Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Exchange Server
Exchange content updates
What's new in Exchange Server
What's discontinued in Exchange Server
Updates for Exchange Server
Exchange Server build numbers and release dates
Exchange Server release notes
Architecture
Mailbox servers
Manage databases
Manage mailbox moves
Prep mailboxes for cross-forest moves
Prep mailboxes for cross-forest moves in PowerShell
MRS Proxy endpoint
Recreate arbitration mailboxes
Edge Transport servers
Edge Subscriptions
Edge Subscription procedures
Configure without EdgeSync
Address rewriting
Address rewriting procedures
Import address rewrite entries
Client Access
Exchange admin center
Disable Exchange admin center access
Autodiscover
Load Balancing
Kerberos auth for load balanced Client Access
Certificates
Certificate procedures
Create CA certificate requests
Complete pending certificate requests
Assign certificates to services
Create self-signed certificates
Renew certificates
Export certificates
Import certificates
Client message size limits
Availability service
Availability service for cross-forest topologies
Plan and deploy
Exchange Server system requirements
Exchange prerequisites
Install Office Online Server
Active Directory
AD Access
AD Schema changes in Exchange Server
AD Changes
Prepare AD and domains
Deploy new installations
Install Mailbox role
Install Edge Transport role
Unattended installs
Delegate installations
Create Azure test environments
Install Cumulative Updates
Exchange Server supportability matrix
Virtualization
Integration with SharePoint and Skype
Configure OAuth
Post-installation tasks
Enter product key
Configure mail flow and client access
Verify installation
Install management tools
Configure IM integration with OWA
Change OAB generation schedule
Configure certificate based auth
Deployment ref
Readiness checks
ms.exch.setupreadiness.ADAMDataPathExists
ms.exch.setupreadiness.AdInitErrorRule
ms.exch.setupreadiness.RsatClusteringCmdInterfaceInstalled
ms.exch.setupreadiness.CannotAccessAD
ms.exch.setupreadiness.ComputerNotPartofDomain
ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall
ms.exch.setupreadiness.DelegatedCafeFirstInstall
ms.exch.setupreadiness.DelegatedClientAccessFirstInstall
ms.exch.setupreadiness.DelegatedMailboxFirstInstall
ms.exch.setupreadiness.DelegatedUnifiedMessagingFirstInstall
ms.exch.setupreadiness.ForestLevelNotWin2003Native
ms.exch.setupreadiness.GlobalServerInstall
ms.exch.setupreadiness.GlobalUpdateRequired
Host record not in DNS
ms.exch.setupreadiness.InstallOnDCInADSplitPermissionMode
ms.exch.setupreadiness.LoggedOntoDomain
ms.exch.setupreadiness.RebootPending
User not member of Schema Admins
ms.exch.setupreadiness.UcmaRedistMsi
ms.exch.setupreadiness.UnwillingToRemoveMailboxDatabase
ms.exch.setupreadiness.WarningInstallExchangeRolesOnDomainController
ms.exch.setupreadiness.Win7RpcHttpAssocCookieGuidUpdateNotInstalled
ms.exch.setupreadiness.DelegatedFrontendTransportFirstInstall
ms.exch.setupreadiness.NoE14ServerWarning
ms.exch.setupreadiness.PendingRebootWindowsComponents
ms.exch.setupreadiness.Exchange2000or2003PresentInOrg
ms.exch.setupreadiness.ValidOSVersion
ms.exch.setupreadiness.PowerShellExecutionPolicyCheckSet
ms.exch.setupreadiness.FqdnMissing
ms.exch.setupreadiness.WarnMapiHttpNotEnabled
ms.exch.setupreadiness.E16E12CoexistenceMinVersionRequirement
ms.exch.setupreadiness.E16E14CoexistenceMinVersionRequirement
ms.exch.setupreadiness.E16E15CoexistenceMinVersionRequirement
ms.exch.setupreadiness.NoE15ServerWarning
ms.exch.setupreadiness.Win2k12RefsUpdateNotInstalled
ms.exch.setupreadiness.Win2k12RollupUpdateNotInstalled
ms.exch.setupreadiness.Win2k12UrefsUpdateNotInstalled
ms.exch.setupreadiness.Win2k16LSARollupUpdateNotInstalled
ms.exch.setupreadiness.IsServerCoreInstalled
Editions and versions
Language support
Storage configuration
Network ports
Services overview
Exchange 2019 preferred architecture
Permissions
Role groups
Role group members
Role assignment policies
Policy assignments for mailboxes
Feature permissions
RBAC permissions
Policy and compliance permissions
Antispam and antimalware permissions
Mail flow permissions
Recipient permissions
Address book permissions
Sharing and collaboration permissions
Client and mobile device permissions
UM permissions
HA permissions
Infrastructure permissions
Server health permissions
Recipients
Create user mailboxes
User mailboxes
Email addresses
Email forwarding
Message delivery restrictions
Mailbox message size limits
Storage quotas
Deleted Item retention and Recoverable Items quotas
Convert mailboxes
Single item recovery
Recover deleted messages
Linked mailboxes
Distribution groups
Mail-enabled security groups
Dynamic distribution groups
View dynamic distribution group members
Mail contacts
Mail users
Room mailboxes
Equipment mailboxes
Disconnected mailboxes
Disable or delete mailboxes
Connect disabled mailboxes
Restore deleted mailboxes
Permanently delete mailboxes
Mailbox custom attributes
Mailbox permissions
Mailbox moves
Mailbox import and export
Import procedures
Export procedures
Clients
MAPI over HTTP
Configure MAPI over HTTP
MAPI mailbox access
Exchange ActiveSync
ActiveSync mailbox access
Mobile device mailbox policies
Mobile devices
Configure email access
Remote wipe
POP3 and IMAP4
Configure POP3
Configure IMAP4
Configure mailbox access
Configure authenticated SMTP
Outlook for iOS and Android
Use hybrid Modern Auth
Use Basic auth
Account setup
Passwords and security
Manage devices
Default virtual directory settings
Outlook on the web
Mailbox access
Virtual directories
HTTP to HTTPS redirection
Mailbox policies
Themes
Customize Outlook on the web
AD FS claims-based auth
Client Access Rules
Procedures for Client Access Rules
Mail flow
Accepted domains
Accepted domain procedures
Connectors
Receive connectors
Custom Receive connectors
Modify SMTP banners
Allow anonymous relay
Send connectors
Internet mail Send connectors
Outbound smart host routing
Proxy outbound mail
Protocol logging
Configure protocol logging
Mail routing
Connector selection
Recipient resolution
Transport high availability
Shadow redundancy
Safety Net
Transport logs
Message tracking
Configure message tracking
Search message tracking logs
Delivery reports
Track messages with delivery reports
Connectivity logging
Configure connectivity logging
Queues
Queue procedures
Queue properties
Export messages
Message procedures
Message properties
Queue Viewer
Queued message properties
Queues and messages in PowerShell
Relocate queue database
Message intervals
Configure message intervals
Non-delivery reports and bounce messages
NDR procedures
Content conversion
Message encoding
TNEF conversion
Message size limits
Message rate limits
Back pressure
Test SMTP with telnet
Collaboration
Site mailboxes
Public folders
FAQ
Limits
Deployment considerations
Migrate to Office 365 Groups
Procedures
Configure legacy public folders for hybrid
Batch migration from previous versions
Migrate to Exchange Online
Roll back Exchange Online migration
Migrate Exchange 2010 public folders to Exchange Online
Batch migration to Office 365 Groups
Migrate from Exchange 2013
New organizations
Create public folder mailboxes
Create public folders
Mail enable or disable
View statistics
Shared mailboxes
Create shared mailboxes
Email addresses and address books
Email address policies
EAP procedures
Offline address books
OAB procedures
Address lists
Address list procedures
Address book policies
ABP scenarios
ABP procedures
Policy and compliance
In-Place Archiving
Manage archives
Holds
In-Place Holds
Litigation Holds
Place all mailboxes on hold
Preserve Bcc recipients and group members
eDiscovery
Assign permissions
Create searches
Copy results to discovery mailboxes
Export results to PST
Message properties and search operators
Search public folders
Compliance Search
Delete messages
MRM
Retention tags and retention policies
Retention age
Create retention policies
Apply retention policies to mailboxes
Configure Managed Folder Assistant
Admin audit logging
Log structure
Manage admin audit logging
Mailbox audit logging
Enable or disable
Non-owner mailbox access reports
Data loss prevention
Sensitive information types
Information Rights Management
Journaling
Journaling procedures
Mail flow rules
Conditions and exceptions
Actions
Signatures
Mail flow rule procedures
Recoverable Items folder
Clean up deleted items
SMIME
High availability
HA changes
Database availability groups
Active Manager
DAC mode
Database copies
AutoReseed
MetaCacheDatabase setup
Plan HA
Deploy HA
Manage HA
Manage DAGs
Create DAGs
Pre-stage DAG CNOs
Azure VMs as DAG witness servers
Remove DAGs
Configure DAG AutoReseed
Configure DAG network properties
Create DAG networks
DAG memberships
Configure DAG properties
Manage database copies
Add db copies
Configure db properties
Move db copies
Configure activation policies
Update db copies
Suspend resume db copies
Activate db copies
Activate lagged db copies
Remove db copies
Monitor DAGs
Switchovers and failovers
Datacenter switchovers
Server switchovers
Disaster recovery
Windows Server Backup
Backup with Windows Server Backup
Restore with Windows Server Backup
Recover Exchange servers
Recover DAG member servers
Recovery databases
Create recovery dbs
Restore data using recovery dbs
Database portability
Dial tone portability
Dial tone recovery
Managed availability
Health sets
Configure overrides
Server health
Workload management
Antispam and antimalware
Antispam protection
Antispam on Mailbox servers
Antispam stamps
View antispam stamps in Outlook
Configure antispam settings
Content filtering
Content filtering procedures
Safelist aggregation
Safelist aggregation procedures
Spam quarantine
Configure quarantine mailboxes
Show quarantined message original senders
Release quarantined messages
SCL
Sender filtering
Sender filtering procedures
Sender ID
Sender ID procedures
Sender reputation
Sender reputation procedures
Attachment filtering
Attachment filtering procedures
Connection filtering
Connection filtering procedures
Recipient filtering
Recipient filtering procedures
Antimalware protection
Antimalware procedures
Download antimalware updates
Windows antivirus software
Unified Messaging in Exchange Server 2016
About documentation
Accessibility
Third-party copyrights
Exchange admin center keyboard shortcuts
Privacy statement
Welcome to Microsoft Exchange Server! Here's some fundamental and essential information to help you dig in.
Set up Outlook
What's new
Looking for information on prior versions of Exchange Server? Documentation for Exchange Server 2010 and Exchange Server
2013 is also available on TechNet.
Exchange content updates
8/23/2019 • 6 minutes to read • Edit Online
This topic lists Exchange Server and Exchange Online topics that have been changed over the last several weeks.
Exchange Server 2019 brings a new set of technologies, features, and services to Exchange Server, the messaging
platform that provides email, scheduling, and tools for custom collaboration and messaging service applications.
Its goal is to support people and organizations as their work habits evolve from a communication focus to a
collaboration focus. At the same time, Exchange 2019 helps lower the total cost of ownership whether you deploy
Exchange 2019 on-premises or provision your mailboxes in the cloud.
Choose the section below that matches the version of Exchange that you're upgrading from. If you want to know
about features that have been removed or replaced in Exchange 2019, see What's discontinued in Exchange
Server.
For more information about deploying Exchange 2019, see Planning and deployment for Exchange Server.
NOTE
Supported Web browsers for Outlook on the web in Exchange 2019 are Microsoft Edge, Internet Explorer 11, and the most
recent versions of Mozilla Firefox, Google Chrome, and Apple Safari.
The former Outlook Web App user interface has been updated and optimized for tablets and smart phones, in
addition to desktop and laptop computers. New Exchange 2019 features include:
Platform -specific experiences for phones for both iOS and Android.
Premium Android experience using Chrome on devices running Android version 4.2 or later.
Email improvements, including a new single-line view of the Inbox with an optimized reading pane,
archiving, emojis, and the ability to undo mailbox actions like deleting a message or moving a message.
Contact linking the ability for users to add contacts from their LinkedIn accounts.
Calendar has an updated look and new features, including email reminders for Calendar events, ability to
propose a new time in meeting invitations, improved search, and birthday calendars.
Search suggestions and refiners for an improved search experience that helps users find the information
they want, faster. Search suggestions try to anticipate what the user's looking for and returns results that
might be what the user is looking for. Search refiners will help a user more easily find the information
they're looking for by providing contextually-aware filters. Filters might include date ranges, related senders,
and so on.
New themes Thirteen new themes with graphic designs.
Options for individual mailboxes have been overhauled.
Link preview which enables users to paste a link into messages, and Outlook on the web automatically
generates a rich preview to give recipients a peek into the contents of the destination. This works with video
links as well.
Inline video player saves the user time by keeping them in the context of their conversations. An inline
preview of a video automatically appears after inserting a video URL.
Pins and Flags which allow users to keep essential emails at the top of their inbox (Pins) and mark others
for follow -up (Flags). Pins are now folder specific, great for anyone who uses folders to organize their email.
Quickly find and manage flagged items with inbox filters or the new Task module, accessible from the app
launcher.
Performance improvements in a number of areas across Outlook on the web, including creating calendar
events, composing, loading messages in the reading pane, popouts, search, startup, and switching folders.
New Outlook on the web action pane that allows you to quickly click those actions you most commonly
use such as New, Reply all, and Delete. A few new actions have been added as well including Archive,
Sweep, and Undo.
MAPI over HTTP
MAPI over HTTP is now the default protocol that Outlook uses to communicate with Exchange. MAPI over HTTP
improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the
industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced
recoverability. Additional functionality includes support for an explicit pause-and-resume function, which enables
supported clients to change networks or resume from hibernation while maintaining the same server context.
Note: MAPI over HTTP isn't enabled in organizations where the following conditions are both true:
You're installing Exchange 2019 in an organization that already has Exchange 2013 servers installed.
MAPI over HTTP wasn't enabled in Exchange 2013.
While MAPI over HTTP is now the default communication protocol between Outlook and Exchange, clients that
don't support it will fall back to Outlook Anywhere (RPC over HTTP ).
For more information, see MAPI over HTTP in Exchange Server.
Document collaboration
Exchange 2019, along with SharePoint Server 2019, enables Outlook on the web users to link to and share
documents that are stored in OneDrive for Business in an on-premises SharePoint server instead of attaching files
to messages. Users in an on-premises environment can collaborate on files in the same manner that's used in
Office 365.
For more information about SharePoint Server 2019, see New and improved features in SharePoint Server 2019.
When an Exchange 2019 user receives a Word, Excel, or PowerPoint file in an email attachment, and the file is
stored in OneDrive for Business or on-premises SharePoint, the user will now have the option of viewing and
editing that file in Outlook on the web alongside the message. To do this, you'll need a separate computer in your
on-premises organization that's running Office Online Server. For more information, see Install Office Online
Server in an Exchange organization.
Exchange 2019 also brings the following improvements to document collaboration:
Saving files to OneDrive for Business.
Uploading a file to OneDrive for Business.
Most Recently Used lists populated with both local and online files.
Office 365 hybrid
The Hybrid Configuration Wizard (HCW ) that was included with Exchange 2013 is moving to become a cloud-
based application. When you choose to configure a hybrid deployment in Exchange 2019, you'll be prompted to
download and install the wizard as a small app. The wizard will function the same in previous versions of
Exchange, with a few new benefits:
The wizard can be updated quickly to support changes in the Office 365 service.
The wizard can be updated to account for issues detected when customers try to configure a hybrid
deployment.
Improved troubleshooting and diagnostics to help you resolve issues that you run into when running the
wizard.
The same wizard will be used by everyone configuring a hybrid deployment who's running Exchange 2013
or later.
In addition to Hybrid Configuration Wizard improvements, multi-forest hybrid deployments are being simplified
with Azure Active Directory Connect (AADConnect). AADConnect introduces management agents that will make
it significantly easier to synchronize multiple on-premises Active Directory forests with a single Office 365 tenant.
For more information about AADConnect, see Integrating your on-premises identities with Azure Active Directory.
Exchange ActiveSync clients will be seamlessly redirected to Office 365 when a user's mailbox is moved to
Exchange Online. To support this, ActiveSync clients need to support HTTP 451 redirect. When a client is
redirected, the profile on the device is updated with the URL of the Exchange Online service. This means the client
will no longer attempt to contact the on-premises Exchange server when trying to find the mailbox.
Messaging policy and compliance
There are several new and updated message policy and compliance features in Exchange 2019.
Data loss prevention
To comply with business standards and industry regulations, organizations need to protect sensitive information
and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from
leaking outside your organization include credit card numbers, social security numbers, health records, or other
personally identifiable information (PII). With a DLP policy and mail flow rules (also known as transport rules) in
Exchange 2019, you can now identify, monitor, and protect 80 different types of sensitive information with new
conditions and actions:
With the new condition Any attachment has these properties, including any of these words, a mail
flow rule can match messages where the specified property of the attached Office document contains
specified words. This condition makes it easy to integrate your Exchange mail flow rules and DLP policies
with SharePoint, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party
classification system.
With the new action Notify the recipient with a message, a mail flow rule can send a notification to the
recipient with the text you specify. For example, you can inform the recipient that the message was rejected
by a mail flow rule, or that it was marked as spam and will be delivered to their Junk Email folder.
The action Generate incident report and send it to has been updated to enable the notification of
multiple recipients by allowing a group address to be configured as the recipient.
To learn more about DLP, see Data loss prevention in Exchange Server.
In-place Archiving, retention, and eDiscovery
Exchange 2019 includes the following improvements to In-Place Archiving, retention, and eDiscovery to help your
organization meet its compliance needs:
Public folder support for In-Place eDiscovery and In-Place Hold: Exchange 2019 integrates public
folders into the In-Place eDiscovery and Hold workflow. You can use In-Place eDiscovery to search public
folders in your organization, and you can put an In-Place Hold on public folders. And similar to placing a
mailbox on hold, you can place a query-based and a time-based hold on public folders. Currently, you can
only search and place a hold on all public folders. In later releases, you'll be able to choose specific public
folders to search and place on hold. For more information, see Search and place a hold on public folders
using In-Place eDiscovery.
Compliance Search: Compliance Search is a new eDiscovery search tool in Exchange 2019 with new and
improved scaling and performance capabilities. You can use it to search very large numbers of mailboxes in
a single search. In fact, there's no limit on the number of mailboxes that can be included in a single search,
so you can search all mailboxes in your organization at once. There's also no limit on the number of
searches that can run at the same time. For In-Place eDiscovery in Exchange 2019, the limits are the same
as in Exchange 2013: you can search up to 10,000 mailboxes in a single search and your organization can
run a maximum of two In-Place eDiscovery searches at the same time.
In Exchange 2019, Compliance Search is only available by using the Exchange Management Shell. For
information about using the Compliance Search cmdlets, see the following topics:
Get-ComplianceSearch
New -ComplianceSearch
Remove-ComplianceSearch
Set-ComplianceSearch
Start-ComplianceSearch
Stop-ComplianceSearch
NOTE
To have access to the Compliance Search cmdlets, an administrator or eDiscovery manager must be assigned
the Mailbox Search management role or be a member of the Discovery Management role group.
For more information, see Messaging policy and compliance in Exchange Server.
Improved performance and scalability
In Exchange 2019, the search architecture has been redesigned. Previously, search was a synchronous operation
that was not very fault-tolerant. The new architecture is asynchronous and decentralized. It distributes the work
across multiple servers and keeps retrying if any servers are too busy. This means that we can return results more
reliability, and faster.
Another advantage of the new architecture is that search scalability is improved. The number of mailboxes you can
search at once using the console has increased from 5k to 10k for both mailboxes and archive mailboxes, allowing
you to search a total of 20k mailboxes at the same time.
