas.ps1 -Server Server1 -NewServer server2

after executing your public folder will move,


Step 2: Verify whether the public folders have moved by running the following command against the old server:

Get-PublicFolderStatistics -Server Server1

If it returns nothing, your public folders have moved to the destination server.

Step 3: To get a listing of all system folders on this database, run the command

Get-PublicFolder \NON_IPM_SUBTREE -Recurse | ft Name,Replicas


Step 4: Then set the public folder database on the new server as the default for your mailbox databases, using the following steps:

  1. In the console tree, navigate to Organization Configuration > Mailbox.
  2. In the result pane, select the mailbox database for which you want to change the default public folder database.
  3. In the action pane, under the mailbox database name, click Properties.
  4. In Properties, click the Client Settings tab.
  5. Next to the Default public folder database box, click Browse.
  6. In Select Public Folder Database, select the public folder database from the list of public folder databases, and then click OK.
  7. Click OK

Step 5: Remove the old public folder database.
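Steps 1 to 5 above scripted end to end, added here as an example that is not part of the original post. It runs in the Exchange 2010 Management Shell on the new server and keeps the post's server names (Server1 old, Server2 new). Replica moves are asynchronous, so instead of checking once it loops until no folder, system folders in \NON_IPM_SUBTREE included, still lists the old database as a replica, then repoints the mailbox databases with Set-MailboxDatabase (the shell form of the seven GUI clicks in Step 4) and only then removes the old database.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.
$oldServer = 'Server1'
$newServer = 'Server2'
$oldDb = Get-PublicFolderDatabase -Server $oldServer
$newDb = Get-PublicFolderDatabase -Server $newServer

# Step 1: rehome every replica from the old public folder database to the new one.
Set-Location 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts'   # default install path
.\MoveAllReplicas.ps1 -Server $oldServer -NewServer $newServer

# Steps 2 and 3: replication takes time. List folders (IPM and system subtrees)
# that still name the old database as a replica.
function Get-FoldersStillOnOldServer {
    @(Get-PublicFolder -Identity '\' -Recurse) + @(Get-PublicFolder -Identity '\NON_IPM_SUBTREE' -Recurse) |
        Where-Object { @($_.Replicas | Where-Object { $_.Name -eq $oldDb.Name }).Count -gt 0 }
}

do {
    $remaining = @(Get-FoldersStillOnOldServer)
    if ($remaining.Count -gt 0) {
        Write-Host "$($remaining.Count) folder(s) still replicated to $oldServer; waiting..."
        Start-Sleep -Seconds 300
    }
} while ($remaining.Count -gt 0)

# The post's own check: no output here means no content is left on the old server.
Get-PublicFolderStatistics -Server $oldServer

# Step 4: point every mailbox database that used the old public folder database at the new one.
Get-MailboxDatabase |
    Where-Object { $_.PublicFolderDatabase -and $_.PublicFolderDatabase.Name -eq $oldDb.Name } |
    Set-MailboxDatabase -PublicFolderDatabase $newDb.Identity

# Step 5: remove the old database only now that nothing references it.
Remove-PublicFolderDatabase -Identity $oldDb.Identity
```

Remove-PublicFolderDatabase refuses to run while replicas remain, so if the last step errors, rerun the loop rather than forcing the removal.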

3. Move the connectors.

You can change the source transport server on your send connector(s) to the new server.

For the receive connectors, create any additional or custom ones on the new server and direct the hosts that use them to the new server (hopefully they have been using a DNS alias for this, so you can just update that one DNS alias; if not, consider doing that from this point forward).

You'll also need to look at the external URLs for services such as OWA and ActiveSync, and at how you've published those to the internet.


4. Change all CNAME records (webmail, autodiscover) to point to the new server.

5. Change all SMTP devices to route to the new server.

6. Change the OAB generation server.

7. Remove the databases from the old server.

1) Run Get-Mailbox -Database "Database Name" -Arbitration to find all the arbitration mailboxes.

2) If there are arbitration mailboxes, move them to a different database and then delete the database again:

Get-Mailbox -Database "Mailbox Database" -Arbitration | New-MoveRequest -TargetDatabase "New Mailbox Database"

3) If none of the above works, you can use the ADSIEDIT tool to delete the mailbox database:

1. Open Adsiedit.msc
2. Connect to the configuration partition.
3. Expand Configuration > Services > Microsoft Exchange > <Organization Name> > Administrative Groups > Servers > <Messaging Server name> > Information Stores.
4. Delete the appropriate database.

8. Uninstall Exchange Server.

9. Shut down the old server.
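Steps 1, 3, 6 and 7 of the procedure above in shell form, added here as an example that is not part of the original post. It runs in the Exchange 2010 Management Shell; the server and database names are constructed. It goes a little beyond the text: moves are tagged with a batch name so their statistics can be pulled back as a group, BadItemLimit handles the corrupt-item case mentioned under step 1, and the old database is removed only after a check that no user, arbitration or archive mailbox is still homed in it.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.
$oldDb     = 'Mailbox Database 0001'   # constructed, on the old server
$newDb     = 'Mailbox Database NEW'    # constructed, on the new server
$newServer = 'NEW-EX'                  # constructed host name
$batch     = 'Old-to-New'

# Step 1: queue a move for every user mailbox in the old database. BadItemLimit lets
# a move complete past a handful of corrupt items instead of failing; above 50 the
# cmdlet also demands -AcceptLargeDataLoss, so data loss stays an explicit decision.
Get-Mailbox -Database $oldDb -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $newDb -BadItemLimit 10 -BatchName $batch

# Step 7.1/7.2: arbitration (system) mailboxes are invisible to Get-Mailbox without
# -Arbitration, and they block Remove-MailboxDatabase until moved.
Get-Mailbox -Database $oldDb -Arbitration |
    New-MoveRequest -TargetDatabase $newDb -BatchName $batch

# Progress for the whole batch; failed moves carry the reason in Message.
Get-MoveRequest -BatchName $batch | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered, Message -AutoSize

# Step 3: make the new server the source transport server on every send connector.
Get-SendConnector | Set-SendConnector -SourceTransportServers $newServer

# Step 6: move OAB generation for every offline address book to the new server.
Get-OfflineAddressBook | Move-OfflineAddressBook -Server $newServer

# Step 7: refuse to remove the old database while anything is still homed in it.
function Test-DatabaseEmpty([string]$Database) {
    $left = @(Get-Mailbox -Database $Database -ResultSize Unlimited) +
            @(Get-Mailbox -Database $Database -Arbitration) +
            @(Get-Mailbox -Database $Database -Archive)
    return ($left.Count -eq 0)
}

if (Test-DatabaseEmpty -Database $oldDb) {
    Get-MoveRequest -BatchName $batch -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
    Remove-MailboxDatabase -Identity $oldDb
} else {
    Write-Warning "$oldDb still holds mailboxes; not removing it. Remaining:"
    Get-Mailbox -Database $oldDb -Arbitration
    Get-Mailbox -Database $oldDb -Archive
}
```

Set-SendConnector above rewrites SourceTransportServers on every connector in the organisation; if some connectors must stay on other Hub Transport servers, filter Get-SendConnector by name first.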

How to set Outlook to download only E-mail headers

This lets you browse through your e-mails without having to download all the e-mails and their attachments in their entirety, which can often be a lengthy task.

To configure Outlook to download only the e-mail headers, do the following:

    1.    On the Send / Receive tab, in the Send & Receive group, choose Send/Receive Groups:

Send and Receive in Outlook 2010

    2.    In the Send/Receive Groups list, choose Define Send/Receive Groups… (or press Ctrl+Alt+S):

Send/Receive Groups in Outlook 2010

    3.    Select a group to modify and click Edit….

    4.    In the Accounts section on the left side of the dialog box, select the mail account whose settings you want to modify.

Send/Receive Settings

    5.    Select a folder from the list of folders in the Folder Options section and then choose the option Download headers only.

It is possible to have different setting for each folder in an account, so, for example, you could set Outlook to download only headers in a folder that you know gets a large volume of e-mails.

Removing managed mailboxes from an Outlook profile

Following a server migration, an administrator had user’s mailboxes showing up in his profile. This was the result of giving himself Full Access permission to the mailboxes during the migration.

When a user has Full Access permission to another user’s mailbox, Outlook 2007 and above automatically opens the mailbox in the profile. (The mailboxes were not listed as secondary mailboxes in Account Settings.)

The administrator removed Full Access permission for the mailboxes but this didn’t remove the accounts from his profile.

Following an Exchange server upgrade, I have several users' mailboxes in my profile. I cannot close the mailboxes. The accounts are not listed as additional mailboxes in my profile. I removed Full Access permissions. Any idea of how to get rid of these extra mailboxes?

Edit the user account in ADUC

You need to edit the user accounts in Active Directory and remove your name from the MsExchDelegateListLink attribute.

  1. Open Active Directory Users and Computers
  2. Go to View menu and select Advanced Features
  3. Open the user account that is showing in your mailbox (in the screenshot, my mailbox is in Mary’s profile)
  4. Open the Properties dialog
  5. Click Attribute Editor tab
  6. Locate MsExchDelegateListLink
  7. Click Edit
  8. Remove your name from the attribute
  9. Close the dialogs

Keep FullAccess Mailboxes from being AutoMapped

Not everyone likes automapping of mailboxes. It's great for the end user: the mailboxes they have permission to open are automatically added to their profile, avoiding the need to go into the profile and add the secondary mailbox manually. But not everyone wants to see the shared mailbox in their profile.

It's possible to give a user full access to a mailbox without automapping by adding the -AutoMapping $false parameter to the Add-MailboxPermission cmdlet:

Add-MailboxPermission -Identity "shared-mailbox" -User "alias" -AccessRights FullAccess -AutoMapping $false
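The two preceding sections in shell form, added here as an example that is not part of the original post: a lookup of who is currently automapped into a mailbox (the content of MsExchDelegateListLink), the Full Access grant without automapping, and the shell version of the nine ADUC steps for permissions that were granted before -AutoMapping existed. It assumes the Exchange 2010 SP1 Management Shell with the ActiveDirectory module loaded; the mailbox and user names are constructed.

```powershell
# Added example, not part of the original post. Exchange 2010 SP1 Management Shell
# plus the ActiveDirectory (RSAT) module. Names below are constructed.
Import-Module ActiveDirectory
$shared = 'finance-shared'
$user   = 'jsmith'

# msExchDelegateListLink on the *target* mailbox lists the DNs of every user whose
# Outlook will open it automatically. Use it to audit who is automapped today.
function Get-AutoMappedUsers([string]$Mailbox) {
    $dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
    (Get-ADUser -Identity $dn -Properties msExchDelegateListLink).msExchDelegateListLink
}

# Grant Full Access without touching msExchDelegateListLink (no automapping).
Add-MailboxPermission -Identity $shared -User $user -AccessRights FullAccess -AutoMapping $false

# The post's ADUC steps, scripted: remove one user's DN from the attribute on the
# mailbox that keeps appearing in their profile. Outlook picks the change up on the
# next Autodiscover refresh or restart.
function Remove-AutoMapping([string]$Mailbox, [string]$User) {
    $mailboxDn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
    $userDn    = (Get-Mailbox -Identity $User).DistinguishedName
    Set-ADUser -Identity $mailboxDn -Remove @{ msExchDelegateListLink = $userDn }
}

Get-AutoMappedUsers -Mailbox $shared
# Remove-AutoMapping -Mailbox $shared -User $user
```

Removing a DN from msExchDelegateListLink does not remove the Full Access permission itself; the administrator in the story above still needed Remove-MailboxPermission for that, and the attribute edit only stops Outlook from opening the mailbox.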

Exclude DC from DSAccess of Exchange Server

By default, DSAccess or ADAccess chooses the primary domain controller (PDC) emulator operations master role computer to handle requests in Microsoft Exchange. This action may result in poor performance if other non-Exchange programs are making heavy use of the PDC emulator.

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Microsoft Exchange 2000 Server and later versions

To resolve this problem in Exchange 2000 Server and later versions, add the MinUserDC registry value to exclude the PDC emulator from the server list that Exchange can use.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To add the MinUserDC registry value, follow these steps:

  1. Start Registry Editor.
  2. Locate and then click the following subkey in the registry:

    Note In Exchange Server 2007 and in Exchange Server 2010, locate the MSExchangeADAccess subkey instead of the MSExchangeDSAccess subkey.

  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MinUserDC
    Data type: REG_DWORD
    Value data: As required

    Note The MinUserDC entry determines how many total user domain controllers must be available for PDC emulator exclusion to turn on. The value data that is configured for the MinUserDC registry entry is the maximum number of domain controllers to contact before the PDC emulator is contacted. For example, when you set MinUserDC to 4, this configures DSAccess to exclude the PDC emulator only when a total of four domain controllers are available. When this condition is met, the PDC emulator is excluded from use, and DSAccess communicates only with the remaining three domain controllers.

  4. Exit Registry Editor.


  • You have to apply the registry change that this article describes regardless of the service pack that is installed.
  • In Exchange Server Enterprise Edition, the Profiles subkey and the Default subkey are not available. You must create these subkeys in Exchange Server Enterprise Edition.
  • When you determine a value for MinUserDC, use the formula n – 1, where n is the total number of domain controllers in the site, including the PDC emulator. Subtract 1 from that number, and the result is the value that you enter for MinUserDC.

Method 2: Exchange Server 2007 and Exchange Server 2010

In Exchange Server 2007 and in Exchange Server 2010, you can use a cmdlet to configure the ADAccess component to exclude a particular domain controller or a list of domain controllers from use. To do this, use the Set-ExchangeServer command together with the StaticExcludedDomainControllers option.

The following example shows how to use the Set-ExchangeServer command to exclude one or more domain controllers from use. Additionally, this example shows how to verify the status of the Exchange environment after you run the Set-ExchangeServer command.

In this example, you have the following servers:

Host name   Role
E2K7-1      Exchange Server 2007
DC-1        Domain controller, also PDC operations master
DC-2        Domain controller
DC-3        Domain controller

To use the Set-ExchangeServer command to exclude the three domain controllers that are listed in this table from use for the DSAccess component, follow these steps:

  1. Start the Exchange Management Shell. To do this, click Start, point to All Programs, point to Microsoft Exchange Server 2007, and then click Exchange Management Shell.
  2. At the command prompt, type the following command, and then press Enter:
    Set-ExchangeServer -Identity E2K7-1 -StaticExcludedDomainControllers DC-1.<domain>,DC-2.<domain>,DC-3.<domain>

    This command excludes DC-1, DC-2, and DC-3 from use by the server that is named E2K7-1 (replace <domain> with your DNS domain suffix).

    Note In this command, specify the fully qualified domain names of the individual domain controllers by using a comma-separated list that does not contain spaces between each entry.

  3. To verify the list of excluded domain controllers, type the following command, and then press Enter:
    Get-ExchangeServer -Identity E2K7-1 -Status | fl Name, StaticExcludedDomainControllers

Note If you want to remove the changes that you have made and revert to the default behavior of Exchange, type the following command at the Exchange Management Shell prompt, and then press Enter:

Set-ExchangeServer -Identity E2K7-1 -StaticExcludedDomainControllers:$null
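Method 2 as a guarded script, added here as an example that is not part of the original KB text. It assumes the Exchange 2010 Management Shell with the ActiveDirectory module loaded and keeps the KB's server name E2K7-1. Unlike the KB's illustration, which excludes all three domain controllers, it excludes only the PDC emulator (the aim stated at the top of this section), discovers that DC by FSMO role rather than by a hard-coded name, and refuses to proceed unless at least two other DCs remain in the Exchange server's site, since a server with every DC excluded has nothing left to talk to. It also shows the n – 1 arithmetic from Method 1 on the same site.

```powershell
# Added example, not part of the original KB text. Exchange 2010 Management Shell
# with the ActiveDirectory (RSAT) module loaded.
Import-Module ActiveDirectory
$exchangeServer = 'E2K7-1'

# The PDC emulator's FQDN, found by role instead of by name.
$pdc = (Get-ADDomain).PDCEmulator

# Domain controllers in the same AD site as the Exchange server (ADAccess only
# uses DCs from its own site unless none are available).
$siteName  = (Get-ExchangeServer -Identity $exchangeServer).Site.Name
$dcsInSite = @(Get-ADDomainController -Filter "Site -eq '$siteName'" | Select-Object -ExpandProperty HostName)
$others    = @($dcsInSite | Where-Object { $_ -ne $pdc })

if ($others.Count -lt 2) {
    throw "Only $($others.Count) DC(s) besides the PDC emulator in site $siteName; not excluding $pdc"
}

# Method 1 arithmetic, shown for the same site: MinUserDC = n - 1, n including the PDC.
$minUserDC = $dcsInSite.Count - 1
Write-Host "Site $siteName has $($dcsInSite.Count) DCs; Method 1 would set MinUserDC = $minUserDC"

# Method 2: static exclusion of just the PDC emulator.
Set-ExchangeServer -Identity $exchangeServer -StaticExcludedDomainControllers $pdc

# Verify the exclusion list and, after the next topology discovery, which DCs and
# GCs ADAccess is actually using.
Get-ExchangeServer -Identity $exchangeServer -Status |
    Format-List Name, StaticExcludedDomainControllers, CurrentDomainControllers, CurrentGlobalCatalogs

# Revert to the default behaviour:
# Set-ExchangeServer -Identity $exchangeServer -StaticExcludedDomainControllers:$null
```

Re-run the verification after a few minutes: the StaticExcludedDomainControllers value is written immediately, but CurrentDomainControllers only changes once ADAccess performs its next topology discovery.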