Exchange 2010 2016 Migration, OAB Error, moved user, 0x8004010F

Migration Exchange 2010-2013-2016, OAB Error Outlook 2016, Exchange 2016

You want do download an Offline Adressbook OAB with a User which you migrated to Exchange 2016 at some point. You get Error "0x8004010F" while doing the Sync.



You checked all the OAB Settings on both Servers


Server Name Internal Url External Url

BUTSCHCAS1 OAB (Default Web Site)

BUTSCHEXC2 OAB (Default Web Site)

BUTSCHEXC1 OAB (Default Web Site)

Get-OfflineAddressBook | fl name,virtualdirectories

Name : Standard Offlineadressliste

VirtualDirectories : {BUTSCHCAS1\OAB (Default Web Site)}

Name : Standard Offlineadressliste (Ex2013)

VirtualDirectories : {}


The VirtualDirectories : {} is correct. Do not change.

This will assure that the request goes the FRONTEND (Default Web Site) or BACKEND part of the IIS Setup of Exchange 2016. Leave that.

If you messed around with Virtualdiretories of OAB > Reset it back what it was (Will only do this on 2016)


The offline address book "\Standard Offlineadressliste (Ex2013)" has virtual directories specified. Run the following

command to remove those virtual directories before attempting to set the GlobalWebDistributionEnabled parameter to


Set-OfflineAddressBook "\Standard Offlineadressliste (Ex2013)" -VirtualDirectories $null

Fix on all 2016 you have:

Get-OfflineAddressBook | Where {$_.ExchangeVersion.ExchangeBuild.Major -Eq 15} | Set-OfflineAddressBook -GlobalWebDistributionEnabled $True -VirtualDirectories $null


You checked all but still some pre-migrated or test users are unable to download the Offline Adressbook OAB from the 2016.

Check with Autokonfiguration

*uncheck checkbox GUESS both

* Run Test

* Check XML search <OABURL>

If you find the <OABURL>*** Line > good

If you do not find the <OABURL>*** Line > bad, you have the error we talk about

If you do not see this line in XML something is wrong and the reason you see the error led you here.


Move the User who has the problem 2016 side into another mailboxdatabase this will reset, per user, the OAB and maybe correct it.

new-moverequest -identity user02 -targetdatabase "mdb01" -baditemlimit 49 -Priority Emergency

Check again after move. Close and open Outlook >

Make Sure your Domain Controller (If more than one > Are synced).

Maybe Clear all APP-POOL's Cache > recycle under IIS of Exchange 2016 (If needed).

Re-open Outlook.exe

  • Incrementall will first fail
  • Re-sync FULL OAB (Not incremental > Remove checkbox)

Works now perfect

Check now and you will see that NOW you have the line we talked about

McAfee Security for Exchange 8.6, Display Bug warning Dat out of date

EPO integrated McAfee Security for Exchange 8.6 SP2

If you have a fully integrated Mcafee Security for Exchange which you manage the POLICY and SETTINGS from the EPO (Not on the Exchange itself)

you may see an error in the GUI where it says "Your Anti-Virus DAT may be out of DATE".

That is just the warning if check the DAT it's fine and up to date.

DAT Update Button in GUI on Exchange itself does not seem to update

The server actually has the latest DAT. As example on the left side below you see 9730 which is the DAT from 31.08.2020 as example.

Just the Update function does not understand the server received the DAT from the EPO instead from WAN.

Often Exchange behind Load Balancer like Kemp or F5 have limited WAN Internet access.

Some Tips:

  • On smaller Exchange > Sometimes you can solve this by changing the Schedule like from 08:00 to 08:01 (Just add a minute) And update > Maybe fine
  • If not behind Load Balancer > You may have to check your WAN access from the Exchange Server and if he can get the DAT from Mcafee
  • If you download the DAT manual from Mcafee and try to install you will see that you already have the newest version.

Screenshot from 1. September 2020

Check in EPO under Products

If you can't get it to working for whatever reason, PUSH the DAT from McAfee EPO direct to the Exchange Server

where McAfee Security for Exchange runs. The Error in the GUI will stay.

Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)


Activesync with Exchange 2013 does not work, ADMINSHOLDER Flag (an old bad friend)

ERROR YOU SEE: Access+is+denied.%0d%0aActive+directory+response%3a+00000005%3a+SecErr%3a+DSID-03152612%2c+problem+4003+(INSUFF%5FACCESS%5FRIGHTS)%2c+data+0%0a_

We just had a user with Activesync with a user migrated from 2007 to 2013. The user was fresh made on 2007 and migrated forth and back a few times.