Microsoft Exchange Server 2016 brings a new set of technologies, features, and services to Exchange Server, the
messaging platform that provides email, scheduling, and tools for custom collaboration and messaging service
applications. Its goal is to support people and organizations as their work habits evolve from a communication
focus to a collaboration focus. At the same time, Exchange 2016 helps lower the total cost of ownership whether
you deploy Exchange 2016 on-premises or provision your mailboxes in the cloud.
Choose the section below that matches the version of Exchange that you're upgrading from. If you want to know
about features that have been removed or replaced in Exchange 2016, see What's discontinued in Exchange
Server.
For more information about deploying Exchange 2016, see Planning and deployment.
Outlook Web App is now known as Outlook on the web, which continues to let users access their Exchange
mailbox from almost any web browser.
NOTE
Supported Web browsers for Outlook on the web in Exchange 2016 are Microsoft Edge, Internet Explorer 11, and the most
recent versions of Mozilla Firefox, Google Chrome, and Apple Safari.
The former Outlook Web App user interface has been updated and optimized for tablets and smart phones, in
addition to desktop and laptop computers. New Exchange 2016 features include:
Platform -specific experiences for phones for both iOS and Android.
Premium Android experience using Chrome on devices running Android version 4.2 or later.
Email improvements, including a new single-line view of the Inbox with an optimized reading pane,
archiving, emojis, and the ability to undo mailbox actions like deleting a message or moving a message.
Contact linking the ability for users to add contacts from their LinkedIn accounts.
Calendar has an updated look and new features, including email reminders for Calendar events, ability to
propose a new time in meeting invitations, improved search, and birthday calendars.
Search suggestions and refiners for an improved search experience that helps users find the information
they want, faster. Search suggestions try to anticipate what the user's looking for and returns results that
might be what the user is looking for. Search refiners will help a user more easily find the information
they're looking for by providing contextually-aware filters. Filters might include date ranges, related senders,
and so on.
New themes Thirteen new themes with graphic designs.
Options for individual mailboxes have been overhauled.
Link preview which enables users to paste a link into messages, and Outlook on the web automatically
generates a rich preview to give recipients a peek into the contents of the destination. This works with video
links as well.
Inline video player saves the user time by keeping them in the context of their conversations. An inline
preview of a video automatically appears after inserting a video URL.
Pins and Flags which allow users to keep essential emails at the top of their inbox (Pins) and mark others
for follow -up (Flags). Pins are now folder specific, great for anyone who uses folders to organize their email.
Quickly find and manage flagged items with inbox filters or the new Task module, accessible from the app
launcher.
Performance improvements in a number of areas across Outlook on the web, including creating calendar
events, composing, loading messages in the reading pane, popouts, search, startup, and switching folders.
New Outlook on the web action pane that allows you to quickly click those actions you most commonly
use such as New, Reply all, and Delete. A few new actions have been added as well including Archive,
Sweep, and Undo.
MAPI over HTTP
MAPI over HTTP is now the default protocol that Outlook uses to communicate with Exchange. MAPI over HTTP
improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the
industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced
recoverability. Additional functionality includes support for an explicit pause-and-resume function, which enables
supported clients to change networks or resume from hibernation while maintaining the same server context.
Note: MAPI over HTTP isn't enabled in organizations where the following conditions are both true:
You're installing Exchange 2016 in an organization that already has Exchange 2013 servers installed.
MAPI over HTTP wasn't enabled in Exchange 2013.
While MAPI over HTTP is now the default communication protocol between Outlook and Exchange, clients that
don't support it will fall back to Outlook Anywhere (RPC over HTTP ).
For more information, see MAPI over HTTP in Exchange 2016.
Document collaboration
Exchange 2016, along with SharePoint Server 2016, enables Outlook on the web users to link to and share
documents that are stored in OneDrive for Business in an on-premises SharePoint server instead of attaching files
to messages. Users in an on-premises environment can collaborate on files in the same manner that's used in
Office 365.
For more information about SharePoint Server 2016, see New and improved features in SharePoint Server 2016.
When an Exchange 2016 user receives a Word, Excel, or PowerPoint file in an email attachment, and the file is
stored in OneDrive for Business or on-premises SharePoint, the user will now have the option of viewing and
editing that file in Outlook on the web alongside the message. To do this, you'll need a separate computer in your
on-premises organization that's running Office Online Server. For more information, see Install Office Online
Server in an Exchange 2016 organization.
Exchange 2016 also brings the following improvements to document collaboration:
Saving files to OneDrive for Business.
Uploading a file to OneDrive for Business.
Most Recently Used lists populated with both local and online files.
Office 365 hybrid
The Hybrid Configuration Wizard (HCW ) that was included with Exchange 2013 is moving to become a cloud-
based application. When you choose to configure a hybrid deployment in Exchange 2016, you'll be prompted to
download and install the wizard as a small app. The wizard will function the same in previous versions of
Exchange, with a few new benefits:
The wizard can be updated quickly to support changes in the Office 365 service.
The wizard can be updated to account for issues detected when customers try to configure a hybrid
deployment.
Improved troubleshooting and diagnostics to help you resolve issues that you run into when running the
wizard.
The same wizard will be used by everyone configuring a hybrid deployment who's running Exchange 2013
or Exchange 2016.
In addition to Hybrid Configuration Wizard improvements, multi-forest hybrid deployments are being simplified
with Azure Active Directory Connect (AADConnect). AADConnect introduces management agents that will make
it significantly easier to synchronize multiple on-premises Active Directory forests with a single Office 365 tenant.
For more information about AADConnect, see Integrating your on-premises identities with Azure Active Directory.
Exchange ActiveSync clients will be seamlessly redirected to Office 365 when a user's mailbox is moved to
Exchange Online. To support this, ActiveSync clients need to support HTTP 451 redirect. When a client is
redirected, the profile on the device is updated with the URL of the Exchange Online service. This means the client
will no longer attempt to contact the on-premises Exchange server when trying to find the mailbox.
Messaging policy and compliance
There are several new and updated message policy and compliance features in Exchange 2016.
Data loss prevention
To comply with business standards and industry regulations, organizations need to protect sensitive information
and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from
leaking outside your organization include credit card numbers, social security numbers, health records, or other
personally identifiable information (PII). With a DLP policy and mail flow rules (also known as transport rules) in
Exchange 2016, you can now identify, monitor, and protect 80 different types of sensitive information with new
conditions and actions:
With the new condition Any attachment has these properties, including any of these words, a mail
flow rule can match messages where the specified property of the attached Office document contains
specified words. This condition makes it easy to integrate your Exchange mail flow rules and DLP policies
with SharePoint, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party
classification system.
With the new action Notify the recipient with a message, a mail flow rule can send a notification to the
recipient with the text you specify. For example, you can inform the recipient that the message was rejected
by a mail flow rule, or that it was marked as spam and will be delivered to their Junk Email folder.
The action Generate incident report and send it to has been updated to enable the notification of
multiple recipients by allowing a group address to be configured as the recipient.
To learn more about DLP, see Data loss prevention in Exchange 2016.
In-place Archiving, retention, and eDiscovery
Exchange 2016 includes the following improvements to In-Place Archiving, retention, and eDiscovery to help your
organization meet its compliance needs:
Public folder support for In-Place eDiscovery and In-Place Hold: Exchange 2016 integrates public
folders into the In-Place eDiscovery and Hold workflow. You can use In-Place eDiscovery to search public
folders in your organization, and you can put an In-Place Hold on public folders. And similar to placing a
mailbox on hold, you can place a query-based and a time-based hold on public folders. Currently, you can
only search and place a hold on all public folders. In later releases, you'll be able to choose specific public
folders to search and place on hold. For more information, see Search and place a hold on public folders
using In-Place eDiscovery.
Compliance Search: Compliance Search is a new eDiscovery search tool in Exchange 2016 with new and
improved scaling and performance capabilities. You can use it to search very large numbers of mailboxes in
a single search. In fact, there's no limit on the number of mailboxes that can be included in a single search,
so you can search all mailboxes in your organization at once. There's also no limit on the number of
searches that can run at the same time. For In-Place eDiscovery in Exchange 2016, the limits are the same
as in Exchange 2013: you can search up to 10,000 mailboxes in a single search and your organization can
run a maximum of two In-Place eDiscovery searches at the same time.
In Exchange 2016, Compliance Search is only available by using the Exchange Management Shell. For
information about using the Compliance Search cmdlets, see the following topics:
Get-ComplianceSearch
New -ComplianceSearch
Remove-ComplianceSearch
Set-ComplianceSearch
Start-ComplianceSearch
Stop-ComplianceSearch
NOTE
To have access to the Compliance Search cmdlets, an administrator or eDiscovery manager must be assigned
the Mailbox Search management role or be a member of the Discovery Management role group.
For more information, see Messaging policy and compliance in Exchange 2016.
Improved performance and scalability
In Exchange 2016, the search architecture has been redesigned. Previously, search was a synchronous operation
that was not very fault-tolerant. The new architecture is asynchronous and decentralized. It distributes the work
across multiple servers and keeps retrying if any servers are too busy. This means that we can return results more
reliability, and faster.
Another advantage of the new architecture is that search scalability is improved. The number of mailboxes you can
search at once using the console has increased from 5k to 10k for both mailboxes and archive mailboxes, allowing
you to search a total of 20k mailboxes at the same time.
Data loss prevention (DLP ) capabilities help you protect your sensitive data and inform users of internal
compliance policies. DLP can also help keep your organization safe from users who might mistakenly send
sensitive information to unauthorized people. DLP helps you identify, monitor, and protect sensitive data through
deep content analysis. Exchange 2016 offers built-in DLP policies based on regulatory standards such as
personally identifiable information (PII) and payment card industry data security standards (PCI), and is extensible
to support other policies important to your business. With a DLP policy in Exchange 2016, you can now identify,
monitor, and protect 80 different types of sensitive information. For more information, see Sensitive information
types in Exchange 2016. Additionally, the new policy tips in Outlook 2016 inform users about policy violations
before sensitive data is sent.
To learn more, see Data loss prevention in Exchange 2016
Mail flow rules (transport rules )
You can use Exchange mail flow rules (also known as transport rules) to look for specific conditions in messages
that pass through your organization and take action on them. For example, your organization might require that
certain types of messages are blocked or rejected in order to meet legal or compliance requirements, or to
implement specific business needs. Mail flow rules are similar to the Inbox rules that are available in Outlook. The
main difference between mail flow rules and Inbox rules is that mail flow rules take action on messages while
they're in transit as opposed to after the message is delivered. Mail flow rules also contain a richer set of
conditions, exceptions, and actions, which gives you the flexibility to implement many types of messaging policies.
These features are new to mail flow rules in Exchange 2016:
Exchange mail flow rules can now identify 80 different types of sensitive information, including 30 new
sensitive information types focusing on identifiers from South America, Europe, and Asia. These 80 built-in
types are included, but you can also develop your own type from scratch. For more information on these
sensitive information types, see Sensitive information types in Exchange 2016.
With the new condition Any attachment has these properties, including any of these words, a mail
flow rule can match messages where the specified property of the attached Office document contains
specified words. This condition makes it easy to integrate your Exchange mail flow rules and DLP policies
with SharePoint, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party
classification system.
With the new action Notify the recipient with a message, a mail flow rule can send a notification to the
recipient with the text you specify. For example, you can inform the recipient that the message was rejected
by a mail flow rule, or that it was marked as spam and will be delivered to their Junk Email folder.
The action Generate incident report and send it to has been updated to enable the notification of
multiple recipients by allowing a group address to be configured as the recipient
Additional mail flow rules predicates and actions.
For more information, see Mail flow rules in Exchange 2016.
Azure Rights Management connector
The Azure Rights Management connector (also known as the Microsoft Rights Management connector or RMS
connector) is an optional application that helps you enhance data protection for your Exchange 2016 server by
connecting to the cloud-based Azure Rights Management service (also known as Microsoft Rights Management
or Azure RMS ). Once you install the RMS connector, it provides continuous data protection throughout the life
span of the information and because these services are customizable, you can define the level of protection you
need. For example, you can limit email message access to specific users or set view -only rights for certain
messages.
For more information, see Deploying the Azure Rights Management connector.
In-place Archiving, retention, and eDiscovery
Exchange 2016 includes the following improvements to In-Place Archiving, retention, and eDiscovery to help your
organization meet its compliance needs:
In-Place Hold: In-Place Hold is a unified hold model that allows you to meet legal hold requirements in
the following scenarios:
Preserve the results of the query (query-based hold), which allows for scoped immutability across
mailboxes.
Place a time-based hold to meet retention requirements (for example, retain all items in a mailbox for
seven years, a scenario that required the use of Single Item Recovery/Deleted Item Retention in
Exchange 2010).
Place a mailbox on indefinite hold (similar to litigation hold in Exchange 2010).
Place a user on multiple holds to meet different case requirements.
In-Place eDiscovery: In-Place eDiscovery allows authorized users to search mailbox data across all
mailboxes and In-Place Archives in an Exchange 2016 organization and copy messages to a discovery
mailbox for review. In Exchange 2016, In-Place eDiscovery allows discovery managers to perform more
efficient searches and hold.
Federated search allows you to search and preserve data across multiple data repositories. With
Exchange 2016, you can perform in-place eDiscovery searches across Exchange, SharePoint, and
Skype for Business. You can use the eDiscovery Center in SharePoint 2013 to perform In-Place
eDiscovery search and hold.
Query-based In-Place Hold allows you to save the results of the query, which allows for scoped
immutability across mailboxes.
Export search results Discovery Managers can export mailbox content to a .pst file from the
SharePoint 2013 eDiscovery Console. Mailbox export request cmdlets are no longer required to
export a mailbox to a .pst file.
Keyword statistics: Search statistics are offered on a per search term basis. This enables a Discovery
Manager to quickly make intelligent decisions about how to further refine the search query to
provide better results. eDiscovery search results are sorted by relevance.
KQL syntax: Discovery Managers can use Keyword Query Language (KQL ) syntax in search queries.
KQL is similar to the Advanced Query Syntax (AQS ), that was used for discovery searches in
Exchange 2010.
In-Place eDiscovery and Hold wizard: Discovery Managers can use the In-Place eDiscovery and
Hold wizard to perform eDiscovery and hold operations.
NOTE
If SharePoint 2013 isn't available, a subset of the eDiscovery functionality is available in the Exchange admin
center.
Public folder support for In-Place eDiscovery and In-Place Hold: Exchange 2016 has
integrated public folders into the In-Place eDiscovery and Hold workflow. You can use In-Place
eDiscovery to search public folders in your organization, and you can put a In-Place Hold on public
folders. And similar to placing a mailbox on hold, you can place a query-based and a time-based hold
on public folders. Currently, you can only search and place a hold on all public folders. In later
releases, you'll be able to choose specific public folders to search and place on hold. For more
information, see Search and place a hold on public folders using In-Place eDiscovery.
Compliance Search: Compliance Search is a new eDiscovery search tool in Exchange 2016 with
new and improved scaling and performance capabilities. You can use it to search very large numbers
of mailboxes in a single search. In fact, there's no limit on the number of mailboxes that can be
included in a single search, so you can search all mailboxes in your organization at once. There's also
no limit on the number of searches that can run at the same time. For In-Place eDiscovery in
Exchange 2016, the limits are the same as in Exchange 2013: you can search up to 10,000 mailboxes
in a single search and your organization can run a maximum of two In-Place eDiscovery searches at
the same time.
In Exchange 2016, Compliance Search is only available by using the Exchange Management Shell.
For information about using the Compliance Search cmdlets, see the following topics:
Get-ComplianceSearch
New -ComplianceSearch
Remove-ComplianceSearch
Set-ComplianceSearch
Start-ComplianceSearch
Stop-ComplianceSearch
NOTE
To have access to the Compliance Search cmdlets, an administrator or eDiscovery manager must be assigned
the Mailbox Search management role or be a member of the Discovery Management role group.
Search across primary and archive mailboxes in Outlook on the web: Users can search across their
primary and archive mailboxes in Outlook on the web. Two separate searches are no longer necessary.
Archive Skype for Business content: Exchange 2016 supports archiving of Skype for Business content in
a user's mailbox. You can place Skype for Business content on hold using In-Place Hold and use In-Place
eDiscovery to search Skype for Business content archived in Exchange.
For more information, see Messaging policy and compliance in Exchange 2016.
Auditing
Outlook Web App is now known as Outlook on the web, which continues to let users access their Exchange
mailbox from almost any web browser.
NOTE
Supported Web browsers for Outlook on the web in Exchange 2016 are Microsoft Edge, Internet Explorer 11, and the most
recent versions of Mozilla Firefox, Google Chrome, and Apple Safari.
In Exchange 2016, the former Outlook Web App user interface is updated and optimized for tablets and smart
phones, in addition to desktop and laptop computers. New Exchange 2016 features include:
Platform -specific experiences for phones for both iOS and Android.
Premium Android experience using Chrome on devices running Android version 4.2 or later.
Apps for Outlook which allow users and administrators to extend the capabilities of Outlook on the web.
Email improvements, including a new single-line view of the Inbox with an optimized reading pane,
archiving, emojis, and the ability to undo mailbox actions like deleting a message or moving a message.
Contact linking the ability for users to add contacts from their LinkedIn accounts.
Calendar has an updated look and new features, including email reminders for Calendar events, ability to
propose a new time in meeting invitations, improved search, and birthday calendars.
Search suggestions and refiners for an improved search experience that helps users find the information
they want, faster. Search suggestions try to anticipate what the user's looking for and returns results that
might be what the user is looking for. Search refiners will help a user more easily find the information
they're looking for by providing contextually-aware filters. Filters might include date ranges, related senders,
and so on.
Themes Exchange 2016 provides over 50 built-in themes.
Options for individual mailboxes have been overhauled.
Link preview which enables users to paste a link into messages, and Outlook on the web automatically
generates a rich preview to give recipients a peek into the contents of the destination. This works with video
links as well.
Inline video player saves the user time by keeping them in the context of their conversations. An inline
preview of a video automatically appears after inserting a video URL.
Link preview which enables users to paste a link into messages, and Outlook on the web automatically
generates a rich preview to give recipients a peek into the contents of the destination. This works with video
links as well.
Pins and Flags which allow users to keep essential emails at the top of their inbox (Pins) and mark others
for follow -up (Flags). Pins are now folder specific, great for anyone who uses folders to organize their email.
Quickly find and manage flagged items with inbox filters or the new Task module, accessible from the app
launcher.
Performance improvements in a number of areas across Outlook on the web, including creating calendar
events, composing, loading messages in the reading pane, popouts, search, startup, and switching folders.
New Outlook on the web action pane that allows you to quickly click those actions you most commonly
use such as New, Reply all, and Delete. A few new actions have been added as well including Archive,
Sweep, and Undo.
Offline Outlook on the web
Internet Explorer 11 and Windows Store apps using JavaScript support the Application Cache API (or AppCache)
as defined in the HTML5 specification, which allows you to create offline web applications. AppCache enables
webpages to cache (or save) resources locally, including images, script libraries, style sheets, and so on. In addition,
AppCache allows URLs to be served from cached content using standard Uniform Resource Identifier (URI)
notation. The following is a list of the browsers that support AppCache:
Microsoft Edge
Internet Explorer 11 or later versions
Google Chrome 44 or later versions
Mozilla Firefox 39 or later versions
Apple Safari 8 or later (only on OS X/iOS ) versions
MAPI over HTTP
MAPI over HTTP is now the default protocol that Outlook uses to communicate with Exchange. MAPI over HTTP
improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the
industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced
recoverability. Additional functionality includes support for an explicit pause-and-resume function, which enables
supported clients to change networks or resume from hibernation while maintaining the same server context.
Note: MAPI over HTTP isn't enabled in organizations where the following conditions are both true:
You're installing Exchange 2016 in an organization that already has Exchange 2013 servers installed.
MAPI over HTTP wasn't enabled in Exchange 2013.
