Install Exchange 2010 rollups on DAG servers

By Steven Jordan on 4/17/2014

Takeaway:  Steps on how to apply Exchange update rollups to Database Availability Group (DAG) member servers.  Take care when applying Exchange service pack rollups on Patch Tuesday.

  1. Prevent the server from activating databases.  N.B., Exchange continues to keep the database copies current; however, it will not activate them if other DAG members become unavailable.

          Get-MailboxDatabaseCopyStatus -Server (hostname) | Suspend-MailboxDatabaseCopy -ActivationOnly -Confirm:$false

  2. Migrate all active databases to another DAG member:

          Move-ActiveMailboxDatabase -Server (hostname) -ActivateOnServer (Other DAG Member)

  3. Check activation status with PowerShell:

          Get-MailboxDatabaseCopyStatus -Server (hostname) | Select Name, ActivationSuspended, MailboxServer
          Get-MailboxDatabase | Select Name, ActivationPreference, Server

  4. It's safe to install the Exchange roll-ups when activation is suspended.  Proceed with patching.

  5. Re-enable the database copies after patching is complete.  N.B., this server only becomes active if the other DAG member becomes unavailable.

          Get-MailboxDatabaseCopyStatus -Server (hostname) | Resume-MailboxDatabaseCopy

  6. Repeat the process for the remaining DAG servers: (a) prevent activation, (b) migrate active databases to another DAG member, (c) install the roll-ups, (d) resume activation.
That's It!
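The procedure above as one pair of functions, with the pre-flight and post-drain checks a practitioner wants before touching a DAG member.  This is an added example, not code from the original post; it assumes the Exchange 2010 Management Shell is loaded, the hostnames are supplied by you, and the queue thresholds are illustrative.

```powershell
function Start-DagMemberMaintenance {
    param(
        [Parameter(Mandatory=$true)][string]$Server,   # DAG member about to be patched
        [Parameter(Mandatory=$true)][string]$Target    # DAG member that takes over the active copies
    )
    # Refuse to drain a server whose copies are unhealthy or lagging: switching over from a
    # copy with a long queue trades a clean switchover for possible data loss.
    # Thresholds (10 / 50) are illustrative values chosen for this example.
    $copies = Get-MailboxDatabaseCopyStatus -Server $Server
    $bad = $copies | Where-Object {
        (@('Healthy','Mounted') -notcontains $_.Status) -or $_.CopyQueueLength -gt 10 -or $_.ReplayQueueLength -gt 50
    }
    if ($bad) {
        $bad | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
        throw "Fix the copies above on $Server before patching."
    }

    # Step 1: block activation on this server; log shipping and replay continue.
    $copies | Suspend-MailboxDatabaseCopy -ActivationOnly -Confirm:$false

    # Step 2: move every active database to the target DAG member.
    Move-ActiveMailboxDatabase -Server $Server -ActivateOnServer $Target -Confirm:$false

    # Step 3: verify nothing is still mounted here and every copy is activation-suspended.
    $notReady = Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.Status -eq 'Mounted' -or -not $_.ActivationSuspended }
    if ($notReady) {
        $notReady | Format-Table Name, Status, ActivationSuspended -AutoSize
        throw "$Server still has active or activation-enabled copies; do not patch yet."
    }
    Write-Host "$Server is drained and activation-blocked; install the rollup now."
}

function Stop-DagMemberMaintenance {
    param([Parameter(Mandatory=$true)][string]$Server)
    # Step 5: allow activation again. Copies become active only on failover or when you
    # rebalance afterwards, so the server stays passive until you decide otherwise.
    Get-MailboxDatabaseCopyStatus -Server $Server | Resume-MailboxDatabaseCopy -Confirm:$false
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Format-Table Name, Status, ActivationSuspended, CopyQueueLength -AutoSize
}
```

Run Start-DagMemberMaintenance before the rollup and Stop-DagMemberMaintenance after the post-install reboot, one DAG member at a time.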

Outlook S/MIME Email Encryption

Takeaway:  This article provides an email encryption walk-through.  There comes a time when every organization requires secure email.  Set up email encryption organization-wide or per individual with these simple steps.

PGP:  There are a number of expensive encryption products available, but organizations that use Outlook can (and should) use the built-in tools made freely available by Microsoft.  The same technology that protects web sites provides encrypted email: SSL certificates.

To be fair, there are alternatives to SSL email encryption.  For instance, Pretty Good Privacy (PGP) is an open source encryption protocol.  PGP has a good (pun) reputation with third-party Outlook plugin support.  PGP's greatest flaw is that it is not widely accepted.  Why bother with email encryption that business partners don't support?

I suspect SSL based encryption is popular because of its native Outlook support.  It's worth mentioning that any S/MIME email client supports SSL based encryption (e.g., Firefox and Mac Mail).  In addition, SSL certificates allow for email encryption and also validate a sender's identity.

SSL:   Outlook validates certificate authenticity using a public key infrastructure (PKI).  Trusted root certificate authorities (CAs) issue X.509 (i.e., SSL) certificates to individuals and businesses.  Most web browsers and email clients trust X.509 certificates issued by the handful of public root CAs (e.g., GoDaddy).

Fig. 1.  Individuals and businesses obtain X.509 (i.e., SSL) certificates from root CAs.

Digital Signatures:  SSL certificates consist of a private key and a public key.  The private key is the basis for digital personal identity.  Private keys ensure integrity and confidentiality, and must remain a guarded secret.  Digital signatures use private keys (i.e., digital IDs) to sign outbound email messages.

When Outlook signs a message it first creates a message digest using a mathematical function (i.e., hashing).  The message digest is a unique summary of the original data.  Outlook then uses the private key to encrypt the message digest.  The encrypted message digest is the digital signature.

N.B., the message digest is not the same thing as the message.  The message digest is encrypted in the digital signature, but the message contents remain unencrypted (huh?).  Keep in mind that the private key encrypts the message digest.  The receiving side uses the public key to decrypt the message digest and compares it with a digest it computes itself.  Recall, the private key is a well-kept secret; only the sender can sign messages with it.  This process establishes the sender's identity and validates the message's authenticity.  We can be reasonably sure the sender is who they claim to be when they include a digital signature.

Content Encryption:  Why does the private key encrypt the message digest but not the message contents?  The answer is that SSL certificates use asymmetric (i.e., public-key) encryption.  Private keys decrypt what the public key encrypted, and public keys decrypt what the private key encrypted.   It's pointless to encrypt message contents with a private key when everyone has access to the public key.  Why lock a door if everyone has the key to open it?

Outlook never encrypts message content with the sender's private or public key.  Outlook therefore uses the recipient's public key to encrypt the message content.  This process ensures confidentiality because only the recipient can decrypt the message with their own private key.
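The two operations described above (sign with the sender's private key, encrypt for the recipient's public key) reproduced with the .NET CMS classes that the S/MIME format is built on.  This is an added example, not code from the original post; it assumes Windows PowerShell 5.1, uses a throwaway self-signed certificate in place of a CA-issued digital ID, and the message text is constructed.

```powershell
Add-Type -AssemblyName System.Security
$ns = 'System.Security.Cryptography.Pkcs'

# Throwaway "digital ID": a CAPI key with KeySpec KeyExchange so one key can both sign and
# decrypt in this demo (a real deployment uses a CA-issued certificate; see Fig. 1).
$cert = New-SelfSignedCertificate -Subject 'CN=smime-demo' -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature,KeyEncipherment -KeySpec KeyExchange `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddDays(1)

$message = [Text.Encoding]::UTF8.GetBytes('Board minutes attached - do not forward')   # constructed sample
$content = New-Object "$ns.ContentInfo" (,$message)

# 1. Signing: hash the message and encrypt the hash with the SENDER's private key.
#    Detached (clear-signed) mode: the message travels readable; the blob holds only the signature.
$signer = New-Object "$ns.CmsSigner" ($cert)
$signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::EndCertOnly
$signed = New-Object "$ns.SignedCms" ($content, $true)       # $true = detached signature
$signed.ComputeSignature($signer)
$sigBlob = $signed.Encode()

function Test-Signature([byte[]]$body, [byte[]]$sig) {
    # The recipient recomputes the digest of $body and compares it with the digest
    # decrypted from $sig using the public key carried in the signer's certificate.
    $v = New-Object "$ns.SignedCms" ((New-Object "$ns.ContentInfo" (,$body)), $true)
    $v.Decode($sig)
    try { $v.CheckSignature($true); $true } catch { $false }  # $true = skip chain building (self-signed)
}
"Original body verifies: " + (Test-Signature $message $sigBlob)     # True
$forged = [Text.Encoding]::UTF8.GetBytes('Board minutes attached - forward freely')
"Altered body verifies:  " + (Test-Signature $forged $sigBlob)      # False: digests no longer match

# 2. Encryption: the content is encrypted for the RECIPIENT's public key (the same cert here),
#    so only the holder of the matching private key can open it.
$enveloped = New-Object "$ns.EnvelopedCms" ($content)
$enveloped.Encrypt((New-Object "$ns.CmsRecipient" ($cert)))
$cipherBlob = $enveloped.Encode()

$opened = New-Object "$ns.EnvelopedCms"
$opened.Decode($cipherBlob)
$opened.Decrypt((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection ($cert)))
"Decrypted with recipient private key: " + [Text.Encoding]::UTF8.GetString($opened.ContentInfo.Content)

Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"     # clean up the demo certificate
```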

Outlook Encryption Process
  1. Both parties must exchange digitally signed emails before encryption is possible.  The process stores the sender's certificate (i.e., public key) from the signature in the recipient's contact list.
  2. New messages are encrypted just before the message is sent.  The new message window contains an Encrypt and a Sign button in the Options ribbon.   The encrypt option is only available if the recipient's digital ID (public certificate) is stored in the contact list.

Fig 2.  Outlook Encryption Process Flow

Updated on 4/6/2014 by Steven Jordan.


Outlook freezes or locks up when using a personal certificate...

Last updated  September 13th, 2013 by Steven Jordan


Outlook 2013 has a bug that prevents message delivery after a certificate is installed from the Outlook Trust Center.  After adding the personal certificate, Outlook freezes and locks up when attempting to send.
Microsoft KB 2813237 indicates applications may freeze on Windows 8 when using password-protected certificates.  Applying the hotfix resolved all Outlook certificate problems.  Email delivery, message encryption, and digital signatures now work as expected.
However, there was a negative side effect from the hotfix.   Internet Explorer was unable to authenticate using personal certificates.  This problem affects both IE and Google Chrome.  This was a problem because I was unable to log on or authenticate to StartSSL.  The short-term solution was to use Firefox, which maintains certificates independently of Windows.

 Specific Errors:
"Your digital ID name cannot be found by the underlying security system"
"Your Digital Id Name Cannot Be Found By The Underlying Security"

Uninstall all personal certificates via Internet Options. 
          Control Panel > Internet Options > Content > Certificates
After personal certificates are removed proceed to import the certificate from Internet Options.  If the personal certificate is added through Internet Options (do not install via Outlook 2013) Outlook automatically works with the certificate and IE continues to authenticate with the certificate.  I normally install certificates via the certificate management MMC so the approach was new to me.

How to Edit AD User Fields with ECP / OWA.

Summary:  How to create a management role for ECP / OWA.  It gives selected users a tool, and the privileges, to change AD users' Identity, Title, Department, Company, and Manager fields.

Issue:  Manager request to edit additional user fields from the OWA/ ECP site.  Request includes Identity, Title, Department, Company, and Manager fields.

Background:  The manager is currently assigned to the Help Desk role group that allows basic address changes to staff contact information within AD; changes to additional fields are not permitted.

Limitation:  Exchange 2010 ECP provides built-in management roles only.  Editing the role entries for extended attributes is only possible with PowerShell.


     Create AD Security Group:

  1. Create a new security group in AD (e.g., ECP_OWA-User_Fields).  Group members will have permission to edit all users' organization fields.

     Create New Management Role:

  1. Create a new management role based on Mail Recipients:

          New-ManagementRole -Name "Mail Recipients Extended" -Parent "Mail Recipients"

  2. Remove unnecessary management role entries (everything except Set-User):

          Get-ManagementRoleEntry "Mail Recipients Extended\*" | Where-Object { $_.Name -ne "Set-User" } | Remove-ManagementRoleEntry

  3. Provide extended organization attributes (additional users' organization fields)*:

          Set-ManagementRoleEntry "Mail Recipients Extended\Set-User" -Parameters Identity,Title,Department,Company,Manager

  4. Add the Get-* entries of the Exchange Mail Recipients role to the new role:

          Get-ManagementRoleEntry "Mail Recipients\Get-*" | Add-ManagementRoleEntry -Role "Mail Recipients Extended"

     Create New Management Role Assignment:

  1. Assign the role to the group:

          New-ManagementRoleAssignment -Name "Edit-User-Title-Dept" -Role "Mail Recipients Extended" -SecurityGroup "ECP_OWA-User_Fields"

  2. Assign View-Only Recipients to the group:

          New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "ECP_OWA-User_Fields"

  3. Add the managers' user accounts to the new security group in AD.

Implementation allows managers (or help desk) to view and edit the organization fields for all AD users.
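A least-privilege check to run after the steps above: it confirms the custom role still contains only Get-* entries plus Set-User, that Set-User exposes only the five requested parameters, and that the group holds exactly the two assignments.  This is an added example, not code from the original post; it assumes the Exchange 2010 Management Shell and the role and group names used above.

```powershell
function Test-ExtendedRecipientRole {
    param(
        [string]$Role  = 'Mail Recipients Extended',
        [string]$Group = 'ECP_OWA-User_Fields',
        [string[]]$AllowedParameters = @('Identity','Title','Department','Company','Manager')
    )
    $problems = @()
    $entries  = Get-ManagementRoleEntry "$Role\*"

    # Only read cmdlets (Get-*) plus the single write path, Set-User, should remain.
    $entries | Where-Object { $_.Name -ne 'Set-User' -and $_.Name -notlike 'Get-*' } |
        ForEach-Object { $problems += "Unexpected write cmdlet in role: $($_.Name)" }

    # Set-User must expose only the requested fields; any other parameter is a privilege
    # the group was never meant to hold.
    $setUser = $entries | Where-Object { $_.Name -eq 'Set-User' }
    if (-not $setUser) { $problems += 'Set-User entry is missing from the role' }
    else {
        $extra = @($setUser.Parameters | Where-Object { $AllowedParameters -notcontains $_ })
        if ($extra.Count) { $problems += "Set-User exposes extra parameters: $($extra -join ', ')" }
    }

    # The group should hold exactly the two assignments made above and nothing else.
    $expected = @($Role, 'View-Only Recipients')
    $assigned = @(Get-ManagementRoleAssignment -RoleAssignee $Group | ForEach-Object { "$($_.Role)" })
    foreach ($r in $expected) {
        if ($assigned -notcontains $r) { $problems += "Group is missing the '$r' assignment" }
    }
    foreach ($r in $assigned) {
        if ($expected -notcontains $r) { $problems += "Group holds an extra role: $r" }
    }

    if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    Write-Host "$Role grants Set-User with $($AllowedParameters -join ', ') only; $Group holds $($expected -join ' + ')."
    return $true
}
Test-ExtendedRecipientRole
```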

Last updated  July 1, 2014 by Steven Jordan


*Additional organizational attributes:

Exchange 2010 SMTP Logs PowerShell Script

Script to export the Exchange 2010 SMTP logs into an easy to "read and work with" Excel file:

1.  Load Exchange Management Shell:

add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010

2.  Export message tracking results to CSV:

get-messagetrackinglog -ResultSize Unlimited -Sender "" -MessageSubject "This is where the subject goes" | Select Sender, @{n='Recipients';e={$_.Recipients -join ';'}}, @{n='RecipientStatus';e={$_.RecipientStatus -join ';'}}, MessageSubject, TimeStamp, EventId, Source, SourceContext, MessageId, InternalMessageId, ClientIP, ClientHostName, ServerIP, ServerHostName, ConnectorId, TotalBytes, RecipientCount, RelatedRecipientAddress, Reference, ReturnPath, MessageInfo | Export-Csv .\MessageTrackingLog.csv -NoTypeInformation

Fill in the sender address (or drop -Sender to match any sender).  Recipients and RecipientStatus are arrays, so they are joined with ";" here; a plain {$_.Recipients} makes Export-Csv write "System.String[]" instead of the addresses.

Last updated  June 13th, 2013 by Steven Jordan.

The Cluster Network Name is Not Online

Problem:  Failing node.  Failover Cluster Manager gave the following message:

     The cluster network name is not online.

There was also the following system log error:

Solution:  When attempting to bring nodes online in the failover cluster, be sure to check the cluster network's client role.  The role must be set to "allow clients to connect through this network".

  *Note:  Please try the Powershell or GUI method before attempting this registry fix. 
Further instructions can be found at: 

Registry fix resolved the issue:

Location:  HKEY_LOCAL_MACHINE\Cluster\Networks\<NIC GUID>\Role


1.  Do not allow cluster network communications on this network
2.  Allow cluster network communications on this network 
3.  Allow clients to connect through this network

The role must be set to "3" to allow the node to participate in the cluster.  Once the role is properly set the node will come online and work with the cluster.

This is a widely reported issue with Microsoft Failover Cluster services and Microsoft Exchange Server 2010 Database Availability Group (DAG) nodes.
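The PowerShell route the note above recommends trying before the registry edit: report the role of every cluster network, optionally set one named network to 3, and cross-check against the cluster hive.  This is an added example, not code from the original post; it assumes the FailoverClusters module on a cluster node, and the network name passed to -FixNetwork is whatever your cluster reports.

```powershell
Import-Module FailoverClusters

function Get-ClusterNetworkRoleReport {
    # -FixNetwork names the one network that should carry client traffic; other networks
    # (e.g. a replication-only network) are deliberately left at their current role.
    param([string]$FixNetwork)
    $meaning = @{ 0 = 'No cluster communication'; 1 = 'Cluster communication only'; 3 = 'Cluster and client access' }
    foreach ($net in Get-ClusterNetwork) {
        $role = [int]$net.Role
        $clientAccess = ($role -eq 3)
        if (-not $clientAccess -and $net.Name -eq $FixNetwork) {
            $net.Role = 3        # same value the registry fix writes under ...\Networks\<NIC GUID>\Role
            $role = [int](Get-ClusterNetwork -Name $net.Name).Role
            $clientAccess = ($role -eq 3)
        }
        New-Object PSObject -Property @{
            Network = $net.Name; Role = $role; Meaning = $meaning[$role]; ClientAccess = $clientAccess
        }
    }
}

# Report first; rerun with -FixNetwork '<name>' only for the network clients are meant to reach.
Get-ClusterNetworkRoleReport | Format-Table Network, Role, Meaning, ClientAccess -AutoSize

# Cross-check against the cluster hive (mapped at HKLM\Cluster only while the cluster service runs).
if (Test-Path HKLM:\Cluster\Networks) {
    Get-ChildItem HKLM:\Cluster\Networks | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        '{0,-40} Role={1}' -f $p.Name, $p.Role
    }
}
```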

P.S.  This post has been surprisingly popular.  Please leave comments if this helps.  Thanks!  -SMJ

Full Technet URL for this issue can be found at:

Last updated  August 29th, 2012 by Steven Jordan

Distribution Group Management via Outlook Web App

Outlook Web App distribution group management is a handy tool built into Exchange 2010.  The primary benefit is that end users can create and self-manage distribution groups.  This tool can also give the help desk access to assist end users without full admin rights on the email server.

To enable the service, first log onto Outlook Web App, with the Administrator account.

1.  Enable “My Distribution Groups” for the default Role Assignment Policy.

Outlook Web App → Options → See All Options → Manage My Organization → Roles & Auditing → User Roles → Default Role Assignment Policy

· This allows users to manage groups from their Outlook Web App sessions.
  o  Additional group owners may be assigned by current group owners.

· Users may search public groups and request permission to join from the group owners.
  o  Restrictions can be changed to allow auto join or leave.

2.  To assign management of groups to specific users:

Outlook Web App → Options → See All Options → Manage My Organization → Users & Groups → Distribution Groups

·  Edit specific group to make changes to ownership, membership, approvals, etc…

3.  When logged onto Outlook Web App as a user account (non-admin), Public Group options will be available.

·  Edit public groups owned by the user.
·  View groups the user belongs to.  Leave a group.
·  Search groups.  Request permission to join distribution groups.
·  Sue, Bob, Ned, or whoever else can all manage groups with this tool.
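The Exchange Management Shell equivalent of the OWA clicks above, so the change can be scripted and audited: grant the self-service roles through the default policy (step 1), hand one group to a named owner with explicit join/leave rules (step 2), then check the result.  This is an added example, not code from the original post; it assumes the Exchange 2010 shell, and the group name and owner address are placeholders.

```powershell
$policy = 'Default Role Assignment Policy'

# Step 1 equivalent (idempotent): MyDistributionGroups lets users create and own groups;
# MyDistributionGroupMembership covers the view / search / request-to-join side.
foreach ($role in 'MyDistributionGroups', 'MyDistributionGroupMembership') {
    $existing = Get-ManagementRoleAssignment -RoleAssignee $policy -Role $role -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ManagementRoleAssignment -Role $role -Policy $policy
    }
}

# Step 2 equivalent: make a named user the owner of one group and set the join/leave rules
# (joining: Open, Closed or ApprovalRequired; leaving: Open or Closed).
# -ManagedBy replaces the existing owner list; -BypassSecurityGroupManagerCheck lets an
# administrator who is not already an owner make the change.
Set-DistributionGroup -Identity 'Sales Team' -ManagedBy 'bob@example.com' `
    -MemberJoinRestriction ApprovalRequired -MemberDepartRestriction Open `
    -BypassSecurityGroupManagerCheck

# Checks: what the default policy now grants, and who owns the group with which rules.
Get-ManagementRoleAssignment -RoleAssignee $policy | Format-Table Role, Enabled -AutoSize
Get-DistributionGroup -Identity 'Sales Team' |
    Format-List ManagedBy, MemberJoinRestriction, MemberDepartRestriction
```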

Fix "Send As" for a Distribution Group


Email message bounced back:

     "Delivery has failed to these recipients or groups".

  • Exchange.
  • Distribution group.
  • Delegation set up with Send As privileges.

Possible Solution:

Make sure the distribution list is not hidden.  Doh!