Did show all info he can get and one thing triggered alerts with us. 4003+(INSUFF%5FACCESS%5FRIGHTS)

This was back 2003 > 2007 Migrations but comes again and again. Strange thing is that the test user account is only in a few groups and we never made him LOCALADMIN. But one group still seems to trigger the ADMINSHOLDER flags which should protect special accounts like "IISUSER" or Administrator.

Then we did see why. If the user is member of the group "PRINT OPERATORS" this will be the case.

So GPO, Activesync and many other things will not work. This has been mentioned here:

Good explanation from John Pollicelli


FIX the Inheritance of the account and all will work fine. See our other two posts on how to do that.


The Red part below (RED-X)

Activesync Log from



blUh4pH%2b19L4b%2fRk6uRZ%2bwFDxipa3umOc5NWKd8j3WZE%2f1rztOVQr3A7yqhQbWsCubcT0xJwV4JpO6fVK4ruS7rFkPgTuafoTzZOwv5kvn2wZAkGBr1hGm6NGz8%2fo4vFol0hWLVSJE3%2fX78fmSReawv4CBVixAAzyTR%2bm65WPSw86qwPxjfVseQiOrJ9qzUR8%2bPztEYmDjqvAfiVSNT6ouXwZf8%2fIpLnSalOyvp6n73yvkLu9rfgOsaQxOzJAX1TueDMkuiGV1EsG6HEYy3lD0Mdxo40pR EXCHANGE2013BUTSCH


Cache-Control: private

Content-Type: text/html; charset=utf-8

Set-Cookie: ClientId=IARSMT0ZIEEVVIXDSSW; expires=Thu, 18-May-2017 08:05:50 GMT; path=/; HttpOnly,X-BackEndCookie=S-1-5-21-4456168801-1912567065-1745900225-5325=u56Lnp2ejJqBysnJysyZzJzSz5maztLLnZvO0sabnszSncrHms3JzZ7Jm8zIgYHNz87J0s/J0s7Iq8/Hxc/Jxc7P; expires=Fri, 17-Jun-2016 08:06:10 GMT; path=/Microsoft-Server-ActiveSync; secure; HttpOnly

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET



Get a list of all user who have such a behaviour:

Windows Server 2008R2, blaue Powershell aufmachen

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)"

Es gibt eine einfache Möglichkeit, um festzustellen, welche Benutzer und Gruppen in Ihrer Domäne AdminSDHolder geschützt.Sie können Abfragen das Attribut AdminCount, um festzustellen, ob ein Objekt durch das AdminSDHolder-Objekt geschützt ist.Die folgenden Beispiele verwenden das ADFind.exe-Tool, das von Joeware gedownloadet werden kann.NET.

  • Suchen alle Objekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f "adminCount=1" DN

  • Suchen alle Benutzerobjekte in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectcategory=person)(objectclass=user)(admincount=1))" DN

  • Suchen alle Gruppen in einer Domäne, die durch AdminSDHolder geschützt sind, geben Sie:

    Adfind.exe -b DC=domain,DC=com -f "(&(objectclass=group)(admincount=1))" DN

    Hinweis: Ersetzen Sie in den vorherigen Beispielen, DC = Domain, DC = com mit dem definierten Namen Ihrer Domäne.


Exchange 2010 SP3 RU9 / 2013 CU8, ROLLUP and Android problems

A remote mailbox user receives the following error message when he or she tries to configure Exchange Active Sync account on an Android device:

Setup could not finish

Failed to search Exchange server automatically. Enter settings manually


If the MobileSyncRedirectBypass feature is causing the problem, you can turn it off by editing the web.config file for the Autodiscover protocol:

  1. Locate the web.config file for the Autodiscover protocol:
    1. For Exchange Server 2013 MBX, the file is in the following location:


    2. For Exchange Server 2010 CAS, the file is in the following location:


  2. Open the web.config in Notepad, and then change the existing string from "true" to "false."
  3. Save the file.
  4. Run IISRESET /Norecycle.

Follow these steps on all CAS servers that will receive Autodiscover queries from devices.

Exchange 2007/2010/2013 with SPLIT DNS and ONE single Certificate


You have to renew an Exchanger SAN/UC-Certificate and you can't do this anymore after 2015 because it contains a NON EXTERNAL First Level Extension like ".LOCAL".

  1. Rename the Full Windows Domain in a 1 year project and have fun
  2. Integrate a SPLIT DNS as below, Bend all Exchange URL to the same FQDN

Main Technet Link:


I personally don't like this solution since you may in most complex case end up in trouble with some special cases like "RPC-over-HTTP" (Outlook anywhere) and some Autodiscover functions.