While MAPI over HTTP is now the default communication protocol between Outlook and Exchange, clients that
don't support it will fall back to Outlook Anywhere (RPC over HTTP ). RPC (RPC over TCP ) is no longer supported.
For more information, see MAPI over HTTP in Exchange 2016.
Document collaboration
Exchange 2016, along with SharePoint Server 2016, enables Outlook on the web users to link to and share
documents that are stored in OneDrive for Business in an on-premises SharePoint server instead of attaching files
to messages. Users in an on-premises environment can collaborate on files in the same manner that's used in
Office 365.
For more information about SharePoint Server 2016, see New and improved features in SharePoint Server 2016.
When an Exchange 2016 user receives a Word, Excel, or PowerPoint file in an email attachment, and the file is
stored in OneDrive for Business or on-premises SharePoint, the user will now have the option of viewing and
editing that file in Outlook on the web alongside the message. To do this, you'll need a separate computer in your
on-premises organization that's running Office Online Server. For more information, see Install Office Online
Server in an Exchange 2016 organization.
Exchange 2016 also brings the following improvements to document collaboration:
Saving files to OneDrive for Business.
Uploading a file to OneDrive for Business.
Most Recently Used lists populated with both local and online files.
Batch mailbox moves
Exchange 2016 makes use of batch moves. The move architecture is built on top of MRS (Mailbox Replication
service) moves with enhanced management capability. The batch move architecture features the following
enhancements:
Ability to move multiple mailboxes in large batches.
Email notification during move with reporting.
Automatic retry and automatic prioritization of moves.
Primary and personal archive mailboxes can be moved together or separately.
Option for manual move request finalization, which allows you to review a move before you complete it.
Periodic incremental syncs to migrate the changes.
For more information, see Manage on-premises mailbox moves in Exchange 2016.
High availability and site resilience
The high availability model of the mailbox component has not changed significantly since Exchange 2010. The unit
of high availability is still the database availability group (DAG ). The DAG still uses Windows Server failover
clustering. Continuous replication still supports both file mode and block mode replication. However, there have
been some improvements. Failover times have been reduced as a result of transaction log code improvements and
deeper checkpoint on the passive databases. The Exchange Store service has been re-written in managed code.
Now, each database runs under its own process, which isolates store issues to a single database.
Exchange 2016 uses DAGs and mailbox database copies, along with other features such as single item recovery,
retention policies, and lagged database copies, to provide high availability, site resilience, and Exchange native data
protection. The high availability platform, the Exchange Information Store and the Extensible Storage Engine (ESE ),
have all been enhanced to provide greater availability, easier management, and to reduce costs. These
enhancements include:
Managed availability: With managed availability, internal monitoring and recovery-oriented features are
tightly integrated to help prevent failures, proactively restore services, and initiate server failovers
automatically or alert administrators to take action. The focus is on monitoring and managing the end user
experience rather than just server and component uptime to help keep the service continuously available.
Managed Store: See the Managed Store section.
Support for multiple databases per disk: Exchange 2016 includes enhancements that enable you to
support multiple databases (mixtures of active and passive copies) on the same disk, thereby leveraging
larger disks in terms of capacity and IOPS as efficiently as possible.
Automatic reseed: Enables you to quickly restore database redundancy after disk failure. If a disk fails, the
database copy stored on that disk is copied from the active database copy to a spare disk on the same
server. If multiple database copies were stored on the failed disk, they can all be automatically re-seeded on
a spare disk. This enables faster reseeds, as the active databases are likely to be on multiple servers and the
data is copied in parallel.
Automatic recovery from storage failures: This feature continues the innovation that was introduced in
Exchange 2010 to allow the system to recover from failures that affect resiliency or redundancy. In addition
to the Exchange 2010 bugcheck behaviors, Exchange 2016 includes additional recovery behaviors for long
I/O times, excessive memory consumption by MSExchangeRepl.exe , and severe cases where the system is in
such a bad state that threads can't be scheduled.
Lagged copy enhancements: Lagged copies can now use automatic log play down to care for themselves
(to a certain extent). Lagged copies will automatically play down log files in a variety of situations, such as
single page restore and low disk space scenarios. If the system detects that page patching is required for a
lagged copy, the logs will be automatically replayed into the lagged copy. Lagged copies will also invoke this
auto replay feature when a low disk space threshold has been reached, and when the lagged copy has been
detected as the only available copy for a specific period of time. In addition, lagged copies can leverage
Safety Net, making recovery or activation much easier. Safety Net is improved functionality in Exchange
2016 based on the transport dumpster of Exchange 2010.
Single copy alert enhancements: The single copy alert that was introduced in Exchange 2010 is no
longer a separate scheduled script. It's now integrated into the managed availability components within the
system and is a native function within Exchange.
DAG network auto-configuration: DAGs networks can be automatically configured by the system based
on configuration settings. In addition to manual configuration options, DAGs can also distinguish between
MAPI and Replication networks and configure DAG networks automatically.
For more information about these features, see High Availability and Site Resilience and Changes to high
availability and site resilience over previous versions.
Managed Store
In Exchange 2016, Managed Store is the name of the Information Store processes,
Microsoft.Exchange.Store.Service.exe and Microsoft.Exchange.Store.Worker.exe . The new Managed Store is
written in C# and is tightly integrated with the Microsoft Exchange Replication service ( MSExchangeRepl.exe ) to
provide higher availability through improved resiliency. In addition, the Managed Store allows more granular
management of resource consumption, and has improved diagnostics for faster root cause analysis.
The Managed Store works with the Microsoft Exchange Replication service to manage mailbox databases, which
continue to use the Extensible Storage Engine (ESE ) database engine. Exchange 2016 includes significant changes
to the mailbox database schema that provide many optimizations over previous versions of Exchange. The
Microsoft Exchange Replication service is also responsible for all service availability related to Mailbox servers.
These architectural changes enable faster database failover and better physical disk failure handling.
The Managed Store uses the same search platform as SharePoint Server 2016 to provide more robust indexing
and searching when compared to Microsoft Search engine that was used in previous versions of Exchange.
For more information, see High Availability and Site Resilience.
Exchange workload management
An Exchange workload is an Exchange server feature, protocol, or service that has been explicitly defined for the
purposes of Exchange system resource management. Each Exchange workload consumes system resources such
as CPU, mailbox database operations, or Active Directory requests to execute user requests or run background
work. Examples of Exchange workloads include Outlook on the web, Exchange ActiveSync, mailbox migration, and
mailbox assistants.
There are two ways to manage Exchange workloads in Exchange 2016:
Monitor the health of system resources: Managing workloads based on the health of system resources.
Control how resources are consumed by individual users: Controlling how resources are consumed by
individual users was possible in Exchange 2010 (user throttling), and this capability has been expanded for
Exchange 2016.
For more information about these features, see User workload management in Exchange 2016.
What's discontinued in Exchange Server
8/23/2019 • 7 minutes to read • Edit Online
This topic discusses the components, features, and functionality that's been removed, discontinued, or replaced in
Exchange 2019.
Unified Messaging (UM) Unified Messaging has been removed from Exchange 2019.
We recommend that Exchange 2019 organizations transition
to Skype for Business Cloud Voice Mail.
Unified Messaging (UM) Unified Messaging has been removed from Exchange 2019.
We recommend that Exchange 2019 organizations transition
to Skype for Business Cloud Voice Mail.
Client Access server role The Client Access server role has been replaced by Client
Access services that run on the Mailbox server role. The
Mailbox server role now performs all functionality that was
previously included with the Client Access server role. For
more information about the new Mailbox server role, see
Exchange Server architecture.
MAPI/CDO library The MAPI/CDO library has been replaced by Exchange Web
Services (EWS), Exchange ActiveSync (EAS), and
Representational State Transfer (REST)* APIs. If an application
uses the MAPI/CDO library, it needs to move to EWS, EAS, or
the REST APIs to communicate with Exchange 2019.
Client Access server role The Client Access server role has been replaced by Client
Access services that run on the Mailbox server role. The
Mailbox server role now performs all functionality that was
previously included with the Client Access server role. For
more information about the new Mailbox server role, see
Exchange Server architecture.
MAPI/CDO library The MAPI/CDO library has been replaced by Exchange Web
Services (EWS), Exchange ActiveSync (EAS), and
Representational State Transfer (REST)* APIs. If an application
uses the MAPI/CDO library, it needs to move to EWS, EAS, or
the REST APIs to communicate with Exchange 2016.
Hub Transport server role The Hub Transport server role has been replaced by Transport
services which run on the Mailbox server role. The Mailbox
server role includes the Microsoft Exchange Transport,
Microsoft Exchange Mailbox Transport Delivery, the Microsoft
Exchange Mailbox Transport Submission, and the Microsoft
Exchange Frontend Transport service. For more information,
see Mail flow and the transport pipeline.
FEATURE COMMENTS AND MITIGATION
Unified Messaging server role The Unified Messaging server role has been replaced by
Unified Messaging services which run on the Mailbox and
Client Access server roles. The Mailbox server role includes the
Microsoft Exchange Unified Messaging service and the Client
Access server role includes the Microsoft Exchange Unified
Messaging Call Router service. For more information, see
Voice Architecture Changes.
MAPI/CDO library The MAPI/CDO library has been replaced by Exchange Web
Services (EWS), Exchange ActiveSync (EAS), and
Representational State Transfer (REST)* APIs. If an application
uses the MAPI/CDO library, it needs to move to EWS, EAS, or
the REST APIs to communicate with Exchange 2016.
Exchange Management Console and Exchange Control Panel The Exchange Management Console and the Exchange
Control Panel have been replaced by the Exchange admin
center (EAC). EAC uses the same virtual directory (/ecp) as the
Exchange Control Panel. For more information, see Exchange
admin center in Exchange Server.
Client access
FEATURE COMMENTS AND MITIGATION
Outlook 2003 is not supported To connect Microsoft Outlook to Exchange 2016, the use of
the Autodiscover service is required. However, Microsoft
Outlook 2003 doesn't support the use of the Autodiscover
service.
RPC/TCP access for Outlook clients In Exchange 2016, Microsoft Outlook clients can connect
using Outlook Anywhere (RPC/HTTP) or MAPI over HTTP
Outlook 2013 Service Pack 1 and later. If you have Outlook
clients in your organization, using Outlook Anywhere and/or
MAPI over HTTP is required. For more information, see
Outlook Anywhere and MAPI over HTTP in Exchange Server.
Spell check Outlook Web App no longer has built-in spell check services.
Instead, it uses the spell check features in your Web browsers.
Customizable filters Outlook Web App no longer has customizable filtered views
and no longer supports saving filtered views to Favorites.
Customizable filters have been replaced by fixed filters that
can be used to view all messages, unread messages, messages
sent to the user, or flagged messages.
FEATURE COMMENTS AND MITIGATION
Message flags The ability to set a custom date on a message flag isn't
available in Outlook Web App. You can use Outlook to set
custom dates.
Chat contact list The chat contact list that appeared in the folder list in Outlook
Web App for Exchange 2010 is no longer available.
Search folders The ability for users to use Search folders isn't currently
available in Outlook Web App.
Web Parts Outlook on the web no longer includes support for Web
Parts. Customers will need to develop replacement
functionality to meet this need in their environments.
Mail flow
FEATURE COMMENTS AND MITIGATION
Linked connectors The ability to link a Send connector to a Receive connector has
been removed. Specifically, the LinkedReceiveConnector
parameter has been removed from New-SendConnector and
Set-SendConnector.
Antispam agent management in the EMC In Exchange 2010, when you enabled the antispam agents on
a Hub Transport server, you could manage the antispam
agents in the Exchange Management Console (EMC). In
Exchange 2016, when you enable the antispam agents on a
Mailbox server, you can't manage the agents using the EAC.
You can only use the Exchange Management Shell. For
information about how to enable the antispam agents on a
Mailbox server, see Enable antispam functionality on Mailbox
servers.
Connection Filtering agent on Hub Transport servers In Exchange 2010, when you enabled the antispam agents on
a Hub Transport server, the Attachment Filter agent was the
only antispam agent that wasn't available. In Exchange 2016,
when you enable the antispam agents on a Mailbox server,
the Attachment Filter agent and the Connection Filtering
agent aren't available. The Connection Filtering agent provides
IP Allow List and IP Block List capabilities. For information
about how to enable the antispam agents on a Mailbox
server, see Enable antispam functionality on Mailbox servers.
Note: The only way to enable the Connection Filtering agent
is to install an Edge Transport server in the perimeter
network. For more information, see Edge Transport servers.
Managed Folders In Exchange 2010, you use managed folders for messaging
retention management (MRM). In Exchange 2016, managed
folders aren't supported. You must use retention policies for
MRM.
Note: Cmdlets related to managed folders are still available.
You can create managed folders, managed content settings
and managed folder mailbox policies, and apply a managed
folder mailbox policy to a user, but the MRM assistant skips
processing of mailboxes that have a managed folder mailbox
policy applied.
Port Managed Folder wizard In Exchange 2010, you use the Port Managed Folder wizard
to create retention tags based on managed folder and
managed content settings. In Exchange 2016, the Exchange
admin center doesn't include this functionality. You can use
the New-RetentionPolicyTag cmdlet with the
ManagedFolderToUpgrade parameter to create a retention
tag based on a managed folder.
Directory lookups using Automatic Speech Recognition (ASR) In Exchange 2010, Outlook Voice Access users can use speech
inputs using Automatic Speech Recognition (ASR) to search
for users listed in the directory. Speech inputs could be also
used in Outlook Voice Access to navigate menus, messages,
and other options. However, even if an Outlook Voice Access
user is able to use speech inputs, they have to use the
telephone key pad to enter their PIN, and navigate personal
options.
In Exchange 2016, authenticated and non-authenticated
Outlook Voice Access users can't search for users in the
directory using speech inputs or ASR in any language.
However, callers that call into an auto attendant can use
speech inputs in multiple languages to navigate auto
attendant menus and search for users in the directory.
Exchange follows a quarterly delivery model to release Cumulative Updates (CUs) that address customer-
reported issues and to possibly add new functionality and/or features. Critical product updates (packages that
address a Microsoft-released security bulletin or contain a change in time zone definitions) are released as
needed on a monthly basis for the most recently released CU and the preceding CU.
Because each CU is a full installation of Exchange that includes updates and changes from all previous CU's, you
don't need to install any previously released CU's when installing a new Exchange server using the latest released
CU.
For information about the new features you'll get when you upgrade to Exchange 2019 from previous versions of
Exchange, see What's new in Exchange Server.
To get the latest version of Exchange 2016, download and install Cumulative Update 13 for Exchange Server
2016. Because each CU is a full installation of Exchange that includes updates and changes from all previous
CU's, you don't need to install any previous CU's or Exchange 2016 RTM first.
The following table contains links to Exchange Team blog posts ("What's New" information) for this and other
Exchange 2016 CUs.
Exchange 2016 RTM Exchange Server 2016: Forged in the cloud. Now available on-
premises
For information about the new features you'll get when you upgrade to Exchange 2016 from previous versions of
Exchange, see What's new in Exchange Server.
To upgrade to the latest CU after you've downloaded it, see Upgrade Exchange to the latest Cumulative
Update.
For downloads and updates for other versions of Exchange, see Exchange Server Updates: build numbers
and release dates.
Exchange Server build numbers and release dates
8/23/2019 • 13 minutes to read • Edit Online
You can use the information in this topic to verify the version of Exchange that is running in your organization.
This topic is organized in sections that correspond to the major releases of Exchange. Each section lists build
numbers for each Service Pack (SP ), Cumulative Update (CU ), or Update Rollup (RU ) of the specific Exchange
release.
Download links for the latest CU, RU, and SP for Exchange Server 2019, Exchange Server 2016, Exchange Server
2013, Exchange Server 2010, and Exchange Server 2007 are included.
Note: In the following sections, RTM stands for release to manufacturing (the first version of the product).
TIP
Looking for the Exchange 2013 release notes? See Release notes for Exchange 2013.
Welcome to Microsoft Exchange Server 2019! This topic contains important information that you need to know to
successfully deploy Exchange 2019. Please read this topic completely before beginning your deployment.
Known issues in Exchange Server 2019
When you attempt to uninstall Exchange Server from Windows 2019 Server Core using the Exchange Setup
Wizard, the operation will fail. The wizard attempts to launch the Windows Control Panel to uninstall Exchange,
but the Control Panel does not exist in Windows Server Core. To uninstall Exchange from Windows Server Core,
run the following Setup command from the command line:
```
Setup.exe /IAcceptExchangeServerLicenseTerms /mode:Uninstall
```
This issue will be resolved in a future CU update for Exchange Server 2019.
Welcome to Microsoft Exchange Server 2016! This topic contains important information that you need to know to
successfully deploy Exchange 2016. Please read this topic completely before beginning your deployment.
Setup
Installing Exchange using Delegate Admin permissions causes Setup to fail: When a user who is a
member of only the Delegated Setup role group attempts to install Exchange on a pre-provisioned server,
Setup will fail. This happens because the Delegated Setup group lacks the permissions required to create
and configure certain objects in Active Directory.
To work around this issue, do one of the following:
Add the user installing Exchange to the Domain Admins Active Directory security group.
Install Exchange using a user that is a member of the Organization Management role group.
Mailbox
Moving mailboxes from earlier versions of Exchange to Exchange 2016 CU5 or later can fail:
When you attempt to move a mailbox from an earlier version of Exchange to Exchange CU5 or later using a
migration batch request, the move might fail. This can happen if the migration system mailbox isn't located
on an Exchange 2016 server with CU5 or later installed.
Before you can move mailboxes to Exchange 2016 CU5 or later using a migration batch request, you need
to move the migration mailbox to an Exchange server running CU5 or later using the following steps.
1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
2. Run the following command to get a list of mailbox databases that are located on your Exchange
2016 servers. Copy the name of the mailbox database where you want to move the migration
mailbox to the clipboard.
3. Run the following command to move the migration mailbox to your Exchange 2016 server. Paste the
mailbox database name you copied in the previous step after TargetDatabase.
Mailbox servers running different versions of Exchange can be added to the same database
availability group: The Add-DatabaseAvailabilityGroupServer cmdlet and the Exchange admin center
incorrectly allow an Exchange 2013 server to be added to an Exchange 2016-based database availability
group (DAG ), and vice versa. Exchange supports adding only Mailbox servers running the same version
(Exchange 2013 versus Exchange 2016, for example) to a DAG. Additionally, the Exchange admin center
displays both Exchange 2013 and Exchange 2016 servers in the list of servers available to add to a DAG.
This could allow an administrator to inadvertently add a server running an incompatible version of
Exchange to a DAG (for example, adding an Exchange 2013 server to an Exchange 2016-based DAG ).
There is currently no workaround for this issue. Administrators must be diligent when adding a Mailbox
server to a DAG. Add only Exchange 2013 servers to Exchange 2013-based DAGs, and only Exchange 2016
servers to Exchange 2016-based DAGs. You can differentiate each version of Exchange by looking at the
Version column in the list of servers in the Exchange admin center. The following are the server versions
for Exchange 2013 and Exchange 2016:
Exchange 2013 15.0 (Build xxx.xx)
Exchange 2016 15.1 (Build xxx.xx)
Can't connect to archive mailbox when using MAPI over HTTP: In Exchange 2016, MAPI over HTTP
can be enabled per-mailbox. An issue exists that prevents users from accessing their archive mailbox, if one
is configured, when the following are true:
MAPI over HTTP is enabled on the user's mailbox.
MAPI over HTTP is disabled at the organization level.
When these conditions are true, the user won't be able to open their archive mailbox and they'll get
the error The set of folders cannot be opened. The attempt to log on to Microsoft Exchange
has failed.
To work around the issue, do one of the following
Open the archive mailbox using Outlook on the web.
Disable MAPI over HTTP on the mailbox by running the following command.
Notifications Broker service stops after 30 seconds When you start your Exchange server, you might
notice the Notifications Broker service start and then stop after approximately 30 seconds. If you attempt
to start the service manually, it will successfully start and then stop, again after approximately 30 seconds.
