Live Ransomware samples Subject, Sender August/July 2016 Switzerland

by butsch 25. August 2016 16:52

An overview of what Swiss hospitals are receiving these days.

If you still don't get it and don't understand how critical this point is:

  • Budget is NOT the criterion for deciding whether you use an attachment-analysis sandbox or not.
  • Modern versions of Cerber SPREAD via Microsoft Windows share credentials and jump to all clients. A customer with 13'000 clients was infected in Asia within a few hours.
  • If you have 100+ employees, or if you think your business is important, BUY a sandbox for mail analysis and use McAfee TIE/ATD for files.
  • If you are too small > there is no solution. Do not accept attachments anymore! Moving all mail flow and Exchange to the cloud will not help you! Spend massive money on security or accept the risk that you close your business one day because of ransomware.

http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/ (June 2016)

Updated: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan's platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/200216-Ransomware-Locky-Trojan-Germany-high-infection-rates.aspx

https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html

 

The malware was sent in the name of THE companies listed below. The sender addresses were spoofed/forged.

Date | Time | Client | Message | From
27.07.2016 | 04:44:34 | mx2.ait.ac.at [62.218.164.132] | The file Alphabet Incorporation.docx is infected with MSWord/Phishing.C97F!phish. | anja.koengeter@ait.ac.at
16.08.2016 | 13:44:58 | [62.152.169.139] | The file dhl_bestellung.docx is infected with JS/Nemucod.AAP!tr.dldr. | buro@dhl.com
20.07.2016 | 13:40:36 | mo4-p03-ob.smtp.rzone.de [81.169.146.172] | The file Paketnummer0221036778.zip is infected with JS/Ransom.AP!tr. | c.zaehringer@microtracer.de
16.08.2016 | 13:31:43 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_rechnung.docx is infected with JS/Nemucod.AAP!tr.dldr. | donotreply@dhl.com
18.07.2016 | 17:34:31 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:30:10 | mail.grosvenor-carpets.co.uk [91.135.7.205] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:20:25 | 91.98.235.122.pol.ir [91.98.235.122] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:09:24 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:07:35 | [82.79.49.226] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:01:47 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:54:46 | gw.paph.co.uk [82.33.219.82] | The file coop_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:52:15 | [82.78.203.146] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:59 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:40 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:07:52 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:45:18 | host-48-166-108-91.as10.ldn.uk.sharedband.net [91.108.166.48] | The file coop.ch_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:29:21 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:49:33 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:36:58 | static.imatel.es [91.200.117.76] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:13:35 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
15.08.2016 | 15:41:43 | static-84-42-159-115.net.upcbroadband.cz [84.42.159.115] | The file bestellung_15_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 15:18:33 | [193.85.159.72] | The file rechnung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:19:41 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file bestellung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:12:11 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file zahlung_15.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
16.08.2016 | 12:12:37 | fysiohoevensevld.demon.nl [80.100.200.39] | The file Zahlung_DHL.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@dhl.com
24.08.2016 | 06:39:32 | ncr-100-66.primenet.in [203.115.100.66] | The file PRIVATE CASH.zip is infected with W32/Inject.ABHZO!tr. | info@infobitsystem.com
09.08.2016 | 17:23:43 | 88.250.40.151.static.ttnet.com.tr [88.250.40.151] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 17:04:24 | [88.208.35.108] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 16:57:18 | [86.34.227.40] | The file quittung_09.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:36:59 | 80.179.6.66.static.012.net.il [80.179.6.66] | The file zahlung_09.08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 14:51:07 | llamentin-656-2-209.w81-248.abo.wanadoo.fr [81.248.1.209] | The file zahlung.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:08:59 | comox.a-enterprise.ch [62.12.150.213] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | m12e@bluewin.ch
09.08.2016 | 15:46:01 | zhhdzmsp-smtp14.bluewin.ch [195.186.136.32] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | migrol.stans@bluewin.ch
19.07.2016 | 14:45:56 | [189.126.194.34] | The file migros_rechnung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:39:17 | fysiohoevensevld.demon.nl [80.100.200.39] | The file migros_zahlung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:37:47 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:25:22 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 13:47:29 | [181.49.220.34] | The file migros_bestellung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
20.07.2016 | 17:30:54 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
20.07.2016 | 16:23:30 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
28.07.2016 | 15:58:43 | ms1.webland.ch [92.43.217.101] | The file copier@asa-spitaeler.ch_20160720076718.docm is infected with WM/Agent.BJC!tr.dldr. | no-reply=23=copier@asa-spitaeler.ch
16.08.2016 | 15:38:36 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_packet_16.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | paket@dhl.com
16.08.2016 | 13:14:02 | [62.152.169.139] | The file dhl_packet_16_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | reply@dhl.com
27.07.2016 | 14:00:52 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
27.07.2016 | 13:53:50 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
20.07.2016 | 16:12:32 | host81-137-222-56.in-addr.btopenworld.com [81.137.222.56] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:54:40 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:20:16 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 14:41:39 | lmontsouris-657-1-208-29.w80-11.abo.wanadoo.fr [80.11.48.29] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
21.07.2016 | 16:38:27 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:04:30 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:01:00 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:58:54 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:34:28 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:08:05 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 14:13:25 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:28:41 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:16:01 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:04:58 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:00:48 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
26.07.2016 | 11:36:01 | lputeaux-657-1-16-200.w90-63.abo.wanadoo.fr [90.63.199.200] | The file viagogo.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | ticketalerts@info.viagogo.com
20.07.2016 | 13:17:02 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch
20.07.2016 | 12:54:45 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch
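As an added example (not part of the original post), here is a PowerShell snippet that turns gateway notifications like the ones in the table into objects and answers two questions a defender wants from this data: which brands are being impersonated and from how many distinct sending hosts, and which "Office" attachments the engine actually classified as script downloaders or macro droppers. The semicolon-separated input format and the sample lines are constructed from rows of the table above; the mail gateway does not export this exact format, so the field parsing is an assumption, and the function name is mine.

```powershell
# Added example, not the post's own code. Constructed input: one notification
# per line as "date;time;client;message;from", values copied from the table.
$notifications = @'
27.07.2016;04:44:34;mx2.ait.ac.at [62.218.164.132];The file Alphabet Incorporation.docx is infected with MSWord/Phishing.C97F!phish.;anja.koengeter@ait.ac.at
18.07.2016;17:34:31;host-212-68-196-182.dynamic.voo.be [212.68.196.182];The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.;info@coop.ch
18.07.2016;17:09:24;gw.paph.co.uk [82.33.219.82];The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr.;info@coop.ch
18.07.2016;16:54:46;gw.paph.co.uk [82.33.219.82];The file coop_quitung.docx is infected with JS/Nemucod.C060!tr.dldr.;info@coop.ch
15.08.2016;15:41:43;static-84-42-159-115.net.upcbroadband.cz [84.42.159.115];The file bestellung_15_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr.;info@credit-suisse.com
09.08.2016;17:23:43;88.250.40.151.static.ttnet.com.tr [88.250.40.151];The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0.;info@post.ch
09.08.2016;16:08:59;comox.a-enterprise.ch [62.12.150.213];The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr.;m12e@bluewin.ch
19.07.2016;14:45:56;[189.126.194.34];The file migros_rechnung.doc is infected with WM/Agent.DWX!tr.;no-reply@migros.ch
24.08.2016;06:39:32;ncr-100-66.primenet.in [203.115.100.66];The file PRIVATE CASH.zip is infected with W32/Inject.ABHZO!tr.;info@infobitsystem.com
'@

function ConvertFrom-GatewayNotification {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $date, $time, $client, $message, $from = $line -split ';', 5
        # Attachment name and detection name are embedded in the message text.
        $file = ''; $det = $message
        if ($message -match '^The file (?<file>.+) is infected with (?<det>\S+?)\.?$') {
            $file = $Matches.file; $det = $Matches.det
        }
        # The real sending host is the bracketed IP, not the forged From address.
        $ip = if ($client -match '\[(?<ip>[^\]]+)\]') { $Matches.ip } else { $client }
        [pscustomobject]@{
            Timestamp     = [datetime]::ParseExact("$date $time", 'dd.MM.yyyy HH:mm:ss',
                                [Globalization.CultureInfo]::InvariantCulture)
            SourceHost    = $client
            SourceIP      = $ip
            Attachment    = $file
            Extension     = [IO.Path]::GetExtension($file).ToLower()
            Detection     = $det
            Family        = ($det -split '[/.]')[0]     # JS, WM, MSWord, W32, Malware_Generic
            From          = $from
            SpoofedDomain = ($from -split '@')[-1].ToLower()
        }
    }
}

$events = ConvertFrom-GatewayNotification -Lines ($notifications -split "`r?`n")

# 1. Which brands are impersonated, and from how many distinct sending hosts?
#    Many sources per forged domain is the signature of a spam run, not of the brand.
$events | Group-Object SpoofedDomain | ForEach-Object {
    [pscustomobject]@{
        SpoofedDomain     = $_.Name
        Notifications     = $_.Count
        DistinctSourceIPs = @($_.Group.SourceIP | Sort-Object -Unique).Count
        Detections        = (@($_.Group.Detection | Sort-Object -Unique) -join ', ')
    }
} | Sort-Object Notifications -Descending | Format-Table -AutoSize

# 2. Attachments with an Office extension that the engine classified as a script
#    downloader (JS/...) or a macro dropper (WM/...). The extension alone says
#    nothing about the content, which is the argument for sandboxing attachments
#    instead of filtering by extension.
$officeExt      = '.doc', '.docx', '.docm'
$scriptFamilies = 'JS', 'WM'
$events |
    Where-Object { $_.Extension -in $officeExt -and $_.Family -in $scriptFamilies } |
    Select-Object Timestamp, SpoofedDomain, Attachment, Detection, SourceIP |
    Format-Table -AutoSize
```

On the constructed sample, the first table shows info@coop.ch with three notifications from two distinct hosts, and the second list contains every .docx/.docm/.doc row except the MSWord/Phishing one and the Malware_Generic one; the .zip row never appears in the second list because its extension is not an Office one. The same parser can be pointed at a real export once the field order is adjusted to what your gateway writes.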

Tags:

Exchange 2007 | Exchange 2013 | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

Exchange: Public Folder / System Folder replicate which ones?

by butsch 5. August 2016 03:26

This is a question we see often, and there is a KB article which gives a good overview of which folders come from which version of Exchange.

Sadly the Microsoft script .\AddReplicaToPFRecursive.ps1 (e.g. .\AddReplicaToPFRecursive.ps1 -server "SBSERVER2" -TopPublicFolder "\non_ipm_subtree" -ServerToAdd "SBSERVER2") does not take that KB into account and has no knowledge of what should and should not be replicated.

We had a case where the OLD Exchange 2010 "System Folders" under "\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1" were replicated from 2010 to a replacement 2010 DAG member. The customer also had McAfee Security for Exchange 8.5 P1 running, which lets you exclude Public Folders from mailbox scanning but NOT on the HUB transport function. Because we had a file filter for .JS, the replication of these files triggered an alert.

Here is the alert, caused by the .JS extension of files in the replicated old Exchange 2000 public folder structure:

Date/time sent: 08/04/2016 03:04:13

Subject: Folder Content Backfill Response

From: Stupid_Russian_SpammersPF11@post.ch

To: Stupid_Russian_SpammersPF13@csi.ch

Action taken: Deleted

Reason: File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter (ctrl_Tree20.js; ctrl_View20.js; dlg_anr.js; dlg_ANR20.js; dlg_gal.js; dlg_GAL20.js; dlg_MoveCopy20.js; dlg_NewFolder20.js; dlg_Options20.js; dlg_recurrence.js; dlg_Recurrence20.js)

File size: 329113

File: ctrl_Tree20.js; ctrl_View20.js; dlg_anr.js; dlg_ANR20.js; dlg_gal.js; dlg_GAL20.js; dlg_MoveCopy20.js; dlg_NewFolder20.js; dlg_Options20.js; dlg_recurrence.js; dlg_Recurrence20.js

Server on which this was done: SBBCARGEX22

Task: OnAccess (Transport)

McAfee DAT used: 8246.0000

 

 

Exchange OLE DB Provider

https://msdn.microsoft.com/en-us/library/aa142634(v=exchg.65).aspx

EXOLEDB Introduction

EXOLEDB creates a number of system folders under the NON_IPM_SUBTREE during the Accept Clients phase of message database (MDB) initialization. Some of the folders remain for historic reasons, but most have useful purposes. If the folders are deleted, it can affect the server. None of these folders should be replicated. The folders that are created include the following:

  • \NON_IPM_SUBTREE\schema-root\
  • \NON_IPM_SUBTREE\schema-root\Default
  • \NON_IPM_SUBTREE\schema-root\Microsoft\
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views
  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal
  • \NON_IPM_SUBTREE\OWAScratchPad

In all cases, subfolders named with the GUID correspond to the MDB object with the same GUID.

The first folders created are the schema folders.

Schema-Root

The following list introduces the schema-root:

  • \NON_IPM_SUBTREE\schema-root\

    This was introduced in Exchange 2000 Server.

  • \NON_IPM_SUBTREE\schema-root\Default

    This was introduced in Exchange 2000 Server Service Pack 1 (SP1).

  • \NON_IPM_SUBTREE\schema-root\Microsoft\

    This was introduced in Exchange 2000 Server SP1.

  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1

    This was introduced in Exchange 2000 Server SP1.

The following shows a typical schema path for a public MDB:

  • File://.BackOfficeStorage/<domain>/<TLHName>/NON_IPM_SUBTREE/schema-root/microsoft/exchangeV1

The private MDB schema path is under the system attendant mailbox.

EXOLEDB supports multiple schemas, or property type definitions. These folders support the Exchange Web Store development platform. The idea was that folder items could reference various versions of the schema and exist alongside each other. At one point in Exchange 2000 Server, schema files were in the schema root folder, and changes to the schema effectively propagated to all items. Because this led to problems in the application development workspace, where each item needed to be handled to remove or add props as appropriate, Microsoft adopted a versioning method. Under schema-root, Microsoft creates subfolders with application and version elements to allow effectively seamless upgrades. EXOLEDB watches the schema folders for changes, so that it can propagate the entries, dump the schema cache, and repopulate as processing occurs. The \schemaroot\default folder is where normal folder items obtain their schema, and the schema-root folder is flagged as pointing to the ExchangeV1 folder. EXOLEDB populates the schema entries from the .xml files, which are processed by an event sink, EXSCHEMA.EXE. The schema event sink binding cannot be deleted or removed, because it does not have an entry in the EventBindings folder like most events.

EXCHWEB, Views, IMG, and Controls

The following list introduces EXCHWEB, views, IMG, and controls:

\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb

\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls

\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img

\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views

Introduced in Exchange 2000 Server SP1, these items were not populated in Exchange 2000 Server Service Pack 3 (SP3), and they are not populated in Exchange Server 2003.

For the local store to open items that reference Microsoft Outlook® Web Access control functionality, the files must be in a folder that can be synchronized. These folders once contained copies of the Web data for Outlook Web Access to allow LIS stored items to open, but have never actually been used outside of LIS.

Next, EXOLEDB starts the event binding system, which creates StoreEvents.

 

StoreEvents

All store event folders described in the following list have been present since Exchange 2000 Server:

  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal

This is the event binding folder, where EXOLEDB stores information on events built to a specific MDB. At startup, EXOLEDB must enumerate the events here, which can lead to long store startup times with large event sink numbers. Exchange Server 2003 performance in this area is greatly improved, but time to mount an MDB is still affected by the number of rows. Each binding is validated for class, having a valid event method, such as onsave or ontimer, valid clsid, and sink parameters. Events with a match class of ANY can only be registered in the GlobalEvents subfolder.

After creating the schema folders and starting the event bindings system, EXOLEDB creates the Outlook Web Access scratch pad.

OWAScratchPad

 

The OWAScratchPad was introduced in Exchange 2000 Server SP1. It appears as follows:

  • \NON_IPM_SUBTREE\OWAScratchPad

Posts have to start out somewhere to have attachments, and for public store logons, that place is the Outlook Web Access scratch pad. Because Distributed Authoring and Versioning (DAV) does not cross MDB operations, you need a point on every mailbox where you can always write posts to, so that you can support adding attachments. The posts are staged in the OWAScratchPad until all attachments are added, or they are saved. The size limit on the Outlook Web Access scratch pad controls the size of attachments that can be added through Outlook Web Access. Attempts to post larger messages should result in the following error:

  • This item exceeds the maximum size defined for this folder and cannot be saved. Contact your administrator to have the folder limits increased.

The size of OWAScratchPad is always reset to 1 megabyte (MB) at EXOLEDB initialization if the registry key HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA REG_DWORD value "Message Size Limit" is not set. This is required for Microsoft SharePoint® Portal Server, because EXOLEDB has no idea if you are running in magma mode.

Outlook Web Access posts to the scratch pad are done in flat URL format, meaning they directly reference the folder and message. This is to support deep vroots where the friendly URL might be too long.

EXOLEDB Folders FAQ

Consider the following frequently asked questions (FAQs).

What causes duplicate system folders?

There are two categories for this question:

  • Active Directory objects   When a store is deleted, you have no way to tell Active Directory that the public folder objects went away. Then, when folders are re-created, they do not get attached to the corresponding Directory Service objects. New Directory Service objects are created.
  • Actual folders   If the folders are set to replicate, and the store in question is deleted, EXOLEDB will re-create the folders on startup, and replication can then create a second duplicate of any such folders. This causes problems with event bindings. Deleting the duplicate folders through friendly URLs is dangerous, because the two will often have duplicate friendly URLs.

Why do folders get strange names?

When the number of system folders with the same number grows, a random number is appended to the Directory Service proxy to make it unique, resulting in names like controls12345678.

Why can I not delete folders?

If you were to delete the folders, EXOLEDB would put them back. Also, most of these folders have uses that will adversely affect the operation of the server if not present.

How do I fix missing schema folders?

If schema folders are missing, that is, not present under the ipm subtree, setting the following registry key to a REG_DWORD value of 0, causes the schema to be repopulated:

HKLM\System\CurrentControlSet\MSExchangeIS\Parameters\Schema\<MDBGUID>

What permissions are used on schema folders?

EXOLEDB automatically grants everyone read access to schema folders. This access control list (ACL) could be modified, but would be deleted if schema propagation were re-triggered.

Do you need to replicate those folders when servers are decommissioned?

You do not have to replicate folder content as part of the replicate system folders procedures.
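As an added example (not from the post, and not Microsoft's AddReplicaToPFRecursive script), the following Exchange 2010 Management Shell snippet reports which of the EXOLEDB system folders listed above have ended up with more than one replica, which is exactly the state the recursive replica script produced in the case described. The function name is mine, the three subtree roots come from the list in this post, and the database name in $keepDatabase is a placeholder to be replaced with the original public folder database.

```powershell
# Added example, not the post's own code. Requires the Exchange 2010 Management
# Shell; Get-PublicFolder / Set-PublicFolder and the Replicas property are the
# legacy public folder cmdlets of that version.
$systemRoots = '\NON_IPM_SUBTREE\schema-root',
               '\NON_IPM_SUBTREE\StoreEvents',
               '\NON_IPM_SUBTREE\OWAScratchPad'

function Get-SystemFolderReplica {
    param([string[]]$Roots = $systemRoots, [string]$Server)
    foreach ($root in $Roots) {
        $params = @{ Identity = $root; Recurse = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $params.Server = $Server }
        Get-PublicFolder @params | ForEach-Object {
            [pscustomobject]@{
                Folder       = $_.Identity.ToString()
                ReplicaCount = @($_.Replicas).Count
                Replicas     = (@($_.Replicas | ForEach-Object { $_.ToString() }) -join ', ')
            }
        }
    }
}

# Report only: system folders that were replicated although they should never be.
$suspect = Get-SystemFolderReplica | Where-Object { $_.ReplicaCount -gt 1 }
$suspect | Format-Table -AutoSize

# Undo: keep only the original database as replica. $keepDatabase is a
# placeholder; review the report first, then drop -WhatIf.
$keepDatabase = 'PF-DB-ORIGINAL'
foreach ($f in $suspect) {
    Set-PublicFolder -Identity $f.Folder -Replicas $keepDatabase -WhatIf
}
```

Run the report step alone first; the -WhatIf on Set-PublicFolder keeps the second loop from changing anything until the list of folders and the database name have been checked against the environment.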

For More Information

For more information, see the following Exchange blog entry:

Tags:

Exchange 2007 | Exchange 2010 | Exchange 2013

Exchange: Powershell list all user who have a Forward or Redirect active

by butsch 8. June 2016 19:34

List or change inbox rules employees have created > automatic e-mail forwards to private or external e-mail systems.

Problem:

In Exchange 2010 users are able to forward e-mail themselves to an external private account. This is a problem for compliance, and even more so if you don't have DLP (Data Loss Prevention).

There are ways to prevent this (with a mail control rule > transport rule) or with an RBAC permission set. However, some technical accounts which HAVE to copy mail externally may then also be affected. See the end of this post for a solution, or at least a direction to go.

You do not see those forwards in the Exchange 2010/2013/2016 web console or GUI. However, you can see them with PowerShell.

 

 

This is what we are talking about in the Exchange 2010 GUI.

Here is how to find out which users in the Organization have such a forward or Redirect active.

Powershell command:

Forwards

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }

Redirects

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ReDirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

Another query, which does not catch everything (it only sees the mailbox-level ForwardingAddress, not inbox rules):

Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward

 

Prevent with RBAC (from Sike Fogarty - BPOS Support)

Source: https://blogs.technet.microsoft.com/lystavlen/2012/04/10/how-to-prevent-internal-users-from-autoforwaring-mails-to-external-recipients/

  1. New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter

    Sign in to the EAC, click Permissions > User Roles > click the plus sign to add an additional Role Assignment Policy, name it whatever you want, and under MyBaseOptions you will see the Disable-Auto-Forward option that you want to tick. Save the Role Assignment Policy.

    Assign the Role Assignment Policy to the user(s) desired.

     

    How to change or remove the INBOX forwarder a user created:

    List the rules of the user if you know the name (see above if you don't):

    Get-InboxRule -Mailbox user-alias | fl Name,Identity,ForwardTo,ForwardAsAttachmentTo

    Example:

    Get-InboxRule -Mailbox m.butsch | fl Name,Identity,ForwardTo,ForwardAsAttachmentTo

    Remove the inbox rule you want:

    Remove-InboxRule -Mailbox user-alias -Identity "NAME_YOU_SEE_ABOVE_WITH_OTHER_QUERY"

    Remove-InboxRule -Mailbox m.butsch -Identity "Send to NSA automatic"
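As an added example (not the post's own script), here is one audit that covers both places an Exchange 2010/2013 user can set up a forward: inbox rules (ForwardTo, RedirectTo, ForwardAsAttachmentTo) and the mailbox attributes ForwardingSmtpAddress / ForwardingAddress, which is the gap between the two queries above. Targets outside the organisation's accepted domains are flagged so that the technical accounts that legitimately copy mail externally can be reviewed instead of blocked blindly. The function names are mine; the output path follows the post's d:\edv convention and is an assumption.

```powershell
# Added example, not the post's own code. Run in the Exchange Management Shell.

function Test-ExternalTarget {
    param([string]$Target, [string[]]$AcceptedDomains)
    # Inbox-rule targets look like  "Name" [SMTP:user@example.com]  for SMTP
    # recipients and  "Name" [EX:/o=...]  for internal legacy-DN recipients.
    if ($Target -match 'SMTP:([^\]\s]+)')           { $smtp = $Matches[1] }
    elseif ($Target -match '^[^\s"\[]+@[^\s"\]]+$') { $smtp = $Target }
    else                                            { return $false }   # EX: = internal
    $domain = ($smtp -split '@')[-1].ToLower()
    # Exact match only; accepted domains that include subdomains would need a suffix test.
    return -not ($AcceptedDomains -contains $domain)
}

function Get-MailboxForwardReport {
    param([string[]]$AcceptedDomains)
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $owner = $mbx.PrimarySmtpAddress.ToString()

        # 1. Mailbox-level forwarding (what the post's Get-Mailbox query looks at)
        $mailboxTargets = @()
        if ($mbx.ForwardingSmtpAddress) {
            $mailboxTargets += ($mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', '')
        }
        if ($mbx.ForwardingAddress) {
            # ForwardingAddress points at a recipient object (often a mail contact);
            # resolve it to see where the mail really goes.
            $rcpt = Get-Recipient -Identity $mbx.ForwardingAddress.DistinguishedName -ErrorAction SilentlyContinue
            if ($rcpt) { $mailboxTargets += $rcpt.PrimarySmtpAddress.ToString() }
        }
        foreach ($t in $mailboxTargets) {
            [pscustomobject]@{
                Mailbox   = $owner
                Source    = 'MailboxAttribute'
                Rule      = 'Forwarding'
                Target    = $t
                External  = Test-ExternalTarget -Target $t -AcceptedDomains $AcceptedDomains
                KeepsCopy = [bool]$mbx.DeliverToMailboxAndForward
            }
        }

        # 2. Inbox rules (what the post's Get-InboxRule loops look at)
        $rules = Get-InboxRule -Mailbox $mbx.DistinguishedName -ErrorAction SilentlyContinue
        foreach ($rule in @($rules)) {
            foreach ($prop in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
                foreach ($t in @($rule.$prop)) {
                    if (-not $t) { continue }
                    [pscustomobject]@{
                        Mailbox   = $owner
                        Source    = 'InboxRule'
                        Rule      = "$($rule.Name) ($prop)"
                        Target    = $t.ToString()
                        External  = Test-ExternalTarget -Target $t.ToString() -AcceptedDomains $AcceptedDomains
                        KeepsCopy = ($prop -ne 'RedirectTo')   # RedirectTo leaves no copy behind
                    }
                }
            }
        }
    }
}

# Usage: the accepted domains come from the organisation itself.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$report   = Get-MailboxForwardReport -AcceptedDomains $accepted
$report | Export-Csv -NoTypeInformation -Encoding UTF8 -Path 'd:\edv\exchange_Forward_audit.csv'
$report | Where-Object { $_.External } | Format-Table Mailbox, Rule, Target, KeepsCopy -AutoSize
```

The KeepsCopy column is what makes a redirect the more dangerous case: a ForwardTo rule or a mailbox forward with DeliverToMailboxAndForward still leaves the message in the mailbox, a RedirectTo rule does not, so the owner never sees what left the company.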

     

     

Tags:

Exchange 2007 | Exchange 2010 | Exchange 2013

Exchange: ActiveSync 1053 Event, 4003 Error 2007/2010/2013/2016 AdminSDHolder

by butsch 2. June 2016 22:22

 

ActiveSync with Exchange 2013 does not work: the AdminSDHolder / ADMINCOUNT flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

Events:

We just had a user with ActiveSync problems after being migrated from 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

https://testconnectivity.microsoft.com/

showed all the information it could get, and one thing triggered alerts with us: 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was an issue back in the 2003 > 2007 migrations but it comes back again and again. The strange thing is that the test user account is only in a few groups and we never made it LOCALADMIN. But one group still seems to trigger the AdminSDHolder flag, which is supposed to protect special accounts like "IISUSER" or Administrator.

Then we saw why: if the user is a member of the group "PRINT OPERATORS", this is the case.

So GPO, ActiveSync and many other things will not work. This has been described here:

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

 

 

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the security inheritance of the account and all will work fine. See our other two posts on how to do that.

 

Activesync Log from https://testconnectivity.microsoft.com/

 

  

blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-X-DiagInfo: EXCHANGE2013BUTSCH

X-BEServer: EXCHANGE2013BUTSCH

Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

X-FEServer: EXCHANGE2013BUTSCH

 

Get a list of all users who have this behaviour:

On Windows Server 2008 R2, open the blue PowerShell:

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

Solution:

REMOVE the ADMINCOUNT = 1 FLAG with ADSIEDIT on a DC.

Change it to <NOT SET> with the CLEAR button on the account which has problems with iPhone / Android or any ActiveSync device.

Open the user in the ADUC console.

ActiveSync should now work again.

Important: You have 15 minutes TO do both steps: a) ADSIEDIT b) set the security inheritance correctly.
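As an added example (not from the post), the same check and fix done with the ActiveDirectory PowerShell module instead of ADSIEDIT and ADUC: report every account that carries adminCount=1 together with its group memberships (so a "Print Operators" membership like the one in this post stands out) and whether ACL inheritance on the object is blocked, then clear the flag and re-enable inheritance on one account, which are the author's steps a) and b). The function names are mine; the -WhatIf switch is there so the report can be reviewed before anything is changed.

```powershell
# Added example, not the post's own code. Needs the ActiveDirectory module
# (RSAT) and rights to modify the affected user objects.
Import-Module ActiveDirectory

function Get-AdminCountReport {
    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object;
    # AreAccessRulesProtected = $true means inheritance is blocked on the object,
    # which is what makes ActiveSync and move requests fail with INSUFF_ACCESS_RIGHTS.
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(adminCount=1))' `
               -Properties adminCount, memberOf, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                AdminCount         = $_.adminCount
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                GroupCount         = @($_.memberOf).Count
                Groups             = (@($_.memberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join '; '
            }
        }
}

function Repair-AdminCountUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$WhatIf)
    $u    = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $path = "AD:\$($u.DistinguishedName)"

    # Step a) from the post: clear adminCount (the CLEAR button in ADSIEDIT).
    Set-ADUser -Identity $u -Clear adminCount -WhatIf:$WhatIf

    # Step b) from the post: re-enable inheritance on the object's ACL.
    # SetAccessRuleProtection($false, ...) = inherit from parent; the second
    # argument only matters when protecting, so it is ignored here.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    if ($WhatIf) {
        Write-Host "What if: re-enabling ACL inheritance on $path"
    } else {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage: review first, then repair the one account that has the ActiveSync problem.
Get-AdminCountReport | Sort-Object InheritanceBlocked -Descending | Format-Table -AutoSize
Repair-AdminCountUser -SamAccountName 'testuser' -WhatIf
```

Both steps must be done on the same account; if the user is still a member of a protected group such as Print Operators, the AdminSDHolder process will set adminCount and block inheritance again on its next run, so the group membership has to be removed first for the fix to stick.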

 

Tags:

Exchange 2013 | Exchange 2010 | Exchange 2007

Exchange 2007 > 2013 Migration, Braindump / things used

by butsch 26. May 2016 21:59

Here are some steps and scripts we used for the Exchange 2007 > 2013 transition (migration > it's the same ;-)

Exchange 2007 side, Get Size and items in each box to migrate

[PS] D:\edv>Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

 

 

 

MOVE of Exchange mailboxes (if you move one, DO NOT forget to REMOVE the move request afterwards, especially if in the worst case you want to move a user back to 2007)

Get-MoveRequest

Get-MoveRequest | Get-MoveRequestStatistics

 

 

Remove-MoveRequest 2007ch

Get-MoveRequest -movestatus completed | remove-moverequest

 

----------------------------------------------------------

Back to 2007:

new-moverequest -identity 2007ch -targetdatabase "exchange2007\sg1\mb1"

----------------------------------------------------------

From 2007 to 2013:

new-moverequest -identity user1 -targetdatabase "mdb01ch"

new-moverequest -identity user2 -targetdatabase "mdb01ch"

Check health and read about that before you start the MIGRATION (maybe you will not start at all, and instead stop and move to 2010)

 

 

Check whether the 2013/2016 server is running properly:

 

Get-HealthReport -Server exchange2013 | where { $_.alertvalue -ne "Healthy" }

Get-MonitoringItemIdentity -Identity HubTransport -Server exchange2013 | ft Identity,ItemType,TargetResource -autosize

Get-ServerHealth -Identity munexc1 -HealthSet "HubTransport" | where { $_.alertvalue -ne "Healthy" } | fl Name

Get-ServerComponentState -Identity exchange2013

----------------------------------------------------------

 

Problem: large, growing DIAG / Health log files after the migration of 50 users and 3 days of runtime

(IF you are new to Exchange, DO NOT delete any transaction log files like the ones marked yellow below)

The diagnostic logs below YOU COULD delete, carefully. Start with the LARGE ones.

Don't start reading about Exchange 2013/2016 health sets or you will stop using Exchange 2013… ;-)

Here are some batch scripts to do that automatically:

 

https://gallery.technet.microsoft.com/Task-Scheduler-to-cleanup-25047622#content

Clean DIAG Logs

@echo off
:: Diagnostic Logfiles Remove
:: Delete *.log files older than 2 days below the Exchange logging folder
if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging" /s /m *.log /d -2 /c "cmd /c del @file"
:: ping with a 60 s timeout is used as a pause between the two cleanups
ping 1.1.1.1 -n 1 -w 60000 > nul
:: Delete all daily performance logs older than 2 days
if Exist "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" forfiles.exe /p "D:\Program Files\Microsoft\Exchange Server\V15\Logging\Diagnostics\DailyPerformanceLogs" /s /m *.* /d -2 /c "cmd /c del @file"
ping 1.1.1.1 -n 1 -w 60000 > nul
:: Optional: IIS logs (commented out)
:: forfiles.exe /p "c:\inetpub\logs\LogFiles" /s /m *.log /d -2 /c "cmd /c del @file"
:: ping 1.1.1.1 -n 1 -w 60000 > nul
Exit

 

Exchange Activesync Recycle

Do this for all users who were migrated and use Activesync

Also check the ADMINSDHOLDER (ADMINCOUNT) FLAG!

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Activesync-with-Exchange-2013-does-not-work-ADMINSHOLDER-Flag-(an-old-bad-friend).aspx

#Use this script to recycle IIS Application Pools to overcome the Exchange 2013 SP1 ActiveSync bug for migrated users
#Needs the "IIS 6 WMI Compatibility" feature on the CAS for the root/MicrosoftIISv2 namespace

#Only Exchange 2013 CAS carry a WorkloadManagementPolicy, older CAS do not
$CASServers = Get-ClientAccessServer | where {$_.WorkloadManagementPolicy -ne $null}

#Loop through each CAS2013 and recycle the IIS App Pools
foreach ($CAS in $CASServers) {
    Write-Host "Recycling App Pools on $($CAS.Name)..."
    $appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS.Name -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeAutodiscoverAppPool" }
    $appPool.Recycle()
    $appPool = Get-WmiObject -Authentication PacketPrivacy -Impersonation Impersonate -ComputerName $CAS.Name -namespace "root/MicrosoftIISv2" -class IIsApplicationPool | Where-Object {$_.Name -eq "W3SVC/AppPools/MSExchangeSyncAppPool" }
    $appPool.Recycle()
}

 

OR MANUALLY:

Do an IISRESET (that is not the same as above!). Just a base step!

If that does not work > also recycle the IIS application pools and reboot the Exchange.

Open the IIS console

Go to "Application Pools"

  • On the right side select "Recycle"
  • From "DefaultAppPool" downwards to "MSExchangeSyncAppPool" press Recycle on the RIGHT side of the IIS console

   

  

 

Dump all permissions of the Exchange virtual directories (IIS). This will help to get an overview of the permissions set in IIS and within Exchange.

http://www.butsch.ch/post/Exchange-20132016.aspx

The Russian blog has an excellent description of this script:

http://sysmagazine.com/posts/204454/

http://msbro.ru/index.php/archives/4705

Import-Module WebAdministration   # provides the IIS: drive and the Get-Web* cmdlets

get-website | ForEach-Object -Process {
    $xSite = "IIS:\sites\" + $_.Name
    cd $xSite
    $xSite
    $myWebApp = get-webApplication
    # one row per application: which authentication schemes are enabled and the SSL flags
    $myWebApp | Format-Table -AutoSize Path,
        @{Label = "Anonymous:";       Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/anonymousAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "Basic:";           Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/basicAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "ClientCert:";      Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/clientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "Digest:";          Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/digestAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "IIS client Cert:"; Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/iisClientCertificateMappingAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "Windows";          Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/authentication/windowsAuthentication -Name Enabled -PSPath $xSite -location $_.Path).value }},
        @{Label = "SSL Flags";        Expression = {(Get-WebConfigurationProperty -Filter /system.webServer/security/access -Name * -PSPath $xSite -location $_.Path).SSLflags }}
}

 

 

 

Tags:

Exchange 2007 | Exchange 2013

Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)

by butsch 18. May 2016 15:28

 


ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

We just had an ActiveSync problem with a user migrated from 2007 to 2013. The user was freshly created on 2007 and migrated back and forth a few times.

https://testconnectivity.microsoft.com/

showed all the info it could get, and one thing triggered alarms for us: 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was an issue back in 2003 > 2007 migrations, but it comes back again and again. The strange thing is that the test user account is only in a few groups and we never made it LOCALADMIN. But one group still seems to trigger the ADMINSDHOLDER flag, which should protect special accounts like "IISUSER" or Administrator.

Then we saw why: if the user is a member of the group "PRINT OPERATORS", this is the case.

So GPO, ActiveSync and many other things will not work. This has been mentioned here:

Good explanation from John Policelli

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

https://technet.microsoft.com/de-de/magazine/2009.09.sdadminholder.aspx

 

 

http://www.butsch.ch/post/Migrated-NT42000-users-are-unable-to-ActiveSync-with-Exchange-Code-0x85010014.aspx

http://www.butsch.ch/post/Exchange-2003-3e-2007-3e-2010-User-Move-Request-fails-ADMINCOUNT3d1-INSUFF_ACCESS_RIGHTS.aspx

Resolution:

FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.

 

The Red part below (RED-X)

Activesync Log from https://testconnectivity.microsoft.com/

 

  

blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pRRBknDTp58DusHBvAN8ud7YydsWys9YscJ5Agm9F2a7b6qIT%2bZ%2frM9%2btPQRyan97mInwoRsp1cgvsaffQtFPq9%2b%2fUjmh5g4UMvjYsM%2fVzVR2Of0c43FBQRBOkBfuavQW%2fwf%2fpr8BtFs28meQ0AAA%3d%3d_S111_Error:ADOperationException1%3aActive+Directory+operation+failed+on+MUNWDC1.butsch.ch.+This+error+is+not+retriable.+Additional+information%3a+Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_Mbx:EXCHANGE2013BUTSCH.butsch.ch_Dc:MUNWDC1.butsch.ch_Throttle0_SBkOffD:L%2f-470_DBL7_DBS1_CmdHC-1477255686_TmRcv08:05:50.2747716_TmSt08:05:50.2747716_TmDASt08:05:50.4310224_TmPolSt08:05:50.4622759_TmExSt08:05:50.4935244_TmExFin08:05:50.9622794_TmFin08:05:51.0716528_TmCmpl08:06:10.27494_ActivityContextData:ActivityID%3d5eeffb0c-62d3-46fe-994c-X-DiagInfo: EXCHANGE2013BUTSCH

X-BEServer: EXCHANGE2013BUTSCH

Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

X-FEServer: EXCHANGE2013BUTSCH

 

Get a list of all users who have this behaviour:

Windows Server 2008 R2, open the blue PowerShell (Active Directory module)

Import-Module ActiveDirectory

# several conditions must be wrapped in an LDAP AND expression (&...), otherwise the filter is invalid
Get-ADUser -LDAPFilter "(&(objectcategory=person)(samaccountname=*)(admincount=1))"

There is a simple way to determine which users and groups in your domain are protected by AdminSDHolder. You can query the adminCount attribute to determine whether an object is protected by the AdminSDHolder object. The following examples use the ADFind.exe tool, which can be downloaded from Joeware.net.

  • To find all objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

  • To find all user objects in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

  • To find all groups in a domain that are protected by AdminSDHolder, type:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

    Note: In the previous examples, replace DC=domain,DC=com with the distinguished name of your domain.
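As an added example (not from the original post), a PowerShell audit that lists every account carrying adminCount=1, resolves which protected group causes it (nested membership included, so a Print Operators membership through another group is found too), and repairs only the stale flags. It assumes the RSAT ActiveDirectory module and the default list of protected groups; the function names are our own.

```powershell
# Added example, not part of the original post: audit accounts flagged by
# AdminSDHolder (adminCount=1), show the protected group behind it, and repair
# only stale ones. Assumes the RSAT ActiveDirectory module (AD: drive included).
Import-Module ActiveDirectory

# Groups protected by AdminSDHolder on a default domain. Print Operators is the
# one that bit us in the post above.
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Domain Controllers', 'Schema Admins',
    'Enterprise Admins', 'Read-only Domain Controllers', 'Replicator'
)

function Get-AdminSdHolderUser {
    # Same query as in the post, as a proper LDAP AND expression.
    $filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
    foreach ($user in Get-ADUser -LDAPFilter $filter -Properties adminCount, nTSecurityDescriptor) {
        # Escape the DN for use inside an LDAP filter (RFC 4515 hex escapes).
        $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN: all groups the
        # user is in, directly or through nesting.
        $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            Where-Object { $ProtectedGroups -contains $_.Name } |
            Select-Object -ExpandProperty Name)

        [PSCustomObject]@{
            SamAccountName     = $user.SamAccountName
            DistinguishedName  = $user.DistinguishedName
            ProtectedGroups    = ($groups -join ', ')
            # adminCount=1 without any protected group is a stale flag: SDPROP sets
            # it but never clears it once the user has left the group.
            Stale              = ($groups.Count -eq 0)
            InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
        }
    }
}

function Repair-AdminSdHolderUser {
    # Clears the stale flag and re-enables ACL inheritance on the account.
    # Refuses accounts still in a protected group: SDPROP would strip the
    # inheritance again within the hour, so fix the group membership first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Audit)
    process {
        if (-not $Audit.Stale) {
            Write-Warning "$($Audit.SamAccountName): still in $($Audit.ProtectedGroups); not repaired"
            return
        }
        if ($PSCmdlet.ShouldProcess($Audit.SamAccountName, 'clear adminCount and restore inheritance')) {
            Set-ADUser -Identity $Audit.DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$($Audit.DistinguishedName)"
            $acl.SetAccessRuleProtection($false, $true)   # inherit from the parent OU again, keep existing ACEs
            Set-Acl -Path "AD:\$($Audit.DistinguishedName)" -AclObject $acl
        }
    }
}

# Usage: Get-AdminSdHolderUser | Format-Table -AutoSize
#        Get-AdminSdHolderUser | Repair-AdminSdHolderUser -WhatIf   # drop -WhatIf to apply
```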

     

Tags:

Exchange 2007 | Exchange 2010 | Exchange 2013 | Microsoft Exchange | Server 2012 R2

Exchange 2007 > 2013 Transition/Migration, POPUP on Outlook 2010 or Public Folder can’t be open from 2007

by butsch 27. April 2016 20:08

 


 

Error1: When you click a public folder that lies on 2007 in Outlook.exe:

"Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance."

A 401 entry is logged in the IIS log file on the 2007 side.

Error2: Even if you have selected the option not to download other resources or public folders, you receive constant "Windows Security" authentication popups asking for username and password. Outlook.exe shows a password prompt at some point, even if you chose "Remember my credentials".

Quick Reason:

You have to change the authentication for "Outlook Anywhere" on the old 2007 side to NTLM.

The general reason is that Exchange 2013 works OVER "Outlook Anywhere" all the time. To make it correct you could enable "Outlook Anywhere" afterwards on the old Exchange 2007. Warning: enabling this function runs for 10-60 minutes depending on your Exchange 2007. Read and search more if it is not enabled on the old Exchange 2007 and you want to do that while the old 2007 is in production. Most blogs don't mention that; most of them do 2007>2010>2013 and some 2007>2013 directly, but they assume you already have "Outlook Anywhere" enabled on 2007 before you begin the swing transition (migration).

Explained:

Exchange 2007 and 2013 Coexistence:

  • Exchange 2013 runs with Outlook Anywhere
  • If you have Outlook Anywhere on 2007, change a) the authentication and b) the internal and external URL to something other than on the 2013
  • Both authentication settings for the "Outlook Anywhere" option have to be the same, for example "NTLM" only.

  • You have an existing Exchange 2007 running and a fresh 2013 setup
  • Exchange 2013 is ready and ALL virtual directories are changed in PowerShell
  • The SAN/UC certificate with a) the old Exchange name (sample: old.company.ch), Autodiscover.company.ch and newserver.company.ch is ordered, imported and activated
  • Just ONE user was moved from 2007 > 2013; the rest of them are still on the 2007 side
  • Autodiscover is set up correctly in DNS, also for the old name (important: this can be whatever, some use the term legacy [it does not have to be legacy.customer.ch!]) and also for the new names of the new Exchange 2010.

 

 

Check the log files on Exchange 2007 under:

C:\inetpub\logs\LogFiles\W3SVC1\*.*

Search for the string "/rpc/rpcproxy.dll"

This is the health check that Exchange 2013 does:

RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0

Control the settings on the Exchange 2007:

get-OutlookAnywhere -Server "servername2007" | fl identity, IISAuthenticationMethods

Set-OutlookAnywhere -Identity "servername2007\Rpc (Default Web Site)" -IISAuthenticationMethods Ntlm

Or in the GUI on the Exchange 2007:

Do an IISRESET.

If that does not work > also recycle the IIS application pools and reboot the 2007.

Open the IIS console

Go to "Application Pools"

  • On the right side select "Recycle"
  • From "DefaultAppPool" downwards to "MSExchangeSyncAppPool" press Recycle on the RIGHT side of the IIS console

 

 

After the change, the IIS log file should show a 500 value:

2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021
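As an added example (not from the original post), a small PowerShell parser that reads the 2007 IIS log, picks out the Exchange 2013 RPC-proxy health pings and reports the status each one received, so the 401 before and the 500 after the NTLM change can be checked without reading raw log lines. The two sample lines are the ones from this post; the #Fields header is constructed (the default W3C field order that matches them).

```powershell
# Added example, not from the original post: report the status the Exchange 2013
# HttpProxy ping gets from the 2007 RPC proxy. Sample lines are the post's, the
# #Fields header is constructed to match their column order.
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-04-26 13:50:01 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0
2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021
'@

function Get-RpcProxyPingStatus {
    param([Parameter(Mandatory)] [string[]] $LogLines)   # W3C IIS log lines, header included
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {                    # the log declares its own column order
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Only the 2013 HttpProxy probe against the 2007 RPC proxy is of interest
        if ($rec['cs-uri-stem'] -ne '/rpc/rpcproxy.dll') { continue }
        if ($rec['cs(User-Agent)'] -notlike 'HttpProxy.ClientAccessServer*Ping') { continue }

        # 401.2: IIS rejected the authentication scheme the 2013 server offered,
        # i.e. the Rpc virtual directory on 2007 is not on NTLM yet.
        # 500 is what the post reports once IISAuthenticationMethods is Ntlm.
        $verdict = switch ($rec['sc-status']) {
            '401'   { 'authentication mismatch: set IISAuthenticationMethods to Ntlm on the 2007 side' }
            '500'   { 'expected after the NTLM change (per the post)' }
            default { 'unexpected status, check the 2007 server' }
        }
        [PSCustomObject]@{
            Time    = "$($rec['date']) $($rec['time'])"
            From    = $rec['c-ip']
            Status  = "$($rec['sc-status']).$($rec['sc-substatus'])"
            Verdict = $verdict
        }
    }
}

# Against the real log of the day (file name is an example):
#   Get-RpcProxyPingStatus (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex160426.log')
Get-RpcProxyPingStatus ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```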

 

Change on the client side

IF the account is still on 2007 and uses ONLY Outlook Anywhere, you then have to change something in outlook.exe on each client that is a laptop or workgroup machine and not domain joined. If Autodiscover and the EXPR record are correct, this should work by itself.

 

 

 

Tags:

Exchange 2007 | Exchange 2010 | Exchange 2013

Exchange Netvault/Netapp: Failed backup leftover Snapshots

by butsch 14. March 2016 17:58
  • Dell Netvault Backup Agent 9.2.0.17
  • SME for Exchange 6.1
  • Netapp Snapdrive 7.0.2.6322

You have LEFTOVER symbolic links on all drives or an OLD NvbuShadowCopy directory on LUNs you handle with Netvault Backup.

Solution 1a)

Stuck left over drives from failed backup in Netapp Plugin:

Solution 1b)

In cmd.exe

Diskshadow

List shadows all

Search for corresponding leftover folder like "E:\NvbuShadowCopy_2052"

Get the SHADOW COPY ID of the stuck one

* Shadow copy ID = {e08f4105-1d42-4d53-afdd-838247c03529}  <No Alias>
  - Shadow copy set: {e9f98574-49b1-4df1-bcb9-67d5c485764a}  <No Alias>
  - Original count of shadow copies = 4
  - Original volume name: \\?\Volume{b304d909-0cc1-11e4-b5ec-0050568121c3}\ [E:\]
  - Creation time: 30.11.2015 12:34:36
  - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  - Originating machine: server12.customer.ch
  - Service machine: server12.customer.ch
  - Exposed locally as: E:\NvbuShadowCopy_2052\
  - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
  - Attributes: No_Auto_Release Persistent Differential

 

Delete it:

Delete shadows id {e08f4105-1d42-4d53-afdd-838247c03529}

 

https://support.software.dell.com/netvault-backup/kb/92760

Tags:

Exchange 2010 | Exchange 2007

Exchange 2007/2010/2013 with SPLIT DNS and ONE single Certificate

by butsch 4. March 2015 14:59

Problem:

You have to renew an Exchange SAN/UC certificate and you can't do this anymore after 2015 because it contains a NON-EXTERNAL top-level domain like ".LOCAL". Your options:

  1. Rename the full Windows domain in a 1-year project and have fun
  2. Integrate a SPLIT DNS as below and bend all Exchange URLs to the same FQDN

Main Technet Link:

http://support.microsoft.com/kb/940726/en-us

 

I personally don't like this solution since in the most complex cases you may end up in trouble with some special cases like "RPC-over-HTTP" (Outlook Anywhere) and some Autodiscover functions.

On the other side, I don't like wildcard certs for this, because if you have one the other departments want to use the same certificate and in the end everyone uses it. Worst, it then lies around on laptops and servers if you don't control it strictly.

Currently, still March 2015, this is the only quick and fast solution if your customer has a Windows domain with a .LOCAL top-level domain. Mostly it's urgent because the cert has expired.

 

Just to mention that there is another way, but this needs planning and time.

Enterprise way:

Internal domain: cover these with your own internal certificate authority (ask if you have one; make a separate project for that, because it's sensitive and complex).

External domain: use a cert provider SAN/UC certificate as we had before for all external FQDNs.

This enterprise mix, however, leads us to splitting the CAS/OWA directories onto separate SITES within IIS (because of only 1 cert per IIS site) or making separate CAS servers for internal and external (which Microsoft does not want us to do).

On the other side, if we have load balancers for the CAS, mostly those separate CAS are not in the load balancer HA team.

 

 

Timeline for SAN/UC certs with a .local ending or non-external top-level domain (www.technet.local)

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Such a SAN certificate which includes .LOCAL is not valid anymore after a certain date, and you can't reorder it. (Screenshot)

Powershell: Get-exchangecertificate | fl

In the green box there are the .LOCAL top-level domains that you can't COVER anymore in ONE cert in 2015.

INTERNAL DNS NAME:    customer.local (the Active Directory domain)

EXTERNAL DNS NAME:    customer.ch (your web server, FTP, MX e-mail domain from external)

Third-level domain: async.customer.ch

Why can't I renew?

 

Because we can't get a UC/SAN certificate with such names after November 2015 anymore, we have to convert the DNS into a SPLIT DNS setup. That means we copy the external DNS into the internal DNS. Even if you CAN renew it, it WILL only run until November 2015 with some cert issuers.

http://www.butsch.ch/post/Exchange-Certificates-Aenderung-CAS-Outlook-mit-local-Domain.aspx

Make the SPLIT DNS

 

See links at end for more help on the SPLIT DNS.

SPLIT DNS: copy the external ZONE file to the internal Active Directory DNS

  1. Get the info from the external ZONE file from the provider/ISP, e.g. customer.ch. Ask them for an extract (copy) of the ZONE file for your external domain.
  2. Create a new Active Directory integrated forward ZONE with the same name "customer.ch" internally
  3. Create the A records internally so INTERNAL users can reach www and ftp also from internal (these are shown on the right side). Make "FTP" and "WWW" point to the same IP as external. (If you don't do that, your INTERNAL users will not be able to reach the external website or cloud service you use with your ISP)
  4. The ASYNC record in OUR sample POINTS to the IP of the Exchange 2010 CAS
  5. On the external DNS, ASYNC points to our firewall and then to the Exchange 2010 CAS

This is how this may look.

Get the NEW SINGLE FQDN Certificate

 

 

We now need to change all FQDNs that Exchange uses for the different services to the SAME FQDN the SINGLE domain cert was issued for.

FQDN the single domain certificate was ordered for: async.customer.ch

OLD entry in Exchange somewhere:

https://async.customer.local/OAB

NEW:

https://async.customer.ch/OAB

 

Analyze the values you need to change by Powershell

 

 

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE1

get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri

WAS:

Identity : CAS1

AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml

SET NEW:

Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE2

get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl

WAS:

InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx

ExternalUrl : https://mobile.customer.local/ews/exchange.asmx

SET NEW:

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://async.customer.ch/EWS/Exchange.asmx

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl https://async.customer.ch/EWS/Exchange.asmx

-------------------------------------------------------------------------------------------------------------------------------------

CHANGE3

get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl

WAS:

InternalUrl : http://cas1.customer.local/OAB

ExternalUrl : https://mobile.customer.local/OAB

SET NEW:

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl http://async.customer.ch/OAB

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl http://async.customer.ch/OAB

-------------------------------------------------------------------------------------------------------------------------------------

If you don't have the UM service (Unified Messaging), leave that.

Change Values in Exchange 2010 GUI

 

Change all other things in Exchange 2010 GUI on the tabs below to corresponding values.

Some you may have changed above already. Check them twice.

 

 

 

  • Do this for all possible locations: Web App/ActiveSync/Offline Address Book etc.
  • Do this for INTERNAL and EXTERNAL (set the SAME value)
  • Do not change ANYTHING behind the FQDN name, as in the example below
  • AT the end restart Exchange or open CMD.exe and run IISRESET

OLD:

https://async.customer.local/OAB

NEW:

https://async.customer.ch/OAB
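As an added example (not from the original post), a PowerShell check that covers CHANGE1 to CHANGE3 and the GUI tabs in one go: it lists every Exchange 2010 client URL whose host is not the single-name certificate FQDN and, with -Fix, rewrites only the host part so that scheme, port and path stay untouched, as demanded above. It assumes the Exchange Management Shell; CAS1 and async.customer.ch are the post's sample names and the function name is our own.

```powershell
# Added example, not from the original post: audit (and optionally fix) all
# Exchange 2010 URLs against the single-name certificate FQDN.
function Get-ExchangeUrlMismatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CertificateFqdn,   # e.g. 'async.customer.ch'
        [string] $Server = 'CAS1',                           # the post's sample CAS name
        [switch] $Fix
    )
    # Warn when no certificate for that name is enabled for IIS yet (the
    # "Activate the Certificate" step below still has to be done).
    $iisCert = Get-ExchangeCertificate | Where-Object {
        "$($_.Services)" -match 'IIS' -and (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $CertificateFqdn)
    }
    if (-not $iisCert) { Write-Warning "no IIS-enabled certificate for $CertificateFqdn; run Enable-ExchangeCertificate -Services IIS" }

    # Where the URLs live: CHANGE1..3 from the post plus OWA, ECP and ActiveSync from the GUI tabs.
    $targets = @(
        @{ Get = { Get-ClientAccessServer -Identity $Server };        Props = @('AutoDiscoverServiceInternalUri'); Set = 'Set-ClientAccessServer' }
        @{ Get = { Get-WebServicesVirtualDirectory -Server $Server }; Props = @('InternalUrl', 'ExternalUrl');    Set = 'Set-WebServicesVirtualDirectory' }
        @{ Get = { Get-OABVirtualDirectory -Server $Server };         Props = @('InternalUrl', 'ExternalUrl');    Set = 'Set-OABVirtualDirectory' }
        @{ Get = { Get-OwaVirtualDirectory -Server $Server };         Props = @('InternalUrl', 'ExternalUrl');    Set = 'Set-OwaVirtualDirectory' }
        @{ Get = { Get-EcpVirtualDirectory -Server $Server };         Props = @('InternalUrl', 'ExternalUrl');    Set = 'Set-EcpVirtualDirectory' }
        @{ Get = { Get-ActiveSyncVirtualDirectory -Server $Server };  Props = @('InternalUrl', 'ExternalUrl');    Set = 'Set-ActiveSyncVirtualDirectory' }
    )
    foreach ($t in $targets) {
        foreach ($obj in @(& $t.Get)) {
            foreach ($prop in $t.Props) {
                $current = [string]$obj.$prop
                if (-not $current) { continue }                      # URL not set: nothing to compare
                $uri = [Uri]$current
                if ($uri.Host -ieq $CertificateFqdn) { continue }     # already on the certificate name
                $builder = [UriBuilder]$uri
                $builder.Host = $CertificateFqdn                      # only the host changes, path and scheme stay
                $wanted = $builder.Uri.AbsoluteUri
                [PSCustomObject]@{ Identity = "$($obj.Identity)"; Property = $prop; Current = $current; Wanted = $wanted }
                if ($Fix -and $PSCmdlet.ShouldProcess("$($obj.Identity) $prop", "set to $wanted")) {
                    $param = @{ $prop = $wanted }
                    & $t.Set -Identity $obj.Identity @param           # e.g. Set-OABVirtualDirectory -Identity ... -InternalUrl ...
                }
            }
        }
    }
}

# Usage: Get-ExchangeUrlMismatch -CertificateFqdn 'async.customer.ch' | Format-Table -AutoSize
#        Get-ExchangeUrlMismatch -CertificateFqdn 'async.customer.ch' -Fix -WhatIf   # drop -WhatIf to apply, then IISRESET
```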

 

Activate the Certificate in Exchange 2010 GUI or Powershell and RESET IIS

 

Activate the new SINGLE Certificate in Exchange for IIS.

 

Get-exchangecertificate | fl

Get the thumbprint, sample: 020564B683E9D540DA0DF20A

enable-exchangecertificate -identity 020564B683E9D540DA0DF20A -Services "IIS"

 

AT the end Restart Exchange:

CMD.exe then IISRESET

 

References:

 

SPLIT DNS, Windows Server 2008: The Definitive Guide

https://books.google.de/books?id=H7RgtZEgUvsC&pg=PA137&dq=split+dns&hl=de&sa=X&ei=a9H2VMrNJ4TXyQPBkoFg&ved=0CCcQ6AEwAQ#v=onepage&q=split%20dns&f=false

SPLIT DNS with ISA

http://www.isaserver.org/img/upl/isabokit/9dnssupport/9dnssupport.htm#_Toc63649957

Exchange PRO

http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/

Main Technet Link

http://support.microsoft.com/kb/940726/en-us

 

Tags:

Exchange 2007 | Exchange 2010 | Microsoft Exchange | Server 2012 R2

Outlook/Exchange: Finding malformed calendar entries yourself

by butsch 22. January 2015 16:28

Finding malformed calendar entries in Outlook.exe yourself.

This primarily concerns calendars that are in public folders, but it can also happen with regular entries.

Choose Calendar / List view so that you see all appointments from A-Z:

Check WHETHER AN END AND START DATE ARE PRESENT

Double-click the APPOINTMENT if you see it NOW

Recurrence type:

Mandatory and always good > set an end date

e.g. a fictitious 2025

Check the category: no special category that the user created himself. Best to use only the ones

that exist in Outlook. (don't create your own)

Links from us:

http://www.butsch.ch/post/Exchange-Public-Folder-Migration-Search-for-Recurring-meeting-with-no-End-date.aspx

Tags:

Exchange 2007 | Exchange 2010