On the other side don't like Wildcard Certs for this because if you have that the other departments want to use the same Certificate and at the end everyone uses it. Worst it lays around on laptops and Servers then if you don't Controll it strict.

Currently still March 2015 this is the only solution quick and fast if you customer has a First Level Windows Domain with .LOCAL. Most it's urgent because Cert has expired.


Just to mention that there is another way but this needs planning and time

Enterprise way:

Internal Domain: Cover these with your own internal Certificate Authority (Ask if you have one, make a project separate for that because it's sensitive and complex) .

External Domain: Use a Cert Provider SAN/UC-Certificate as we had before for all external FQDN

This enterprise mix however leads us to splitting the CAS/OWA Directories on separates SITES within the IIS (Because of only 1 Cert per IIS-Site) or we make single separate CAS Server for internal and external (Which Microsoft does not want us).

On the other side if we have Load Balancers for the CAS mostly those separate CAS are not in the Load Balancer HA team.



Timeline for SAN/UC Certs with Local ending or non-external First level (www.technet.local)

Such a SAN Certificate which includes LOCAL is not valid anymore after some date. And you can't reorder it. (Screenshot)

Powershell: Get-exchangecertificate | fl

In Green BOX there are the First Level Domains .LOCAL Domains that you can't COVERY anymore in ONE Cert in 2015.

INTERNAL DNS NAME:    customer.local (The Active Directory Domain)

EXTERNAL DNS NAME: (Your Webserver, FTP, MX-E-Mail Domain from external)

Third level DOMAIN:

Why can't I renew?


Because we can't make a UC/SAN-certificate after November 2015 anymore we have to convert the DNS into SPLIT DNS setup. That means we copy the Extern DNS into Internal DNS. Even if you CAN renew it WILL only run until November 2015 with some Cert Issuer.

Make the SPLIT DNS


See links at end for more help on the SPLIT DNS.

SPLIT DNS Copy External ZONE File to internal Active Directory DNS

  1. Get the info from External ZONE file from the Provider ISP like Ask them you need an extract (copy) of the ZONE file for your external Domain.
  2. Do a new Active Directory integrated Forward ZONE File with same name "" internal
  3. Make the A-Records internal so INTERNAL users can reach www and ftp also from internal (These are shown on the right side). Make "FTP", "WWW" point to same IP as the external. (If you don't do that your INTERNAL users will not be able to reach the External Website or Cloud Service you use with your ISP)
  4. The ASYNC in OUR sample POINTS to the IP of the Exchange 2010 CAS
  5. On the External DNS the ASYNC points to our Firewall and then to the Exchange 2010 CAS

This is how this may look.

Get the NEW SINGLE FQDN Certificate



We need to change all FQDN that Exchange uses for different Service now to the SAME FQDN the SINGLE Domain Cert runs on.

FQDN Single Domain Certificate was ordered for:

OLD Entry in Exchange somewhere:





Analyze the values you need to change by Powershell





get-ClientAccessServer | fl Identity,AutodiscoverServiceInternalUri


Identity : CAS1

AutoDiscoverServiceInternalUri : https://async.customer.local/Autodiscover/Autodiscover.xml


Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri



get-WebServicesVirtualDirectory | fl Identity, InternalUrl , ExternalUrl


InternalUrl : https://cas1.customer.local/EWS/Exchange.asmx

ExternalUrl : https://mobile.customer.local/ews/exchange.asmx


Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -ExternalUrl



get-OABVirtualDirectory | fl Identity, InternalUrl, ExternalUrl


InternalUrl : http://cas1.customer.local/OAB

ExternalUrl : https://mobile.customer.local/OAB


Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -ExternalUrl


If you don't have UTM Service (Unified Messaging leave that)

Change Values in Exchange 2010 GUI


Change all other things in Exchange 2010 GUI on the tabs below to corresponding values.

Some you may have changed above already. Check them twice.




  • Do this for all possible location Web app/Activesync/Offline etc.
  • DO this for INTERNAL and EXTERNAL (Set the SAME value)
  • Do not change AYNTHING behind the FQDN name as example
  • AT the end Restart Exchange or do a CMD.exe then IISRESET






Activate the Certificate in Exchange 2010 GUI or Powershell and RESET IIS


Activate the new SINGLE Certificate in Exchange for IIS.


Get-exchangecertificate | fl

Get the GUID sample: 020564B683E9D540DA0DF20A

enable-exchangecertificate -identity 020562B683E5D540DA0DF20A -Services "IIS"


AT the end Restart Exchange:





SPLIT DNS, Windows Server 2008: The Definitive Guide


Exchange PRO

Main Technet Link