No errors or warnings are included in the Event log.
This behavior is expected in on-premises deployments of Exchange 2016. The Notifications Broker
service performs a configuration check on each time the server starts. If there is nothing for the
Notifications Broker service to do, it stops automatically until the next time the server is restarted.
Mail flow
Edge Transport servers can reject mail sent to valid recipients Exchange 2016 Edge Transport servers
may reject messages sent to valid internal recipients when the following are true:
Exchange 2016 Cumulative Update 1 (CU1) is installed on the server.
Recipient validation is enabled on the server.
When an Edge Transport rejects a message because of this issue, the sender will receive a non-
delivery report (NDR ) with the status code 5.1.10, and the error Recipient not found by SMTP
address lookup. The recipient won't receive the message.
To work around the issue, do one of the following:
Disable recipient validation on the affected Edge Transport server(s) by running the following
command.
Disable the recipient validation cache on the affected Edge Transport server(s) by running the
following command.
Cau t i on
Disabling the recipient validation cache causes Exchange to verify that recipients on inbound
messages are valid by querying the local instance of Active Directory Lightweight Directory Services.
This can significantly increase the resources Exchange needs to process messages. Before you
disable the recipient validation cache, verify that your server has sufficient capacity to handle the
additional demand.
Configure your firewall or external mail exchanger (MX) DNS record to send mail to an Edge Transport
server that doesn't have Exchange 2016 Cumulative Update 1 installed. You might need to configure your
firewall to allow TCP port 25 to connect to the new Internet-facing server.
Configure your firewall or external MX DNS record to send mail to an Exchange 2016 Mailbox server. You
might need to configure your firewall to allow TCP port 25 to connect to the new Internet-facing server.
Exchange architecture
8/23/2019 • 6 minutes to read • Edit Online
Exchange use a single building block architecture that provides email services for deployments at all sizes, from
small organizations to the largest multi-national corporations. This architecture is describe in the following
diagram.
NOTE
Unified Messaging is not available in Exchange 2019.
You manage Mailbox servers by using the Exchange admin center (EAC ) and the Exchange Management
Shell. For more information, see Exchange admin center in Exchange Server and Exchange Server
PowerShell (Exchange Management Shell).
Edge Transport servers
Edge Transport servers handle all external mail flow for the Exchange organization.
Edge Transport servers are typically installed in the perimeter network, and are subscribed to the internal
Exchange organization. The EdgeSync synchronization process makes recipient and other configuration
information available to the Edge Transport server as mail enters and leaves the Exchange organization.
Edge Transport servers provide antispam and mail flow rules as mail enters and leaves your Exchange
organization. For more information, see Antispam protection in Exchange Server
You manage Edge Transport servers by using the Exchange Management Shell. For more information, see
Exchange Server PowerShell (Exchange Management Shell).
For more information about Edge Transport servers, see Edge Transport servers.
NOTE
Unified Messaging is not available in Exchange 2019.
In Microsoft Exchange Server 2010, the Mailbox server role hosted both mailbox and public folder databases and
also provided email message storage. In Exchange Server 2016 and Exchange Server 2019, the Mailbox server role
contains transport services for routing mail, mailbox databases, Client access services to accept client connections,
and (in Exchange 2016 only) Unified Messaging (UM ) components.
For more information about Exchange mailbox servers and how they complement other server roles, see Exchange
architecture.
A mailbox database is a unit of granularity where mailboxes are created and stored. A mailbox database is stored
as an Exchange database (.edb) file. In Exchange 2016 and 2019, each mailbox database has its own properties
that you can configure.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Get-MailboxDatabase -IncludePreExchange2013
2. When you're prompted about whether you're sure that you want to perform the action, typeY.
3. When the dialog box appears stating that the database was removed successfully, note the location of the
Exchange database (.edb) file. If you want to remove this file from the hard drive, you must remove it
manually.
How do you know this worked?
To verify that you have successfully removed the mailbox database, do the following:
From the EAC, select Servers > Databases.
Verify that the mailbox database has been removed.
Manage on-premises mailbox moves in Exchange
Server
8/23/2019 • 12 minutes to read • Edit Online
In Exchange Server, users' primary mailboxes and archive mailboxes can reside on different databases. A move
request is the process of moving a mailbox from one mailbox database to another. A local move request is a
mailbox move that occurs within a single Active Directory forest (as opposed to a remote move request that
occurs between Active Directory forests). You use the procedures in this topic for local move requests of primary
mailboxes, archive mailboxes, or both in on-premises. Using the move request functionality, you can move the
primary mailbox and the associated archive to the same database or to separate ones.
The following two services process your move request to move mailboxes:
Exchange Mailbox Replication service (MRS )
Exchange Mailbox Replication Proxy
The procedures in this topic will help you with on-premises mailbox moves. You can use the Exchange
Management Shell and the Exchange admin center (EAC ) to move mailboxes in your on-premises organization.
For more information about the Mailbox replication service and proxy, see Learn more about MRS Proxy. For
more information about mailbox moves, see Mailbox moves in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example creates a new local move request with these settings:
Mailbox: The primary mailbox and archive mailbox (if it exists) for Angela Gruber (agruber@contoso.com).
If you only want to move the primary mailbox, use the PrimaryOnly switch. If you only want to move the
archive mailbox, use the ArchiveOnly switch.
Target database for the primary mailbox: MBX DB02. If we don't use the TargetDatabase parameter,
the automatic distribution logic in Exchange will randomly select a database in the Active Directory site.
Target database for the archive mailbox: MBX DB03. If we don't use the ArchiveTargetDatabase
parameter or the PrimaryOnly switch, the archive mailbox database will be moved to the same database as
the primary mailbox.
If we use the ArchiveOnly switch without using the ArchiveTargetDatabase parameter, the automatic
distribution logic in Exchange will randomly select a database in the Active Directory site.
Priority: Normal , because we aren't using the Priority parameter.
Bad item limit: 10 (the default value in the Exchange Management Shell is 0). Because the value is less
than 51, we don't need to use the AcceptLargeDataLoss switch.
This example uses similar settings, but only moves Angela's primary mailbox.
This example uses similar settings, but only moves Angela's archive mailbox.
Bad item limit: 51 (the default value in the Exchange Management Shell is 0), so we also need to use the
AcceptLargeDataLoss switch.
Get-Mailbox -Database "MBX DB01" | New-MoveRequest -BatchName "MBX DB01 to MBX DB02" -TargetDatabase "MBX
DB02" -Priority High -BadItemLimit 51 -AcceptLargeDataLoss
In the Exchange Management Shell, replace <BatchName> with the batch name value of the move
request, and run this command to verify the basic property values:
Note: If you created the move request in the EAC, the batch name value is
MigrationService:<BatchNameValueFromTheEAC> .
If you created the move request in the EAC, replace <BatchName> with the batch name value you
specified, and run this command in the Exchange Management Shell to verify summary information about
all mailboxes in the move:
If you created the move request in the EAC, replace <EmailAddress> with the email address of the moved
mailbox, and run this command to see detailed information about the specified mailbox:
For more information about preparing your forest for cross-forest moves, see the following topics:
Prepare mailboxes for cross-forest move requests
Prepare Mailboxes for Cross-Forest Moves Using Sample Code
Prepare mailboxes for cross-forest moves using the Exchange Management Shell
For detailed syntax and parameter information, see New -MigrationBatch and New -MoveRequest.
How do you know this worked?
To verify that you have successfully completed your migration, do the following:
From the Exchange Management Shell, run the following command to retrieve mailbox move information.
Mailbox moves and mailbox migrations in Exchange 2016 and Exchange 2019 from one forest to another require
that you prepare the destination forest, which is made easier by Exchange tools and cmdlets. Exchange 2016
supports mailbox moves and migrations using the Exchange Management Shell, specifically the New-
MoveRequest and New-MigrationBatch cmdlets. You can also move the mailbox in the Exchange admin center
(EAC ).
To move an Exchange mailbox from a source forest to the target Exchange 2016 or Exchange 2019 target forest,
the target forest needs to contain a valid mail user (also known as a mail-enabled user) with a specified set of
Active Directory attributes.
In Exchange 2016, you can move an Exchange 2010, Exchange 2013, or Exchange 2016 mailbox from a
source Exchange forest to a target Exchange 2016 forest. If there's at least one Exchange 2016 Mailbox
server in the target forest, the forest is considered an Exchange 2016 forest.
In Exchange 2019, you can move an Exchange 2013, Exchange 2016, or Exchange 2019 mailbox from a
source Exchange forest to a target Exchange 2019 forest. If there's at least one Exchange 2019 Mailbox
server in the target forest, the forest is considered an Exchange 2019 forest.
To prepare for the mailbox move, you need to create mail users (also known as mail-enabled users) with the
required Active Directory attributes in the target forest. There are two recommended approaches for creating mail
users with the necessary attributes:
If you deployed Identity Lifecycle Manager (ILM ) for cross-forest global address list (GAL ) synchronization,
we recommend that you use Microsoft Identity Manager 2016 Service Pack 1. We've created sample code
that you can use to learn how to customize ILM to synchronize the source mailbox user and target mail
user.
For more information, including how to download the sample code, see Prepare mailboxes for cross-forest
moves using sample code.
If you created the target mail user using an Active Directory tool other than ILM or Microsoft Identity
Integration Server (MIIS ), use the Update-Recipient cmdlet with the Identity parameter to generate the
LegacyExchangeDN attribute for the target mail user. We've created a sample PowerShell script that
reads from and writes to Active Directory and calls the Update-Recipient cmdlet.
For more information about using the sample script, see Prepare mailboxes for cross-forest moves using
the Exchange Management Shell.
After creating the target mail user, you can then run the New-MoveRequest or the New-MigrationBatch
cmdlets to move the mailbox to the target Exchange 2016 or Exchange 2019 forest.
For more information about remote move requests, see the following topics:
New -MigrationBatch
New -MoveRequest
For more information about remote mailbox moves and remote legacy moves, see Move Mailboxes to Exchange
2016.
The remainder of this topic describes the mail user Active Directory attributes that are required for a mailbox
move. These attributes are configured for you when you use either the code or the script to prepare for the
mailbox move. However, you can manually copy these attributes using an Active Directory editor.
msExchArchiveGUID and msExchArchiveName Directly copy the corresponding attribute of the source
mailbox.
Optional attributes
The following attributes aren't required for the New-MoveRequest cmdlet to function correctly; however,
synchronizing them provides a better end-to-end user experience after moving the mailbox. Because the GAL in
the target forest displays this target mail user, you should set the following GAL -related attributes.
GAL -related attributes
Linked attributes
A linked attribute is an Active Directory attribute that references other Active Directory objects in the local forest.
You can't directly copy the linked attribute values from a mailbox in the source forest to a mail user in the target
forest. Instead, you do the following steps:
1. Find the Active Directory objects in the source forest that the source mailbox attribute refers to.
2. Find the corresponding Active Directory objects in the target forest.
3. Set the target mail user's attribute to refer to the Active Directory objects in the target forest.
Linked attributes
Manager (and its backlinks) Correspond to the source mailbox's manager attribute.
NOTE
A linked mailbox can only be created if there's a forest trust between the source forest and target forest.
If the source object is disabled and the msExchMasterAccountSid attribute is set to self (resource mailbox,
shared mailbox), don't stamp anything on the target user.
If the source object is disabled and the msExchMasterAccountSid attribute isn't set, the mailbox is invalid.
If the source object is enabled and the msExchMasterAccountSid attribute is set, the mailbox is invalid.
Resource mailbox attributes
If you want to move a resource mailbox to an Exchange forest, you need to set the attributes shown in the
following table on the target mail user.
Resource mailbox attributes
Additional attributes
Resource mailbox attributes
Exchange Server supports mailbox moves and migrations using the Exchange Management Shell New-
MoveRequest and New-MigrationBatch cmdlets. You can also move the mailbox in the Exchange admin center
(EAC ).
In Exchange 2016, you can move an Exchange 2010, Exchange 2013, or Exchange 2016 mailbox from a
source Exchange forest to a target Exchange 2016 forest.
In Exchange 2019, you can move an Exchange 2013, Exchange 2016, or Exchange 2019 mailbox from a
source Exchange forest to a target Exchange 2019 forest.
To run the New-MoveRequest and New-MigrationBatch cmdlets, a mail user must exist in the target Exchange
forest, and the mail user must have a minimum set of required Active Directory attributes.
The sample Exchange PowerShell script described in this topic supports this task by synchronizing mailbox users
from an Exchange source forest to Exchange target forests as mail users (also known as mail-enabled users). The
script copies the Active Directory attributes of the mailbox users in the source forest to the target forest, and then
uses the Update-Recipient cmdlet to turn the target objects into mail users.
For more information about using and writing scripts, see About Scripts. For more information about preparing
for cross-forest moves, see Prepare mailboxes for cross-forest move requests.
Looking for other management tasks related to remote move requests? Check out Manage on-premises mailbox
moves in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
Make sure that you use two separate credentials for the local forest and the remote forest when calling this script.
1. Run the following commands to get the local forest and remote forest credentials.
$LocalCredentials = Get-Credential
$RemoteCredentials = Get-Credential
2. Run the following commands to pass the credential information to the LocalForestCredential and
RemoteForestCredential parameters in the Prepare-MoveRequest.ps1 script.
Examples
This section contains several examples of how you can use the Prepare-MoveRequest.ps1 script.
Example: Single linked mail user
This example provisions a single linked mail user in the local forest, when there is forest trust between the remote
forest and local forest.
1. Run the following commands to get the local forest and remote forest credentials.
$LocalCredentials = Get-Credential
$RemoteCredentials = Get-Credential
2. Run the following command to pass the credential information to the LocalForestCredential and
RemoteForestCredential parameters in the Prepare-MoveRequest.ps1 script.
$UserCredentials = Get-Credential
2. Run the following command to pass the credential information to the RemoteForestCredential parameter in
the Prepare-MoveRequest.ps1 script.
Identity
Ian@contoso.com
John@contoso.com
Cindy@contoso.com
This example calls a .csv file to bulk create the target mail users.
1. Run the following command to get the remote forest credentials.
$UserCredentials = Get-Credential
2. Run the following command to pass the credential information to the RemoteForestCredential parameter in
the Prepare-MoveRequest.ps1 script.
The Mailbox Replication service (MRS ) has a proxy endpoint that's required for cross-forest mailbox moves and
remote move migrations between your on-premises Exchange organization and Office 365. You enable the MRS
proxy endpoint in the Exchange Web Services (EWS ) virtual directory settings in the Client Access (frontend)
services on Exchange 2016 or Exchange 2019 Mailbox servers.
Where you enable the MRS Proxy endpoint depends on the type and direction of the mailbox move:
Cross-forest enterprise moves: For cross-forest moves that are initiated from the target forest (known as
a pull move type), you need to enable the MRS Proxy endpoint on Mailbox servers in the source forest. For
cross-forest moves that are initiated from the source forest (known as a push move type), you need to
enable the MRS Proxy endpoint on Mailbox servers in the target forest.
Remote move migrations between an on-premises Exchange organization and Office 365. For
both onboarding and offboarding remote move migrations, you need to enable the MRS Proxy endpoint on
Mailbox servers in your on-premises Exchange organization.
Note: If you use theExchange admin center (EAC ) to move mailboxes, cross-forest moves and onboarding remote
move migrations are pull move types, because you initiate the request from the target environment. Offboarding
remote move migrations are push move types because you initiate the request from the source environment.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
3. On the properties page that opens, on the General tab, select the Enable MRS Proxy endpoint check
box, and then click Save.
This example enables the MRS Proxy endpoint in Client Access services on the Mailbox server named EXCH-
SRV -01.
This example enables the MRS Proxy endpoint in Client Access services on all Mailbox servers in your Exchange
organization.
Run this command in the Exchange Management Shell, and verify that the MRSProxyEnabled property
for the EWS virtual directory has the value True :
To run this command successfully, the MRS Proxy endpoint must be enabled.
For detailed syntax and parameter information, see Test-MigrationServerAvailability.
Recreate missing arbitration mailboxes
8/23/2019 • 5 minutes to read • Edit Online
Exchange Server contains five special system mailboxes known as arbitration mailboxes. Arbitration mailboxes are
used for storing different types of system data and for managing messaging approval workflow. The following
table lists each type of arbitration mailbox and their responsibilities.
UMGrammar
UMGrammarReady
(Exchange 2016 only)
ARBITRATION MAILBOX NAME DISPLAY NAME PERSISTED CAPABILITIES FUNCTION
If you need to re-create one of more of these arbitration mailboxes, see the instructions that follow.
For example:
For example:
3. In the Exchange Management Shell, set the Persisted Capabilities (msExchCapabilityIdentifiers) for the
mailbox by running the following command:
For example:
For example:
3. In the Exchange Management Shell, set the Persisted Capabilities (msExchCapabilityIdentifiers) for the
mailbox by running the following command:
4. In the Exchange Management Shell, add the required capabilities to the mailbox by running the following
commands:
For example:
3. In the Exchange Management Shell, set the Persisted Capabilities (msExchCapabilityIdentifiers) for the
mailbox by running the following command:
Set-Mailbox -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -Arbitration -UMDataStorage
$true -Force
Re -create the Microsoft Exchange 2016 CU8 and later system mailboxes
To re-create the arbitration mailbox SystemMailbox{D0E409A0-AF9B -4720-92FE -AAC869B0D201} and
SystemMailbox{2CE34405-31BE -455D -89D7-A7C7DA7A0DAA}, run the following commands:
1. If the mailboxes are missing, run the following command from a Windows Command Prompt window:
For example:
3. In the Exchange Management Shell, set the Persisted Capabilities (msExchCapabilityIdentifiers) for the
mailbox by running the following command:
View the results of the command to verify that appropriate system mailbox, either by Name or Display Name from
the above table, has been re-created.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Edge Transport servers
8/23/2019 • 3 minutes to read • Edit Online
Edge Transport servers handle all inbound and outbound Internet mail flow by providing mail relay and smart
host services for your Exchange organization. Agents running on the Edge Transport server provide additional
layers of message protection and security. These agents provide protection against spam and apply mail flow
rules (also known as transport rules) to control mail flow. All of these features work together to help minimize the
exposure of your internal Exchange to threats on the Internet.
Because the Edge Transport server is installed in the perimeter network, it's never a member of your
organization's internal Active Directory forest and doesn't have access to Active Directory information. However,
the Edge Transport server requires data that resides in Active Directory: for example, connector information for
mail flow and recipient information for antispam recipient lookup tasks. This data is synchronized to the Edge
Transport server by the Microsoft Exchange EdgeSync service (EdgeSync). EdgeSync is a collection of processes
run on an Exchange 2016 or Exchange 2019 Mailbox server to establish one-way replication of recipient and
configuration information from Active Directory to the Active Directory Lightweight Directory Services (AD LDS )
instance on the Edge Transport server. EdgeSync copies only the information that's required for the Edge
Transport server to perform antispam configuration tasks and to enable end-to-end mail flow. EdgeSync performs
scheduled updates so the information in AD LDS remains current. For more information about Edge
Subscriptions and EdgeSync, see Edge Subscriptions.
You can install more than one Edge Transport server in the perimeter network. Deploying more than one Edge
Transport server provides redundancy and failover capabilities for your inbound message flow. You can load
balance the SMTP traffic to your organization among Edge Transport servers by defining more than one MX
record with the same priority value for your mail domain. You can achieve consistency in the configuration among
multiple Edge Transport servers by using cloned configuration scripts.
The Edge Transport server role lets you manage the following message-processing scenarios.
Antispam protection
In Exchange Server, antispam features provide services to block unsolicited commercial email (spam) at the
network perimeter.
Spammers use a variety of techniques to send spam into your organization. Edge Transport servers help prevent
users from ever receiving spam by providing a collection of agents that work together to provide different layers
of spam filtering and protection. Establishing tarpitting intervals on connectors makes email harvesting attempts
ineffective.
Address rewriting
Address rewriting presents a consistent email address appearance to external recipients. You configure address
rewriting on Edge Transport servers to modify the SMTP addresses on inbound and outbound messages.
Address rewriting is especially useful for newly merged organizations that want to present a consistent email
address appearance.
Edge Subscriptions
8/23/2019 • 15 minutes to read • Edit Online
Edge Subscriptions are used to populate the Active Directory Lightweight Directory Services (AD LDS ) instance
on the Edge Transport server with Active Directory data. Although creating an Edge Subscription is optional,
subscribing an Edge Transport server to the Exchange organization provides a simpler management experience
and enhances antispam features. You need to create an Edge Subscription if you plan to use recipient lookup or
safelist aggregation, or if you plan to help secure SMTP communications with partner domains by using Mutual
Transport Layer Security (MTLS ).
NOTE
Port 50389/TCP is used locally by LDAP to bind to the AD LDS instance. This port doesn't have to be open on the
firewall; it's used locally on the Edge Transport server.
If your environment requires specific ports, you can modify the ports used by AD LDS using the
ConfigureAdam.ps1 script provided with Exchange. Modify the ports before you create the Edge
Subscription. If you modify the ports after you create the Edge Subscription, you need to remove the Edge
Subscription and create another one.
Verify that DNS host name resolution is successful from the Edge Transport server to the Mailbox
servers and from the Mailbox servers to the Edge Transport server
Configure the following transport settings for propagation to the Edge Transport server
Internal SMTP servers: Use the InternalSMTPServers parameter on the Set-TransportConfig
cmdlet to specify a list of internal SMTP server IP addresses or IP address ranges to be ignored by
the Sender ID and Connection Filtering agents on the Edge Transport server.
Accepted domains: Configure all authoritative domains, internal relay domains, and external relay
domains.
Remote domains: Configure the settings for the default remote domain object (used for recipients
in all remote domains), and configure remote domain objects as required for recipients in specific
remote domains.
Create and export an Edge Subscription file on the Edge Transport server
When you create an Edge Subscription file by running the New-EdgeSubscription cmdlet on the Edge
Transport server, the following actions occur:
An AD LDS account called the EdgeSync bootstrap replication account (ESBRA) is created. These ESBRA
credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. This
account is configured to expire 24 hours after being created. Therefore, you need to complete the five-step
subscription process described in the previous section within 24 hours. If the ESBRA expires before the
Edge Subscription process is complete, you will need to run the New-EdgeSubscription cmdlet again to
create a new Edge Subscription file.
The ESBRA credentials are retrieved from AD LDS and written to the Edge Subscription file. The public key
for the Edge Transport server's self-signed certificate is also exported to the Edge Subscription file. The
credentials written to the Edge Subscription file are specific to the server that exported the file.
Any previously created configuration objects on the Edge Transport server that will now be replicated to
AD LDS from Active Directory are deleted from AD LDS, and the Exchange Management Shell cmdlets
used to configure those objects are disabled. However, you can still use the Get-* cmdlets to view those
objects. Running the New-EdgeSubscription cmdlet disables the following cmdlets on the Edge
Transport server:
Set-SendConnector
New-SendConnector
Remove-SendConnector
New-AcceptedDomain
Set-AcceptedDomain
Remove-AcceptedDomain
New-RemoteDomain
Set-RemoteDomain
Remove-RemoteDomain
This example creates and exports the Edge Subscription file on the Edge Transport server.
NOTE
When you run the New-EdgeSubscription cmdlet on the Edge Transport server, you receive a prompt to acknowledge the
commands that will be disabled and the configuration that will be overwritten on the Edge Transport server. To bypass this
confirmation, you need to use the Force parameter. This parameter is useful when you script the New-EdgeSubscription
cmdlet. You can also use the Force parameter to overwrite an existing file when you resubscribe an Edge Transport server.
NOTE
The default values of the CreateInternetSendConnector and CreateInboundSendConnector parameters are both $true , so
you don't need to use them in this command.
PROPERTY VALUE
AddressSpaces SMTP:--;1
The -- value in the address space represents all
authoritative and internal relay accepted domains for the
Exchange organization. Any messages the Edge Transport
server receives for these accepted domains are routed to this
Send connector and relayed to the smart hosts.
Enabled True
DNSRoutingEnabled False
SmartHosts --
The -- value in the list of smart hosts represents all Mailbox
servers in the subscribed Active Directory site. Any Mailbox
servers you add to the subscribed Active Directory site after
you establish the Edge Subscription don't participate in the
EdgeSync synchronization process. However, they are
automatically added to the list of smart hosts for the
automatically created inbound Send connector. If more than
one Mailbox server is located in the subscribed Active
Directory site, inbound connections will be load balanced
across the smart hosts.
You can't modify the address space or list of smart hosts at creation time for the automatically created inbound
Send connector. However, you can set the CreateInboundSendConnector parameter to the value $false when
you create an Edge Subscription. This allows you to manually configure a Send connector from the Edge
Transport server to the Exchange organization.
Outbound Send connector to send messages to the Internet
When you run the New-EdgeSubscription cmdlet on the Mailbox server, the CreateInternetSendConnector
parameter is set to the value $true . This creates the Send connector needed to send messages from the
Exchange organization to the Internet. The following table shows the default configuration of this Send connector.
Automatic Internet Send connector configuration
PROPERTY VALUE
AddressSpaces SMTP:*;100
Enabled True
DNSRoutingEnabled True
DomainSecureEnabled True
If more than one Edge Transport server is subscribed to the same Active Directory site, no additional Send
connectors to the Internet are created. Instead, all Edge Subscriptions are added to the same Send connector as
the source server. This load balances outbound connections to the Internet across the subscribed Edge Transport
servers.
The outbound Send connector is configured to send email messages from the Exchange organization to all
remote SMTP domains, using DNS routing to resolve domain names to MX resource records.
After you've subscribed an Edge Transport server to an Active Directory site in your Exchange organization as
described in Edge Subscriptions, you might need to perform maintenance tasks on the Edge Subscription. These
tasks are described in this topic.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Remove-EdgeSubscription <EdgeTransportServerIdentity>
For example, to remove the Edge Subscription on the Edge Transport server named Edge01, run the
following command.
Remove-EdgeSubscription Edge01
2. To remove the Edge Subscription from the Mailbox server, use the following syntax.
Remove-EdgeSubscription <EdgeTransportServerIdentity>
For example, to remove the Edge Subscription for the Edge Transport server named Edge01 on a Mailbox
server in the subscribed Active Directory site, run the following command.
Remove-EdgeSubscription Edge01
We recommend that you use the Edge Subscription process to establish mail flow between your
Exchange organization and an Edge Transport server as described in Edge Subscriptions. However, certain
situations may prevent you from subscribing the Edge Transport server to your Exchange organization. To
manually establish mail flow between your Exchange organization and an unsubscribed Edge Transport server, you
need to manually create and/or modify the following Send connectors and Receive connectors:
On the Edge Transport server:
Create a dedicated Send connector to only send messages to the internet.
Create a dedicated Send connector to only send messages to Mailbox servers in the Exchange organization.1
Create a dedicated Receive connector to only receive messages from Mailbox servers in the Exchange
organization2
Modify the default Receive connector to only accept messages only from the internet.
On a Mailbox server:
Create a dedicated Send connector to relay outgoing messages to the Edge Transport server
1The Send connector that's created by an EdgeSync subscription for delivering email into the Exchange
organization is configured to use Exchange Server (GSSAPI) authentication. The EdgeSync subscription identifies
the Edge Transport server as an Exchange server to the internal Active Directory forest, which also allows Exchange
Server authentication. By definition, there is no EdgeSync subscription in this scenario, so you'll need to improvise:
You can configure Basic authentication over TLS to provide authentication and encryption for email traffic
between the Edge Transport server and the internal Exchange organization. This method has the following
issues:
You need to configure an Active Directory account that belongs to the Exchange Servers universal
security group for authentication on the Send connector that relays messages from the Edge
Transport server to the internal Exchange organization. Be sure to safeguard the account credentials,
and you can configure the account to allow logon only to specific computers. You also need a local
account on the Edge Transport server for authentication on the Send connector that relays messages
from the internal Exchange organization to the Edge Transport server.
Messages coming from these Send connectors will be seen as authenticated SMTP by the destination
Mailbox server. This means the default Receive connector named Client Frontend <ServerName> in
the Front End Transport service will accept the messages on port 587, and the messages are accepted
in the backend Transport service using the default Receive connector named Client Proxy
<ServerName> on port 465.
To provide encryption, you need to use a certificate. The self-signed certificate on the Edge Transport
server won't be recognized by the internal Exchange Organization (again, the EdgeSync subscription
usually takes care of this). You'll need to manually import the self-signed certificate on each Mailbox
or use a certificate from a trusted third-party certification authority.
If you don't want the messages coming from the Edge Transport server to be identified as authenticated
SMTP and therefore using the corresponding client Receive connectors, you can use Externally Secured as
the authentication method, which means email traffic between the Edge Transport server and the internal
Exchange organization isn't authenticated or encrypted by Exchange. If you use this method, you must
configure and use an external encryption method (for example, IPsec or a VPN ).
2Instead of a dedicated Receive connector, you can configure and use the default Receive connector
on the Edge
Transport server for both incoming internet messages and incoming messages from internal Mailbox servers (an
EdgeSync subscription uses this Receive connector for both connections).
For more information about Send connectors, see Send connectors. For more information about Receive
connectors, see Receive connectors.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
New-SendConnector -Name "To Internal Org" -Usage Internal -AddressSpaces "--" -DNSRoutingEnabled $false -
SmartHosts mbxserver01.contoso.com,mbxserver02.contoso.com -SmartHostAuthMechanism BasicAuthRequireTLS -
AuthenticationCredential (Get-Credential)
Set-ReceiveConnector -Identity "Default internal Receive connector ServerName>" -Name "From Internet" -Bindings
10.1.1.1:25
Get-SendConnector | Format-List
Name,Usage,AddressSpaces,SourceTransportServers,DSNRoutingEnabled,SmartHosts,SmartHostAuthMechanism; Get-
ReceiveConnector | Format-List Name,Usage,AuthMechanism,Bindings,RemoteIPRanges
Address rewriting in Exchange Server modifies the email addresses of senders and recipients in messages that
enter or leave your organization through an Edge Transport server. Two transport agents on the Edge Transport
server provide the rewriting functionality: the Address Rewriting Inbound Agent and the Address Rewriting
Outbound Agent. The primary reason for address rewriting on outbound messages is to present a single,
consistent email domain to external recipients. The primary reason for address rewriting on inbound messages is
to deliver messages to the correct recipient.
The address rewrite entry, which you create, specifies the internal addresses (the email addresses you want to
change) and the external addresses (the final email addresses you want). You can specify whether email addresses
are rewritten in inbound and outbound messages, or in outbound messages only. You can create address writing
entries for a single user (chris@contoso.com to support@contoso.com), a single domain (contoso.com to
fabrikam.com), or for multiple subdomains with exceptions (*.fabrikam.com to contoso.com, except
legal.fabrikam.com).
IMPORTANT
Regardless of how you plan to use address rewriting, you need to verify that the resulting email addresses are unique in your
organization so you don't end up with duplicates. Address rewriting doesn't verify the uniqueness of a rewritten email
address.
To configure address rewriting, see Address rewriting procedures on Edge Transport servers.
You can create address rewrite entries on Edge Transport servers that apply to a single recipient, a specific domain
or subdomain, or multiple subdomains. Address rewriting can be outbound only, or inbound and outbound
(bidirectional). When you create address rewrite entries, remember the following:
Verify that the resulting email addresses are unique in your organization.
Only literal strings are supported in the email address values.
The wildcard character (*) is supported only in the internal address (the addresses you want to change).
Valid syntax for using the wildcard character is *.contoso.com. The values *contoso.com or sales.*.com
are not allowed.
When you use the wildcard character, you need to configure the address rewriting as outbound only (you
need to set the OutboundOnly parameter to the value $true ), and outbound only address rewriting
requires that you configure the rewritten email address as a proxy address on the affected recipients.
By default, address rewriting is bidirectional for a single recipient, or for a specific domain or subdomain
(the default value for the OutboundOnly parameter is $false ).
For more information about address rewriting, see Address rewriting on Edge Transport servers.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Get-AddressRewriteEntry
The following example displays the details of the address rewrite entry named Rewrite Contoso.com to
Northwindtraders.com:
This example rewrites the email address of all messages entering and leaving the Exchange organization for
joe@contoso.com. Outbound messages are rewritten so they appear to come from
support@nortwindtraders.com. Inbound messages sent to support@northwindtraders.com are rewritten to
joe@contoso.com for delivery to the recipient (the OutboundOnly parameter is $false by default).
New-AddressRewriteEntry -Name "joe@contoso.com to support@northwindtraders.com" -InternalAddress
joe@contoso.com -ExternalAddress support@northwindtraders.com
This example rewrites the email addresses of all messages entering and leaving the Exchange organization for the
contoso.com domain. Outbound messages are rewritten so they appear to come from the fabrikam.com domain.
Inbound messages sent to fabrikam.com email addresses are rewritten to contoso.com for delivery to the
recipients (the OutboundOnly parameter is $false by default).
This example rewrites the email addresses of all messages leaving the Exchange organization for the
sales.contoso.com subdomain. Outbound messages are rewritten so they appear to come from the contoso.com
domain. Inbound messages sent to contoso.com email addresses aren't rewritten.
This example rewrites the email addresses of all messages leaving the Exchange organization for the contoso.com
domain and all subdomains. Outbound messages are rewritten so they appear to come from the contoso.com
domain. Inbound messages sent to contoso.com recipients can't be rewritten, because a wildcard is used in the
InternalAddress parameter.
This example is just like the previous example, except now messages sent from the legal.contoso.com and
corp.contoso.com subdomains are never rewritten:
2. From a mailbox that's affected by the address rewrite entry, send a test message to an external mailbox.
Verify the test message appears to originate from the rewritten email address.
3. Reply to the test message from the external mailbox. Verify the original mailbox receives the reply.
This example modifies the following properties of the address rewrite entry named "joe@contoso.com to
support@nortwindtraders.com":
Changes the external address to support@northwindtraders.net.
Changes the name of the address rewrite entry to "joe@contoso.com to support@northwindtraders.net".
Changes the value of OutboundOnly to $true . Note that this change requires you to configure
support@northwindtraders.net as a proxy address on Joe's mailbox.
This example changes the internal address value of the address rewrite entry named "Northwind Traders to
Contoso".
This example replaces the existing exception list for the address rewrite entry named Contoso to Northwind
Traders with the values marketing.contoso.com and legal.contoso.com:
To add or remove exception list values without affecting other exception list entries, use the following syntax:
This example adds finanace.contoso.com and removes marketing.contoso.com from the exception list of the
address rewrite entry named Contoso to Northwind Traders:
2. From a mailbox that's affected by the address rewrite entry, send a test message to an external mailbox.
Verify the test message appears to originate from the rewritten email address.
3. From the external mailbox, reply to the test message. Verify the original mailbox receives the reply.
Remove-AddressRewriteEntry <AddressRewriteEntryIdentity>
This example removes the address rewrite entry named "Contoso.com to Northwindtraders.com":
Get-AddressRewriteEntry | Remove-AddressRewriteEntry
This example simulates the removal of address rewrite entries that contain the text "to contoso.com" in the name.
The WhatIf switch allows you to preview the result without committing any changes.
If you're satisfied with the result, run the command again without the WhatIf switch to remove the address rewrite
entries.
You can bulk-create or import address rewriting information into an Edge Transport server by using a comma-
separated value (CSV ) file. The following list describes common scenarios that require you to do this:
You are replacing an address rewriting solution with an Edge Transport server.
You enter into an agreement with a third-party solution provider that requires you to rewrite their email
addresses.
You acquire another organization, and you need to temporarily rewrite the email addresses in the acquired
organization.
You can use a spreadsheet application like Microsoft Excel to create the CSV file. Format the file as described in this
topic and save it as a .csv file.
The first row, or header row, of the CSV file lists the names of the parameters. Each parameter is separated by a
comma. The required and optional parameters are described in the following table.
Each row under the header row represents an individual address rewrite entry. The values in each row need to be in
the same order as the parameter names in the header row. Each value is separated by a comma.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Name,InternalAddress,ExternalAddress,ExceptionList,OutboundOnly
"Wingtip
UK",*.wingtiptoys.co.uk,tailspintoys.com,"legal.wingtiptoys.co.uk,finance.wingtiptoys.co.uk,support.wingtiptoys
.co.uk",True
"Wingtip
USA",*.wingtiptoys.com,tailspintoys.com,"legal.wingtiptoys.com,finance.wingtiptoys.com,support.wingtiptoys.com,
corp.wingtiptoys.com",True
"Wingtip
Canada",*.wingtiptoys.ca,tailspintoys.com,"legal.wingtiptoys.ca,finance.wingtiptoys.ca,support.wingtiptoys.ca",
True
This example imports the address rewrite entries from C:\My Documents\ImportAddressRewriteEntries.csv.
Get-AddressRewriteEntry
To see details about a specific address rewrite entry, replace <AddressRewriteIdentity> with the name of the
address rewrite entry, and run the following command:
In Exchange Server, the Client Access services on Mailbox servers provide authentication and proxy services for
internal and external client connections. The Client Access services are stateless, so data isn't queued or stored in
them. In Exchange Server, the Client Access services are part of the Mailbox server, so you can't configure a
standalone Client Access server like you could in previous versions of Exchange. For more information, see Client
access protocol architecture.
Client connectivity in Exchange 2016 and Exchange 2019 is similar to Exchange 2013, but different from Exchange
2010:
Outlook clients use MAPI over HTTP or Outlook Anywhere (RPC over HTTP ). In Exchange 2016 and
Exchange 2019, MAPI over HTTP is enabled by default.
Exchange 2016 and Exchange 2019 require fewer namespaces for site-resilient solutions than Exchange
2010. For more information, see Namespace Planning in Exchange 2016.
The Exchange admin center (EAC ) is the web-based management console in Exchange Server that's
optimized for on-premises, online, and hybrid Exchange deployments. The EAC was introduced in Exchange
Server 2013, and replaces the Exchange Management Console (EMC ) and the Exchange Control Panel
(ECP ), which were the two management interfaces in Exchange Server 2010.
Looking for the Exchange Online version of this topic? See Exchange admin center in Exchange Online.
Looking for the Exchange Online Protection version of this topic? See Exchange admin center.
Note: External users who connect to Outlook on the web (formerly known as Outlook Web
App) also need access to the EAC to access their own Options page. You can disable external
administrator access to the EAC while still allowing users to access their Options page in
Outlook on the web. For more information, see Turn off access to the Exchange admin center.
The easiest way to find the internal and external URL values for the EAC (without using Servers > Virtual
directories in the EAC itself) is by using the Get-EcpVirtualDirectory cmdlet in the Exchange
Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange
organization, see Open the Exchange Management Shell.
These examples show you how to find the internal and external URL values for the EAC virtual directories
in your organization:
To find the values on all Exchange servers in your organization, run the following command:
Get-EcpVirtualDirectory | Format-List Server,Name,*Url
To find the values on the server named Mailbox01, run the following command:
To find the value for the virtual directory named "ecp (Default Web Site)" on the server named
Mailbox01, run the following command.
If your mailbox is located on an Exchange 2016 Mailbox server, and you want to access the ECP on
the Exchange 2010 Client Access server named CAS01, use the following URL:
https://CAS01/ecp/?ExchClientVer=14 .
1: Cross-premises navigation
The cross-premises navigation allows you to easily switch between your Exchange Online and on-premises
Exchange deployments. If you don't have an Exchange Online organization, the Office 365 link takes you to
a page that compares plans and pricing for Office 365 services.
2: Feature pane
The feature pane is the first level of navigation for most of the tasks that you'll perform in the EAC, and is
organized by the following feature areas:
Recipients: Manage mailboxes, groups, resource mailboxes (room and equipment mailboxes),
contacts, shared mailboxes, and mailbox migrations and moves. For more information, see the
following topics:
Create user mailboxes in Exchange Server and Manage user mailboxes
Manage distribution groups and Manage dynamic distribution groups
Create and manage room mailboxes
Manage mail contacts and Manage mail users
Create shared mailboxes in the Exchange admin center
Permissions: Manage role-based access control (RBAC ) administrator roles, user roles, and Outlook
on the web policies. For more information, see the following topics.
Manage role groups , Manage role group members, and Manage role assignment policies.
Outlook on the web mailbox policies
Compliance management: This is where you'll manage In-Place eDiscovery, In-Place Hold,
auditing (mailbox audit logging and administrator audit logging), data loss prevention (DLP ),
retention policies, retention tags, and journal rules. For more information, see the following topics:
In-Place eDiscovery in Exchange Server and In-Place Hold and Litigation Hold in Exchange
Server
Mailbox audit logging in Exchange Server and Administrator audit logging in Exchange
Server
Data loss prevention in Exchange Server
Retention policies and Retention tags.
Journaling in Exchange Server
Organization: Manage federated sharing, Outlook Apps, and address lists. For more information,
see the following topics:
Sharing
Install or Remove Apps for Outlook for Your Organization
Address lists in Exchange Server
Protection: Manage antimalware protection for your organization. For more information, see
Antimalware protection in Exchange Server.
Mail flow: Manage mail flow rules (also known as transport rules), delivery reports, accepted
domains, remote domains, email address policies, Receive connectors, and Send connectors. For
more information, see the following topics:
Mail flow rules in Exchange Server
Track messages with delivery reports
Address lists in Exchange Server
Accepted domains in Exchange Server
Remote Domains
Email address policies in Exchange Server
Receive connectors
Send connectors
Mobile: Manage the mobile devices that you allow to connect to your organization. You can manage
mobile device access and mobile device mailbox policies. For more information, see the following
topics:
Mobile devices
Mobile device mailbox policies
Public folders: Manage public folders and public folder mailboxes. For more information, see Public
folders.
Unified Messaging: Manage UM dial plans and UM IP gateways. (UM is not available in Exchange
2019.) For more information, see the following topics:
UM Dial Plans
UM IP Gateways
Servers: View and manage server-specific settings, databases, database availability groups (DAGs),
virtual directories, and certificates. For more information, see the following topics:
POP3 and IMAP4 in Exchange Server
Configure the Startup Mode on a Client Access Server and Configure the Startup Mode on a
Mailbox Server
Message retry, resubmit, and expiration intervals
Configure message tracking , Configure connectivity logging in Exchange Server, and
Protocol logging
Manage Outlook Anywhere
Manage mailbox database copies
Manage database availability groups
Virtual Directory Management
Certificate procedures in Exchange Server
Hybrid: Set up and configure a Hybrid organization.
Tools: Check your Exchange server with the Office 365 Best Practices Analyzer. For more
information, see About the Office 365 Best Practices Analyzer for Exchange Server.
3: Tabs
The tabs are your second level of navigation. Typically, each feature pane contains multiple tabs that
represent complete features. However, the Tools and Hybrid panes each contain only one tab: the Checks
tab to install and run the Office 365 Best Practices Analyzer, or the Setup tab that allows you to run the
Hybrid Configuration Wizard, or modify the settings of your existing hybrid deployment.
4: Toolbar
When you click most tabs, you'll see a toolbar. The toolbar has icons that perform specific actions. The
following table describes the most common icons and their actions. To see the action that's associated with
an icon (the icon's title), simply hover over the icon.
5: List view
Tabs that contain many objects display those objects in a list view. The viewable limit in the EAC list view is
approximately 20,000 objects. Paging is included so you can skip to the results that you want to see. In the
Recipients list view, you can also configure page size and export the data to a CSV file.
6: Details pane
When you select an object from the list view, more information about that object is displayed in the details
pane. For some object types, the details pane includes quick management tasks. For example, if you
navigate to Recipients > Mailboxes and select a mailbox from the list view, the details pane (among other
options) displays an option to enable or disable the archive for that mailbox.
Some object types also allow you to bulk edit multiple objects in the details pane. You can select multiple
objects in the list view by selecting an object, holding the Shift key, and selecting an object farther down in
the list, or by holding down the CTRL key as you select each object. If bulk edit is available for the object
types that you selected, you'll see the available options in the details pane. For example, at Recipients >
Mailboxes, when you select multiple mailboxes of the same type, the title of the details pane changes to
Bulk Edit, and you can update contact and organization information, custom attributes, mailbox quotas,
Outlook on the web settings, and more.
7: Notifications
The EAC includes a notification viewer that displays information about:
Expiring and expired certificates.
The status of mailbox moves and migrations (also known as Mailbox Replication Service tasks or
MRS tasks). You can also use the notification viewer to opt-in to receive email notifications about
these tasks.
Exporting mailbox content to .pst files.
To show or hide the notification viewer, click the icon ( ).
Notifications are alerts that are sent to the arbitration mailbox named
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 . The EAC checks this mailbox for alerts every 30
seconds. Notifications remain in the arbitration mailbox until they are removed by the component that sent
them, or until they expire (they should be removed by the Managed Folder Assistant after 30 days).
You can also use the Get-Notification cmdlet in the Exchange Management Shell to view more details
about notifications, and the Set-Notification cmdlet to request notification emails for future alerts.
8: Me tile and Help
The Me tile allows you to sign out of the EAC and sign in as a different user by clicking on the drop-down
menu that's next to your account name.
Click the help icon ( ) to view the help content for the tab that you're currently on. If you click on the drop-
down menu that's next to the help icon, you can perform the following additional actions:
Disable Help bubble: The Help bubble displays contextual help for fields when you create or edit
objects in the EAC. From here, you can globally turn off or turn on the Help bubble for all fields in
the EAC.
Performance console: The Performance console displays many counters that relate to the
performance of the EAC.
Copyright and Privacy: Click these links to read the copyright and privacy information for
Exchange Server.
Supported browsers
The levels of support for operating system and browser combinations that you can use to access the EAC
are described in the following tables.
Notes:
The levels of support for the EAC are:
Supported: All functionality and features are supported and have been fully tested.
Unsupported: The browser and operating system combination isn't supported, or hasn't
been tested. For more information about supported versions of Internet Explorer on
Windows, see Internet Explorer Support Announcement.
n/a: The browser and operating system combination isn't possible. For example, an older
browser on a newer operating system, or vice-versa.
Operating system and browser combinations that aren't listed are unsupported. This includes iOS,
Android, and Windows Phone.
Third-party plug-ins might cause issues with the EAC for supported browsers.
Client operating systems
WEB BROWSER WINDOWS 7 WINDOWS 8.1 WINDOWS 10 MAC OS X LINUX
The Exchange admin center (EAC ) is the primary management interface for Exchange 2013 or later. For more
information, see Exchange admin center in Exchange Server. By default, access to the EAC isn't restricted, and
access to Outlook on the web (formally known as Outlook Web App) on an on an Internet-facing Exchange server
also gives access to the EAC. You still need valid credentials to sign in to the EAC, but organizations may want to
restrict access to the EAC for client connections from the Internet.
In Exchange Server 2019, you can use Client Access Rules to block client access to the EAC. For more information,
see Client Access Rules in Exchange Server.
The EAC virtual directory is named ECP, and is managed by the *- ECPVirtualDirectory cmdlets. When you set
the AdminEnabled parameter to the value $false on the EAC virtual directory, you disable access to the EAC for
internal and external client connections, without affecting access to the Settings > Options page in Outlook on
the web.
But, this configuration introduces a new problem: access to the EAC is completely disabled on the server, even for
administrators on the internal network. To fix this issue, you have two choices:
Configure a second Exchange server that's only accessible from the internal network to handle internal EAC
connections.
On the existing Exchange server, create a new Internet Information Services (IIS ) web site with new virtual
directories for the EAC and Outlook on the web that's only accessible from the internal network.
Note: You need to configure the EAC and Outlook on the web in the new web site, because the EAC
requires the Outlook on the web authentication module from the same web site.
This example turns disables access to the EAC on the server named MBX01.
When you open https://<servername>/ecp or from the internal network, your own Settings > Options page in
Outlook on the web opens instead of the EAC.
If the value is False , replace <Server> with the name of the server, and run the following command:
Option 2: Create a new web site on the existing Exchange server, and configure the EAC and Outlook on the
web in the new web site for the internal network
The required steps are:
1. Add a second IP address to the Exchange server.
2. Create a new web site in IIS that uses the second IP address, and assign file and folder permissions.
3. Copy the contents of the default web sites to the new web site.
4. Create new EAC and Outlook on the web virtual directories for the new web site.
5. Restart IIS for the changes to take effect.
IMPORTANT
When you install an Exchange Server Cumulative Update (CU), the CU won't update files in the new web site and virtual
directories. After you apply the CU, you need to completely remove the new web site, virtual directories, and content in the
folders and then re-create the new web site, virtual directories, and content in the folders.
2. In the properties of the network adapter, select Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. In the Internet Protocol Version 4 (TCP/IPv4) Properties window that opens, on the General tab, click
Advanced.
4. In the Advanced TCP/IP Settings window that opens, on the IP Settings tab, in the IP addresses
section, click Add and enter the IP address.
Note: If you add a second network adapter, in the Advanced TCP/IP Settings window, on the DNS tab,
un-check Register this connection's address in DNS.
Step 2b: Create a new web site in IIS that uses the second IP address, and assign file and folder permissions
1. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to
press Windows key + Q, type inetmgr, and select Internet Information Services (IIS ) Manager in the
results.
2. In the Connections pane, expand the server, select Sites, and in the Actions pane, click Add Website.
3. In the Add Website window that appears, configure the following settings:
Site name: EAC_Secondary
Binding
Type: https
IP address: Select the second IP address that you added in the previous step.
Port: 443
SSL certificate: Choose the certificate that you want to use (for example, the default Exchange
certificate named Microsoft Exchange).
When you're finished, click OK.
b. In the File Explorer window that opens, create the following folders in C:\inetpub\EAC_Secondary :
ecp
owa
a. In IIS Manger, select the EAC_Secondary web site, and in the Actions pane, click Edit Permissions.
b. In the EAC_Secondary Properties window that opens, click the Security tab, and then click Edit.
c. In the Permissions for EAC_Secondary window that opens, click Add.
d. In the Select Users, Computers, Service Accounts or Groups window that opens, perform the
following steps:
i. Click Locations, and in the Locations dialog box that opens, select the local server, and then click OK.
ii. In the Enter the object names to select field, type IIS_IUSRS, click Check Names, and then click OK.
e. Back on the Permissions for EAC_Secondary window, select IIS_IUSRS, and in the Allow column,
select Read & Execute (which automatically selects the List Folder Contents and Read permissions), and
then click OK twice.
Step 2c: Copy the contents of the default web sites to the new web site
Copy all files and folders from the Default Web Site ( C:\inetpub\wwwroot ) to C:\inetpub\EAC_Secondary . You
can skip the following files that can't be copied:
MacCertification.asmx
MobileDeviceCertification.asmx
decomission.asmx
editissuancelicense.asmx
Step 2d: Use the Exchange Management Shell to create new EAC and Outlook on the web virtual directories for the new web site
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the
Exchange Management Shell.
Replace <Server> with the name of your server, and run the following commands to create the new EAC and
Outlook on the web virtual directories for the new web site.
The Autodiscover service minimizes user configuration and deployment steps by providing clients access to
Exchange features. For Exchange Web Services (EWS ) clients, Autodiscover is typically used to find the EWS
endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols.
Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple
forest scenarios.
Exchange 2016 introduced changes to services that were previously handled by the multiple servers. The Mailbox
server now provides Client Access services, so you can't configure a standalone Client Access server like you could
in previous versions of Exchange. Autodiscover service in Exchange 2016 and Exchange 2019 is possible because:
Exchange creates a virtual directory named autodiscover under the default web site in Internet Information
Services (IIS ).
Active Directory stores and provides authoritative URLs for domain-joined computers.
Client Access services on Mailbox servers provide authentication and proxy services for internal and
external client connections.
Outlook configures services with only the user name and password.
NOTE
If you are a user looking for help with connecting your Outlook client to your Exchange server, see Outlook email setup.
IMPORTANT
You need to be assigned permissions before you can run the Set-ClientAccessService cmdlet. To find the permissions
required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange
cmdlet.
Autodiscover makes it easy to retrieve the information that you need to connect to mailboxes on Exchange servers.
SCP objects locate those Autodiscover servers or endpoints appropriate for the user you're retrieving settings for.
And SCP objects in AD DS provide an easy way for domain-joined clients to look up Autodiscover servers.
Exchange publishes two types of SCP objects for the Autodiscover service:
SCP pointers: Contains information that points to specific LDAP servers that should be used to locate
Autodiscover SCP objects for the user's domain. SCP pointers are stamped with the following GUID:
67661d7F -8FC4-4fa7-BFAC -E1D7794C1F68.
SCP URLs: Contains URLs for Autodiscover endpoints. SCP URLs are stamped with the following GUID:
77378F46-2C66-4aa9-A6A6-3E7A48B19596
The SCP object contains the authoritative list of Autodiscover service URLs for the forest. To learn more about
locating Autodiscover service endpoints, see Generate a list of Autodiscover endpoints.
Client connectivity in Exchange 2016 and Exchange 2019 is like Exchange 2013 and differs from Exchange 2010.
In Exchange 2016 and 2019, MAPI over HTTP is enabled by default, when previously Outlook clients used
Outlook Anywhere (RPC over HTTP ). Exchange 2016 and 2019 require fewer name spaces for site-resilient
solutions than Exchange 2010, reducing to two from the previously required seven namespaces. To read more
about namespace and Exchange Server, see the blog Namespace Planning in Exchange 2016.
Depending on whether you configured the Autodiscover service on a separate site, the Autodiscover service URL
will be either of the following values, where //<SMTP-address-domain> is the primary SMTP domain address:
https://<SMTP-address-domain>/autodiscover/autodiscover.xml
https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml
For example, if the user's email address is tony@contoso.com, the primary SMTP domain address is contoso.com.
Client applications use the Autodiscover service when the application starts for the first time. For example when
an Exchange Web Services (EWS ) application starts for the first time, the application configures itself using the
Autodiscover service. For a user's computer joined to the contoso.com domain and in the Longview regional
Active Directory site, the application generates the list of these Autodiscover service endpoints:
ENDPOINT GENERATED BY
For more information about SCP objects, see Publishing Services in Active Directory
Autodiscover in DNS
Exchange introduced namespace requirements for Autodiscover in Exchange 2010 and certificates required
several of them. In a server resilience scenario, all of these elements were required:
Primary datacenter IP namespace
Secondary datacenter IP namespace
Primary Outlook Web App failback namespace
Secondary Outlook Web App failback namespace
Transport namespace (for SMTP )
Primary datacenter RPC Client Access namespace
Secondary datacenter RPC Client Access namespace
Server resiliency scenarios have been improved, reducing the five namespaces to two. This is because Exchange no
longer needs the RPC Client Access namespaces and Client Access services proxy requests to the Mailbox server
that is hosting the active Mailbox database. A Mailbox server in one Active Directory site can proxy a session to a
another Active Directory site's Mailbox server.
What this means is that unique namespaces are no longer required for each datacenter. For example, instead of
mail.contoso.com and mail2.contoso.com, you only need a single namespace, mail.contoso.com, for the datacenter
pair. Additionally, failback namespaces are no longer needed in Database Availability Groups (DAG ) activation
scenarios.
Autodiscover is simple to set up for your domain because it only requires that you create a CNAME resource
record in your external (public) DNS. CNAME records let you hide the implementation details of your network
from the clients that connect to it. Used internally in your network, CNAME records allow users to use the simpler
URI mail.domain.com instead of host.examplemachinename.domain.com.
A CNAME or canonical name record is the DNS equivalent to a Windows shortcut or an Apple Mac alias. A
CNAME record is an alias for an Address (A) record that maps an IP address to the target server. If, for example,
your domain is contoso.com, you create a CNAME record for autodiscover.contoso.com. The name in the CNAME
record must match a name in a certificate. CNAME records work only for hostnames. CNAMEs work externally,
but they don't replace the URL in the browser bar. When the certificate is checked against the URL, you get a
failure with a warning, but you can still access the service.
A typical CNAME record looks like this:
Name: autodiscover
TTL: 3600
RR Type: CNAME
Target: The externally accessible FQDN of the Mailbox server (for example, mail.contoso.com)
In this example, autodiscover.contoso.com resolves to mail.contoso.com. For more information, see Step 4:
Configure external URLs in Configure mail flow and client access on Exchange servers.
We recommend that you create an Autodiscover CNAME record for every domain on your account, including
domain aliases and accepted domains. You need to create either a CNAME or SRV record where your domain is
hosted. Only then you can synchronize your offline address book, show free/busy information and enable the Out
of office feature in Outlook.
Service (SRV ) resource records let you specify the location of the servers for a specific service, protocol, and DNS
domain. For example, if you have two Web servers in your domain, you can create SRV resource records
indicating which hosts serve as Web servers. Resolvers can then retrieve all the SRV resource records for the Web
servers.
A typical SRV record looks like this:
Service: _autodiscover
Protocol: ._tcp
Port Number: 443
Host: mail.contoso.com
Priority: 0
Weight: 0
In this example, the Outlook server namespace is mail.contoso.com.
Read more about CNAME and SRV records in the Outlook team blog, Namespace planning in Exchange 2016.
NOTE
Depending on your DNS provider's requirements, you may need to add the fully qualified domain name (FQDN) as your
hostname. In that case, if your domain is contoso.com, then your hostname would be autodiscover.contoso.com, not
autodiscover.com.
You need to set up a special DNS record for your domain name that points to the server providing Autodiscover
services so that Exchange accounts function correctly in Outlook. For external access, or using DNS, the client
locates the Autodiscover service on the Internet by using the primary SMTP domain address from the user's email
address.
The Autodiscover service uses one of these four methods to configure the email client. The first two work for
small, single SMTP namespace organizations. The last two serve multiple-SMTP namespaces.
Connect to: https://contoso.com/AutoDiscover/AutoDiscover.xml
Connect to: https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml
Autodiscover redirect URL for redirection: http://autodiscover.contoso.com/autodiscover/autodiscover.xml
Search for DNS SRV record
Some of the hostnames and URLs can be configured by using the Exchange admin center (EAC ) and the Exchange
Management Shell, while others require that you use PowerShell. You can learn more about that in Configure mail
flow and client access.
Through the Autodiscover service, Outlook finds a new connection point made up of the user's mailbox. That is,
Autodiscover uses the identification made up of a GUID, plus @, and the domain portion of the user's primary
SMTP address. The Autodiscover service returns the following information to the client:
User's display name
Separate connection settings for internal and external connectivity
Location of the user's mailbox (the Mailbox server that currently holds the active copy of the mailbox)
URLs for various Outlook features that govern functionality such as free/busy information, Unified
Messaging (UM ) in Exchange 2016 (but not in Exchange 2019), and the offline address book (OAB )
Outlook Anywhere server settings
You'll need to make sure that you have configured the correct external URLs for the virtual directories of the
following services. The examples in the table that follows show values required for the contoso.com email domain.
In addition, you may need to set IIS Authentication Methods. You can learn more about that in Setting Up
Standard Authentication Methods for Outlook Web App.
Offline Address Book Get-OabVirtualDirectory | Set- OAB virtual directories used in IIS
OabVirtualDirectory -ExternalURL
https://mail.companycontoso.com/oab
Outlook Anywhere (RPC over HTTP) Get-OutlookAnywhere | Set- Outlook Anywhere virtual directories in
OutlookAnywhere -ExternalHostname IIS
mail.contoso.com -
ExternalClientsRequireSsl $true
Click the Service name in the preceding table for more information about how to obtain or reconfigure these
URLs.
When a user's Exchange information changes, Outlook uses the Autodiscover service to automatically reconfigure
the user's profile. For example, if a user's mailbox is moved. or the client can't connect to the user's mailbox or to
available Exchange features, Outlook will contact the Autodiscover service and automatically update the user's
profile to include the information that's required to connect to the mailbox and Exchange features.
Other clients
Autodiscover service the preferred method to locate all services in Skype for Business Server 2015 . When a
connection is successful, the Autodiscover service returns all the Web Services URLs for the user's home pool,
including the Mobility Service (known as Mcx by the virtual directory created for the service in IIS ), Lync Web App
and Web scheduler URLs. However, both the internal Mobility Service URL and the external Mobility Service URL
is associated with the external Web Services FQDN. Therefore, regardless of whether a mobile device is internal or
external to the network, the device always connects to the Mobility Service externally through reverse proxy. The
Autodiscover service also returns references to Internal/UCWA, External/UCWA and UCWA. These entries refer to
the Unified Communications Web API (UCWA) web component.
NOTE
You can confirm your Autodiscover service by using the Microsoft Remote Connectivity Analyzer. When the connectivity is
successful, also select and run the Outlook Connectivity test. If that fails, you may need to configure the external URLs in
Exchange. The results from the Microsoft Remote Connectivity Analyzer should explain why connectivity failed. Generally, a
connectivity failure means that you don't have the correct external URLs configured for the virtual directories of the various
Outlook services.
You can run the Exchange ActiveSync Autodiscover and Outlook Autodiscover tests in the Microsoft Remote
Connectivity Analyzer. If the user is using a local wireless network to connect to Exchange Online, the user should
run both tests to make sure that the local network allows for connections to the ActiveSync endpoints.
You can get help for planning and deploying Autodiscover services as part of your Exchange deployment in
Planning and deployment for Exchange Server.
Load balancing in Exchange Server
8/23/2019 • 12 minutes to read • Edit Online
Load balancing in Exchange 2016 and later build on the Microsoft high availability and network resiliency platform
delivered in Exchange 2013. When this is combined with the availability of third-party load balancing solutions
(both hardware and software), there are multiple options for implementing load balancing in your Exchange
organization.
Exchange architecture changes introduced in Exchange 2013 brought about the Mailbox server and Client Access
server roles. Compare this to Exchange 2010, where Client Access, Mailbox, Hub Transport, and Unified Messages
ran on separate servers.
Using minimal server roles, Exchange 2016 and 2019 deliver:
Simplified deployment with the Mailbox server running Client Access services and Edge Transport server
roles.
Mail flow managed in the transport pipeline, which is the collection of services, connections, queues, and
components that route messages to the Transport service categoriser on the Mailbox server.
High availability by deploying load balancers to distribute client traffic.
The HTTP protocol standard introduced with Exchange 2013 means that session affinity is no longer required in
Exchange 2016 and Exchange 2019. Session affinity allows a persistent connection for messaging-enabled services
so that a user doesn't have to reenter their user name and password multiple times.
Previously, Exchange 2007 and Exchange 2010 supported RPC over HTTP for Outlook Anywhere. Exchange 2013
introduced MAPI over HTTP, although it wasn't enabled by default. It's now enabled by default in Exchange 2016
and Exchange 2019.
With the HTTP protocol in use, all native clients connect using HTTP and HTTPs in Exchange Server. This standard
protocol removes the need for affinity, which was previously required to avoid a new prompting for user
credentials whenever load balancing redirected the connection to a different server.
Edge Transport Manages all inbound and outbound Internet mail flow using:
• mail relay
• smart hosting
• agents that provide additional antispam service
• agents that apply transport to control mail flow
Not a member of the Active Directory forest
Although not required, the Edge Transport server sits in the perimeter network , just as in earlier Exchange
versions, to provide secure inbound and outbound mail flow for your Exchange organization.
Read more about the transport service in the topic, Understanding the Transport service on Edge Transport
servers.
Be aware that DAGs use Microsoft Clustering Services. These services can't be enabled on the same server as
Windows Network Load Balancing (NLB ). Accordingly, Windows NLB is not an option when using DAGs. There
are third-party software and virtual appliance solutions in this case.
Using DNS is the simplest option for load balancing your Exchange traffic . With DNS load balancing, you only
have to provide your clients with the IP address of every Mailbox server. After that, DNS round robin distributes
that traffic to your Mailbox servers. The HTTP client is smart enough to connect to another server should one
Exchange server fail completely.
Simplicity comes at a price, however. In this case, DNS round robin isn't truly load-balancing the traffic, because
there isn't a way programmatically to make sure that each server gets a fair share of the traffic. Also, there is no
service level monitoring so that when a single service fails, clients are not automatically redirected to an available
service. For example, if Outlook on the web is in failure mode, the clients see an error page.
DNS load balancing requires more external IP addresses when you publish externally. That means that each
individual Exchange server in your organization would require an external IP address.
There are more elegant solutions to load balancing your traffic, such as hardware that uses Transport Layer 4 or
Application Layer 7 to help distribute client traffic. Load balancers monitor each Exchange client-facing service, and
in the event of service failure, load balancers can direct traffic to another server and take the problem server offline.
Additionally, some level of load distribution makes sure that no single Mailbox server is proxying the majority of
client access.
Load balancing services can use Layer 4 or Layer 7, or a combination, to manage traffic. There are benefits and
drawbacks to each solution.
Layer 4 load balancers work at the Transport layer to direct traffic without examining the contents.
Because they don't examine the traffic contents, Layer 4 load balancers save time in transit. However, this
comes with trade-offs. Layer 4 load balancers know only the IP address, protocol, and TCP port. Knowing
only a single IP address, the load balancer can monitor only a single service.
Layer 4 load balancing benefits include:
Requires fewer resources (no content examination).
Distributes traffic at the Transport layer.
The risk with a Layer 4 solution is that if a service fails but the server is still available, clients can
connect to the failed service. This means that a resilient Layer 4 implementation requires multiple IP
addresses configured with separate HTTP namespaces per service, for example, owa.contoso.com,
eas.contoso.com, mapi.contoso.com, which allows for service-level monitoring.
Layer 7 load balancers work at the Application layer and can inspect the traffic content and direct it
accordingly.
Layer 7 load balancers forego the raw performance benefits of Layer 4 load balancing for the simplicity of a
single namespace, for example, mail.contoso.com, and per-service monitoring. Layer 7 load balancers
understand the HTTP path, such as /owa or /Microsoft-Server-ActiveSync, or /mapi, and can direct traffic to
working servers based on monitoring data.
Layer 7 load balancing benefits include:
Needs only a single IP address.
Inspects content and can direct traffic.
Provides notification of failed service that can be taken offline.
Handles load balancer SSL termination.
Distributes traffic at the application layer and understands the destination URL.
SSL should terminate at the load balancer as this offers a centralized place to correct SSL attacks.
The ports that need to be load balanced include some, such as those for IMAP4 or POP3, that may not even be
used in your Exchange organization.
In order for you to use Kerberos authentication with load-balanced Mailbox servers running Client Access services,
you have to complete the configuration steps described in this article.
IMPORTANT
Exchange 2010 and Exchange 2016 can't share the same ASA credential. If your ASA credential was created for Exchange
2010, you have to create a new one for Exchange 2016.
While CNAME records are supported for shared namespaces, Microsoft recommends using A records. This ensures that the
client correctly issues a Kerberos ticket request based on the shared name, and not the server FQDN.
When you set up the ASA credential, keep these guidelines in mind:
Account type: We recommend that you create a computer account instead of a user account. A computer
account doesn't allow interactive logon and may have simpler security policies than a user account. If you
create a computer account, the password doesn't expire, but we recommend you update the password
periodically anyway. You can use local group policy to specify a maximum age for the computer account and
scripts to periodically delete computer accounts that do not meet current policies. Your local security policy
also determines when you have to change the password. Although we recommend you use a computer
account, you can create a user account.
Account name: There are no requirements for the name of the account. You can use any name that
conforms to your naming scheme.
Account group: The account you use for the ASA credential doesn't need special security privileges. If
you're using a computer account then the account needs only to be a member of the Domain Computers
security group. If you're using a user account then the account needs only to be a member of the Domain
Users security group.
Account password: The password you provide when you create the account will be used. So when you
create the account, you should use a complex password and ensure that the password conforms to your
organization's password requirements.
To create the ASA credential as a computer account
1. On a domain-joined computer, run Windows PowerShell or the Exchange Management Shell.
Use the Import-Module cmdlet to import the Active Directory module.
Import-Module ActiveDirectory
2. Use the New-ADComputer cmdlet to create a new Active Directory computer account using this cmdlet
syntax:
Example:
Where EXCH2016ASA is the name of the account, the description Alternate Service Account credentials for
Exchange is whatever you want it to be, and the value for the SamAccountName parameter, in this case
EXCH2016ASA, has to be unique in your directory.
3. Use the Set-ADComputer cmdlet to enable the AES 256 encryption cipher support used by Kerberos
using this cmdlet syntax:
Example:
Where EXCH2016ASA is the name of the account and the attribute to be modified is msDS -
SupportedEncryptionTypes with a decimal value of 28, which enables the following ciphers: RC4-HMAC,
AES128-CTS -HMAC -SHA1-96, AES256-CTS -HMAC -SHA1-96.
For more information about these cmdlets, see Import-Module and New -ADComputer.
Cross-forest scenarios
If you have a cross-forest or resource-forest deployment, and you have users that are outside the Active Directory
forest that contains Exchange, you must configure forest trust relationships between the forests. Also, for each
forest in the deployment, you have to set up a routing rule that enables trust between all name suffixes within the
forest and across forests. For more information about managing cross-forest trusts, see Managing forest trusts.
Based on the FQDNs that are used by the internal Outlook clients in the preceding figure, you have to associate
the following SPNs with the ASA credential:
http/mail.corp.tailspintoys.com
http/autodiscover.corp.tailspintoys.com
Multiple Active Directory sites
If you have multiple Active Directory sites, your environment may resemble the one in the following figure:
Based on the FQDNs that are used by the Outlook clients in the preceding figure, you would have to associate the
following SPNs with the ASA credential that is used by the Mailbox servers running Client Access services in
ADSite 1:
http/mail.corp.tailspintoys.com
http/autodiscover.corp.tailspintoys.com
You would also have to associate the following SPNs with the ASA credential that is used by the Mailbox servers
running Client Access services in ADSite 2:
http/mailsdc.corp.tailspintoys.com
http/autodiscoversdc.corp.tailspintoys.com
4. When you're asked if you want to change the password for the alternate service account, answer Yes.
The following is an example of the output that's shown when you run the
RollAlternateServiceAccountPassword.ps1 script.
Deploy the ASA credential to another Exchange server running Client Access services
1. Open the Exchange Management Shell on an Exchange 2016 or Exchange 2019 server.
2. Change directories to <Exchange 2016 installation directory>\V15\Scripts.
3. Run the following command to deploy the ASA credential to another Exchange 2016 or Exchange 2019
server running Client Access services:
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer cas-2.corp.tailspintoys.com -CopyFrom cas-
1.corp.tailspintoys.com
4. Repeat Step 3 for each server running Client Access services that you want to deploy the ASA credential to.
The following is an example of the output that's shown when you run the
RollAlternateServiceAccountPassword.ps1 script.
Repeat Step 2 on each server running Client Access services for which you want to verify the deployment of
the ASA credential.
The following is an example of the output that's shown when you run the Get-ClientAccessServer command above
and no previous ASA credential was set.
Name : CAS-1
AlternateServiceAccountConfiguration : Latest: 1/12/2016 10:19:22 AM, tailspin\EXCH2016ASA$
Previous: <Not set>
...
The following is an example of the output that's shown when you run the Get-ClientAccessServer command above
and an ASA credential was previously set. The previous ASA credential and the date and time it was set are
returned.
Name : CAS-3
AlternateServiceAccountConfiguration : Latest: 1/12/2016 10:19:22 AM, tailspin\EXCH2016ASA$
Previous: 7/15/2015 12:58:35 PM, tailspin\oldSharedServiceAccountName$
...
Before you associate the SPNs with the ASA credential, you have to verify that the target SPNs aren't already
associated with a different account in the forest. The ASA credential must be the only account in the forest with
which these SPNs are associated. You can verify that no other account in the forest is associated with the SPNs by
running the setspn command from the command line.
Verify an SPN is not already associated with an account in a forest by running the setspn command
1. Press Start. In the Search box, type Command Prompt, then in the list of results, select Command
Prompt.
2. At the command prompt, type the following command:
setspn -F -Q <SPN>
Where <SPN> is the SPN you want to associate with the ASA credential. For example:
setspn -F -Q http/mail.corp.tailspintoys.com
The command should return nothing. If it returns something, another account is already associated with the
SPN. Repeat this step one time for each SPN that you want to associate with the ASA credential.
Associate an SPN with an ASA credential by using the setspn command
1. Press Start. In the Search box, type Command Prompt, and then select Command Prompt in the list of
results.
2. At the command prompt, type the following command:
Where <SPN> is the SPN you want to associate with the ASA credential and <Account> is the account
associated with the ASA credential. For example:
Run this command one time for each SPN that you want to associate with the ASA credential.
Verify you associated the SPNs with the ASA credentials by using the setspn command
1. Press Start. In the Search box, type Command Prompt, and then select Command Prompt in the list of
results.
2. At the command prompt, type the following command:
setspn -L <Account>$
Where <Account> is the account associated with the ASA credential. For example:
setspn -L tailspin\EXCH2016ASA$
3. To enable Kerberos authentication for MAPI over HTTP clients, run the following command on your
Exchange 2016 or Exchange 2019 server that is running Client Access services:
In hybrid environments with Exchange Online or if you use OAuth internally, run the following commands
on your Exchange 2016 or Exchange 2019 server that's running Client Access services:
4. Repeat steps 2 and 3 for each Exchange 2016 or Exchange 2019 server that is running Client Access
services for which you want to enable Kerberos authentication.
Verify Exchange client Kerberos authentication
After you've successfully configured Kerberos and the ASA credential, verify that clients can authenticate
successfully, as described in these tasks.
Verify that the Microsoft Exchange Service Host service is running
The Microsoft Exchange Service Host service (MSExchangeServiceHost) on the server that is running Client
Access services is responsible for managing the ASA credential. If MSExchangeServiceHost isn't running, Kerberos
authentication isn't possible. By default, the service is configured to automatically start when the computer starts.
To verify the Microsoft Exchange Service Host service is started
1. Click Start, type services.msc, and then select services.msc from the list.
2. In the Services window, locate the Microsoft Exchange Service Host service in the list of services.
3. The status of the service should be Running. If the status is not Running, right-click the service, and then
click Start.
Verify Kerberos from the server running Client Access services
When you configured the ASA credential on each server running Client Access services, you ran the Set-
ClientAccessServer cmdlet. After you run this cmdlet, you can use the logs to verify successful Kerberos
connections.
Verify that Kerberos is working correctly by using the HttpProxy log file
1. In a text editor, browse to the folder where the HttpProxy log is stored. By default, the log is stored in the
following folder:
%ExchangeInstallPath%\Logging\HttpProxy\RpcHttp
2. Open the most recent log file, and then look for the word Negotiate. The line in the log file will look
something like the following example:
2014-02-19T13:30:49.219Z,e19d08f4-e04c-42da-a6be-
b7484b396db0,15,0,775,22,,RpcHttp,mail.corp.tailspintoys.com,/rpc/rpcproxy.dll,,Negotiate,True,tailspin\
Wendy,tailspintoys.com,MailboxGuid~ad44b1e0-e44f-4a16-9396-
3a437f594f88,MSRPC,192.168.1.77,EXCH1,200,200,,RPC_OUT_DATA,Proxy,exch2.tailspintoys.com,15.00.0775.000,
IntraForest,MailboxGuidWithDomain,,,,76,462,1,,1,1,,0,,0,,0,0,16272.3359,0,0,3,0,23,0,25,0,16280,1,16274
,16230,16233,16234,16282,?ad44b1e0-e44f-4a16-9396-3a437f594f88@tailspintoys.com:6001,,BeginRequest=2014-
02-19T13:30:32.946Z;BeginGetRequestStream=2014-02-19T13:30:32.946Z;OnRequestStreamReady=2014-02-
19T13:30:32.946Z;BeginGetResponse=2014-02-19T13:30:32.946Z;OnResponseReady=2014-02-
19T13:30:32.977Z;EndGetResponse=2014-02-19T13:30:32.977Z;,PossibleException=IOException;
If you see that the AuthenticationType value is Negotiate, the server is successfully creating Kerberos
authenticated connections.
2. Although you don't have to do this immediately, you should eventually restart all client computers to clear
the Kerberos ticket cache from the computer.
Digital certificates and encryption in Exchange
Server
8/23/2019 • 15 minutes to read • Edit Online
Encryption and digital certificates are important considerations in any organization. By default, Exchange Server is
configured to use Transport Layer Security (TLS ) to encrypt communication between internal Exchange servers,
and between Exchange services on the local server. But, Exchange administrators need to consider their
encryption requirements for communication with internal and external clients (computers and mobile devices),
and external messaging servers.
NOTE
Exchange Server 2019 includes important changes to improve the security of client and server connections. The default
configuration for encryption will enable TLS 1.2 only and disable support for older algorithms, namely; DES, 3DES, RC2, RC4
and MD5. It will also configure elliptic curve key exchange algorithms with priority over non-elliptic curve algorithms. In
Exchange Server 2016 and later, all cryptography settings are inherited from the configuration specified in the operating
system. For additional information, see Exchange Server TLS Guidance.
This topic describes the different types of certificates that are available, the default configuration for certificates in
Exchange, and recommendations for additional certificates that you'll need to use with Exchange.
For the procedures that are required for certificates in Exchange Server, see Certificate procedures in Exchange
Server.
Self-signed certificate The certificate is signed by Cost (free). The certificate isn't
the application that created automatically trusted by
it. client computers and mobile
devices. The certificate needs
to be manually added to the
trusted root certificate store
on all client computers and
devices, but not all mobile
devices allow changes to the
trusted root certificate store.
Difficult to establish an
infrastructure for certificate
lifecycle management. For
example, self-signed
certificates can't be revoked.
Certificate issued by an The certificate is issued by a Allows organizations to issue Increased complexity to
internal CA public key infrastructure their own certificates. deploy and maintain the PKI.
(PKI) in your organization.
An example is Active Less expensive than The certificate isn't
Directory Certificate Services certificates from a automatically trusted by
(AD CS). For more commercial CA. client computers and mobile
information, see Active devices. The certificate needs
Directory Certificate Services to be manually added to the
Overview. trusted root certificate store
on all client computers and
devices, but not all mobile
devices allow changes to the
trusted root certificate store.
Certificate issued by a The certificate is purchased Simplified certificate Cost. You need to plan
commercial CA from a trusted commercial deployment, because all ahead to minimize the
CA. clients, devices, and servers number of certificates that
automatically trust the are required.
certificates.
To prove that a certificate holder is who they claim to be, the certificate must accurately identify the certificate
holder to other clients, devices, or servers. The three basic methods to do this are described in the following table.
Certificate subject match The certificate's Subject field Compatible with all clients, Number of certificates
contains the common name devices, and services. required. You can only use
(CN) of the host. For the certificate for the
example, the certificate Compartmentalization. specified host. For example,
that's issued to Revoking the certificate for a you can't use the
www.contoso.com can be host doesn't affect other www.contoso.com certificate
used for the web site hosts. for ftp.contoso.com, even
https://www.contoso.com. when the services are
installed on the same server.
Complexity. On a web
server, each certificate
requires its own IP address
binding.
METHOD DESCRIPTION ADVANTAGES DISADVANTAGES
Certificate subject alternative In addition to the Subject Convenience. You can use More planning required. You
name (SAN) match field, the certificate's Subject the same certificate for need to provide the list of
Alternative Name field multiple hosts in multiple, hosts when you create the
contains a list of multiple separate domains. certificate.
host names. For example:
• www.contoso.com Most clients, devices, and Lack of
• ftp.contoso.com services support SAN compartmentalization. You
• ftp.eu.fabirkam.net certificates. can't selectively revoke
certificates for some of the
Auditing and security. You specified hosts without
know exactly which hosts affecting all of the hosts in
are capable of using the SAN the certificate.
certificate.
Wildcard certificate match The certificate's Subject field Flexibility. You don't need to You can't use wildcard
contains the common name provide a list of hosts when certificates with other top-
as the wildcard character (*) you request the certificate, level domains (TLDs). For
plus a single domain or and you can use the example, you can't use the
subdomain. For example, certificate on any number of *.contoso.com wildcard
*.contoso.com or hosts that you may need in certificate for *.contoso.net
*.eu.contoso.com. The the future. hosts.
*.contoso.com wildcard
certificate can be used for: You can only use wildcard
• www.contoso.com certificates for host names
• ftp.contoso.com at the level of the wildcard.
• mail.contoso.com For example, you can't use
the *.contoso.com certificate
for www.eu.contoso.com. Or,
you can't use the
*.eu.contoso.com certificate
for www.uk.eu.contoso.com.
Certificates in Exchange
When you install Exchange 2016 or Exchange 2019 on a server, two self-signed certificates are created and
installed by Exchange. A third self-signed certificate is created and installed by Microsoft Windows for the Web
Management service in Internet Information Services (IIS ). These three certificates are visible in the Exchange
admin center (EAC ) and the Exchange Management Shell, and are described in the following table:
NAME COMMENTS
NAME COMMENTS
Microsoft Exchange Server Auth Certificate This Exchange self-signed certificate is used for server-to-
server authentication and integration by using OAuth. For
more information, see Plan Exchange Server integration with
SharePoint and Skype for Business.
The properties of these self-signed certificates are described in the Properties of the default self-signed certificates
section.
These are the key issues that you need to consider when it comes to certificates in Exchange:
You don't need to replace the Microsoft Exchange self-signed certificate to encrypt network traffic between
Exchange servers and services in your organization.
You need additional certificates to encrypt connections to Exchange servers by internal and external clients.
You need additional certificates to force the encryption of SMTP connections between Exchange servers
and external messaging servers.
The following elements of planning and deployment for Exchange Server are important drivers for your certificate
requirements:
Load balancing: Do you plan to terminate the encrypted channel at load balancer or reverse proxy server,
use Layer 4 or Layer 7 load balancers, and use session affinity or no session affinity? For more information,
see Load Balancing in Exchange 2016.
Namespace planning: What versions of Exchange are present, are you using the bound or unbound
namespace model, and are you using split-brain DNS (configuring different IP addresses for the same host
based on internal vs. external access)? For more information, see Namespace Planning in Exchange 2016.
Client connectivity: What services will your clients use (web-based services, POP, IMAP, etc.) and what
versions of Exchange are involved? For more information, see the following topics:
Client Connectivity in an Exchange 2016 Coexistence Environment with Exchange 2013
Client Connectivity in an Exchange 2016 Coexistence Environment with Exchange 2010
Client Connectivity in an Exchange 2016 Coexistence Environment with Mixed Exchange Versions
SERVICE DESCRIPTION
IIS (HTTP) By default, the following services are offered under the default
website in the Client Access (frontend) services on a Mailbox
server, and are used by clients to connect to Exchange:
• Autodiscover
• Exchange ActiveSync
• Exchange admin center
• Exchange Web Services
• Offline address book (OAB) distribution
• Outlook Anywhere (RPC over HTTP)
• Outlook MAPI over HTTP
• Outlook on the web
• Remote PowerShell*
POP or IMAP The certificates that are used for POP or IMAP can be
different from the certificate that's used for IIS. However, to
simplify administration, we recommend that you also include
the host names that are used for POP or IMAP in your IIS
certificate, and use the same certificate for all of these
services.
SERVICE DESCRIPTION
Unified Messaging (UM) For more information, see Deploying Certificates for UM.
Note: UM is not available in Exchange 2019.
Hybrid deployment with Microsoft Office 365 For more information, see Certificate Requirements for Hybrid
Deployments.
Secure/Multipurpose Internet Mail Extensions (S/MIME) For more information, see S/MIME for message signing and
encryption.
*Kerberos authentication and Kerberos encryption are used for remote PowerShell access, from both the
Exchange admin center and the Exchange Management Shell. Therefore, you don't need to configure your
certificates for use with remote PowerShell, as long as you connect directly to an Exchange server (not to a load
balanced namespace). To use remote PowerShell to connect to an Exchange server from a computer that isn't a
member of the domain, or to connect from the Internet, you need to configure your certificates for use with
remote PowerShell.
MICROSOFT EXCHANGE
MICROSOFT EXCHANGE SERVER AUTH CERTIFICATE WMSVC
NotBefore The date/time that Exchange The date/time that Exchange The date/time that the IIS
was installed. was installed. Web Manager service was
installed.
Expires on (NotAfter) 5 years after NotBefore . 5 years after NotBefore . 10 years after NotBefore .
Key usage Digital Signature, Key Digital Signature, Key Digital Signature, Key
Encipherment (a0) Encipherment (a0) Encipherment (a0), Data
Encipherment (b0 00 00 00)
Typically, you don't use Windows Certificate Manger to manage Exchange certificates (use the Exchange admin
center or the Exchange Management Shell). Note that the WMSVC certificate isn't an Exchange certificate.
Certificate procedures in Exchange Server
8/23/2019 • 3 minutes to read • Edit Online
Ensuring that certificates are installed and configured correctly is key to delivering a secure messaging
infrastructure for the enterprise. In Exchange Server you can manage certificates in the Exchange admin center
(EAC ), and in the Exchange Management Shell. Certificate management in the EAC has been improved over
certificate management in the Exchange Management Console in Exchange Server 2010. Specifically, certificate
management in the EAC can help administrators by:
Minimizing the number of certificates that are required.
Minimizing the interaction that's required for certificates.
Allowing the centralized installation and management of certificates on all Exchange servers in the
organization.
For more information about certificates in Exchange, see Digital certificates and encryption in Exchange Server .
The tasks that are associated with certificate management in Exchange are described in the following table.
EXCHANGE
TASK EAC MANAGEMENT SHELL TOPIC COMMENTS
Create a new self- Servers > New- Create a new You can create new
signed certificate on Certificates > select ExchangeCertificate Exchange Server self- self-signed certificates
an Exchange server. the server > Add signed certificate and configure the
> Create a self- certificates for
signed certificate Exchange services in
one step.
Create a new Servers > New- Create an Exchange The procedures are
certificate request Certificates > select ExchangeCertificate Server certificate the same for an
(also known as a the server > Add with the request for a internal CA (for
certificate signing > Create a request GenerateRequest certification authority example, Active
request or CSR) for a for a certificate switch. Directory Certificate
certification authority from a certification Services) or a
(CA). authority commercial CA.
Complete a pending Servers > Import- Complete a pending After you receive the
certificate request on Certificates > select ExchangeCertificate Exchange Server certificate file or files
an Exchange server. the server > select certificate request from the CA, you
the certificate request install them on the
> click the Complete Exchange server.
link in the details
pane.
EXCHANGE
TASK EAC MANAGEMENT SHELL TOPIC COMMENTS
Assign a certificate to Servers > Enable- Assign certificates to The procedures are
Exchange services. Certificates > select ExchangeCertificate Exchange Server the same for self-
the server > select services signed certificates, or
the certificate > Edit certificates that were
> Services tab. issued by a CA.
For certificates issued
by a CA, you can only
assign the certificates
to Exchange services
after you complete
the pending
certificate request
(install the certificate
on the Exchange
server).
Export an existing Servers > Export- Export a certificate You can only export
certificate or Certificates > select ExchangeCertificate from an Exchange valid (unexpired)
certificate request the server > select server certificates where the
from an Exchange the certificate > PrivateKeyExportab
server. More options > le property has the
Export Exchange value True .
Certificate You can only export
pending certificate
requests in the
Exchange
Management Shell.
You can't import an
exported pending
certificate request.
EXCHANGE
TASK EAC MANAGEMENT SHELL TOPIC COMMENTS
Creating a certificate request is the first step in installing a new certificate on an Exchange server to configure
Transport Layer Security (TLS ) encryption for one or more Exchange services. You use a certificate request (also
known as a certificate signing request or CSR ) to obtain a certificate from a certification authority (CA). The
procedures are the same for obtaining certificates from an internal CA (for example, Active Directory Certificate
Services), or from a commercial CA. After you create the certificate request, you send the results to the CA, and
the CA uses the information to issue the actual certificate, which you install later.
You can create certificate requests in the Exchange admin center (EAC ) or in the Exchange Management Shell. The
New Exchange certificate wizard in the EAC can assist you in selecting the host names that are required in the
certificate.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see
Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access services security" entry in the Clients and mobile devices
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example creates a certificate request on the local Exchange server for a wildcard certificate with the following
properties:
SubjectName: *.contoso.com in the United States, which requires the value C=US,CN=*.contoso.com .
RequestFile: \\FileServer01\Data\Contoso Wildcard Cert.req
This example creates a certificate request on the local Exchange server for a SAN certificate with the following
properties:
SubjectName: mail.contoso.com in the United States, which requires the value C=US,CN=mail.contoso.com .
Note that this CN value is automatically included in the DomainName parameter (the Subject
Alternative Name field).
Additional Subject Alternative Name field values:
autodiscover.contoso.com
legacy.contoso.com
mail.contoso.net
autodiscover.contoso.net
legacy.contoso.net
RequestFile: \\FileServer01\Data\Contoso SAN Cert.req
This example creates a request for a single subject certificate with the following properties:
SubjectName: mail.contoso.com in the United States, which requires the value C=US,CN=mail.contoso.com .
RequestFile: \\FileServer01\Data\Mail.contoso.com Cert.req
Notes:
The only required part of the X.500 SubjectName parameter value (the certificate's Subject field) is
CN=<HostNameOrFQDN> . However, the certificate request should always include the C=<CountryOrRegion>
value (otherwise, you might not be able to renew the certificate). Check the Subject field requirements of
your CA.
The RequestFile parameter accepts a local path or a UNC path.
We didn't use the BinaryEncoded switch, so the request is Base64 encoded. The information that's
displayed onscreen is also written to the file, and the contents of the file are what we need to send to the
CA. If we had used the BinaryEncoded switch, the request would have been encoded by DER, and the
certificate request file itself is what we would need to send to the CA.
We didn't use the KeySize parameter, so the certificate request has a 2048 bit RSA public key.
For more information, see New -ExchangeCertificate.
Next steps
The content of a Base64 encoded certificate request file looks like this:
You need to send this information to the CA. How you send it depends on the CA, but typically, you send the
contents of the file in an email message or in the certificate request form on the CA's web site.
If the CA requires a binary certificate request that's encoded by DER (you used the New-ExchangeCertificate
cmdlet with the BinaryEncoded switch), you typically send the whole certificate request file to the CA.
After you receive the certificate from the CA, you need to complete the pending certificate request. For
instructions, see Complete a pending Exchange Server certificate request.
Complete a pending Exchange Server certificate
request
8/23/2019 • 5 minutes to read • Edit Online
Completing a pending certificate request (also known as a certificate signing request or CSR ) is the next step in
configuring Transport Layer Security (TLS ) encryption in Exchange Server. After you receive the certificate from
the certification authority (CA), you install the certificate on the Exchange server to complete the pending
certificate request.
You can complete a pending certificate request in the Exchange admin center (EAC ) or in the Exchange
Management Shell. The procedures are the same for completing new certificate requests or certificate renewal
requests. The procedures are also the same for certificates that were issued by an internal CA (for example, Active
Directory Certificate Services), or a commercial CA.
You might receive one or more of the following types of certificate files CA:
PKCS #12 certificate files: These are binary certificate files that have .cer, .crt, .der, .p12, or .pfx filename
extensions, and require a password when the file contains the private key or chain of trust. The CA might
issue you only one binary certificate file that you need to install (protected by a password), or multiple root
or intermediate binary certificate files that you also need to install.
PKCS #7 certificate files: These are text certificate files that have .p7b or .p7c filename extensions. These
files contain the text: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- or
-----BEGIN PKCS7----- and -----END PKCS7----- . If the CA includes a chain of certificates file with your
binary certificate file, you also need to install the chain of certificates file.
If you renew or replace a certificate that was issued by a CA on a subscribed Edge Transport server, you
need to remove the old certificate, and then delete and recreate the Edge Subscription. For more
information, see Edge Subscription process.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see
Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access services security" entry in the Clients and mobile devices
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example imports the binary certificate file \\FileServer01\Data\Contoso Cert.cer that's protected by the
password P@ssw0rd1 on the local Exchange server.
To import a chain of certificates file (PKCS #7 text files that have .p7b or .p7c filename extensions), use the
following syntax:
This example imports the text certificate file \\FileServer01\Data\Chain of Certificates.p7b on the local Exchange
server.
Import-ExchangeCertificate -FileData "Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Encoding
Byte -Path "\\FileServer01\Data\Chain of Certificates.p7b" -ReadCount 0))]
Notes:
The FileName and FileData parameters accept local paths if the certificate file is located on the Exchange
server where you're running the command, and this is the same server where you want to import the
certificate. Otherwise, use a UNC path.
If you want to be able to export the certificate from the server where you're importing it, you need to use
the PrivateKeyExportable parameter with the value $true .
For more information, see Import-ExchangeCertificate.
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List
FriendlyName,Subject,CertificateDomains,Thumbprint
Next steps
After you complete the pending certificate request by installing the certificate on the server, you need to assign the
certificate to one or more Exchange services before the Exchange server is able to use the certificate for
encryption. For more information, see Assign certificates to Exchange services .
Assign certificates to Exchange Server services
8/23/2019 • 4 minutes to read • Edit Online
After you install a certificate on an Exchange server, you need to assign the certificate to one or more Exchange
services before the Exchange server is able to use the certificate for encryption. You can assign certificates to
services in the Exchange admin center (EAC ) or in the Exchange Management Shell. Once you assign a certificate
to a service, you can't remove the assignment. If you no longer want to use a certificate for a specific service, you
need to assign another certificate to the service, and then remove the certificate that you don't want to use.
The available Exchange services are described in the following table.
SERVICE USES
Unified Messaging (UM) TLS encryption for client connections to the backend UM
service on Exchange 2016 Mailbox servers.
You can only assign a certificate to the UM service when the
UM startup mode property of the service is set to TLS or
Dual. If the UM startup mode is set to the default value TCP,
you can't assign the certificate to the UM service. (Note: UM
is not available in Exchange 2019). For more information, see
Configure the Startup Mode on a Mailbox Server.
SERVICE USES
Unified Messaging Call Router (UMCallRouter) TLS encryption for client connections to the UM Call Router
service in the Client Access services on Exchange 2016
Mailbox servers.
You can only assign a certificate to the UM Call Router
service when the UM startup mode property of the service is
set to TLS or Dual. If the UM startup mode is set to the
default value TCP, you can't assign the certificate to the UM
Call Router service. (Note: UM is not available in Exchange
2019). For more information, see Configure the Startup Mode
on a Client Access Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example assigns the certificate that has the thumbprint value 434AC224C8459924B26521298CE8834C514856AB to
the POP, IMAP, IIS, and SMTP services.
You can find the certificate thumbprint value by using the Get-ExchangeCertificate cmdlet.
When you install Exchange Server, a self-signed certificate that's created and signed by the Exchange server itself
is automatically installed on the server. However, you can also create additional self-signed certificates that you
can use.
You can create self-signed certificates certificate in the Exchange admin center (EAC ) or in the Exchange
Management Shell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example creates a self-signed certificate on the local Exchange server with the following properties:
Subject: <ServerName>. For example, if you run the command on the server named Mailbox01, the value
is Mailbox01 .
Subject alternative names: <ServerName>, <Server FQDN>. For example,
Mailbox01, Mailbox01.contoso.com .
New-ExchangeCertificate
This example creates a creates a self-signed certificate on the local Exchange server with the following properties:
Subject: Exchange01, which requires the value CN=Exchange01 . Note that this value is automatically
included in the DomainName parameter (the Subject Alternative Name field).
Additional subject alternative names:
mail.contoso.com
autodiscover.contoso.com
Exchange01.contoso.com
Exchange02.contoso.com
Services: SMTP, IIS
Friendly name: Contoso Exchange Certificate
The private key is exportable. This allows you to export the certificate from the server (and import it on
other servers).
Notes:
The only required part of the X.500 SubjectName parameter value (the certificate's Subject field) is
CN=<HostNameOrFQDN> .
Some Services parameter values generate warning or confirmation messages. For more information, see
Assign certificates to Exchange Server services .
For more information, see New -ExchangeCertificate.
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List
FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
Renew an Exchange Server certificate
8/23/2019 • 6 minutes to read • Edit Online
Every certificate has a built-in expiration date. In Exchange Server, the default self-signed certificate that's installed
on the Exchange server expires 5 years after Exchange was installed on the server. You can use the Exchange admin
center (EAC ) or the Exchange Management Shell to renew Exchange certificates. This includes Exchange self-
signed certificates, and certificates that were issued by a certification authority (CA).
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
To find the thumbprint value of the certificate that you want to renew, run the following command:
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $false} | Format-List
FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
This example creates a certificate renewal request with the following properties:
Certificate to renew: 5DB9879E38E36BCB60B761E29794392B23D1C054
RequestFile: \\FileServer01\Data\ContosoCertRenewal.req
Notes:
The RequestFile parameter accepts a local path or a UNC path.
We didn't use the BinaryEncoded switch, so the request is Base64 encoded. The information that's displayed
onscreen is also written to the file, and the contents of the file are what we need to send to the CA. If we had
used the BinaryEncoded switch, the request would have been encoded by DER, and the certificate request
file itself is what we would need to send to the CA.
We didn't use the KeySize parameter, so the certificate request has a 2048 bit RSA public key.
For more information, see Get-ExchangeCertificate and New -ExchangeCertificate.
How do you know this worked?
To verify that you have successfully created a certificate renewal request for a certification authority, perform either
of the following steps:
In the EAC at Servers > Certificates, verify the server where you stored the certificate request is selected.
The request should be in the list of certificates with the Status value Pending request.
In the Exchange Management Shell on the server where you stored the certificate request, run the following
command:
Get-ExchangeCertificate | where {$_.Status -eq "PendingRequest" -and $_.IsSelfSigned -eq $false} |
Format-List FriendlyName,Subject,CertificateDomains,Thumbprint
To find the thumbprint value of the certificate that you want to renew, run the following command:
This example renews a self-signed certificate on the local Exchange server, and uses the following settings:
The thumbprint value of the existing self-signed certificate to renew is
BC37CBE2E59566BFF7D01FEAC9B6517841475F2D
The Force switch replaces the original self-signed certificate without a confirmation prompt.
The private key is exportable. This allows you to export the certificate and import it on other servers.
Get-ExchangeCertificate | where {$_.Status -eq "Valid" -and $_.IsSelfSigned -eq $true} | Format-List
FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter
Export a certificate from an Exchange server
8/23/2019 • 2 minutes to read • Edit Online
You can export a certificate from an Exchange server as a backup or to import the certificate on other clients,
devices or servers. You can export certificates in the Exchange admin center (EAC ) or in the Exchange
Management Shell. The resulting certificate file is a password-protected binary PKCS #12 file that contains the
certificate's private key, and is suitable for importing (installing) on other servers.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see
Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access services security" entry in the Clients and mobile devices
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Password: When you export the certificate with its private key, you need to specify a password.
Exporting the certificate with its private key allows you to import the certificate on other servers.
When you're finished, click OK.
This example exports a certificate from the local Exchange server to a file with the following settings:
The certificate that has the thumbprint value 5113ae0233a72fccb75b1d0198628675333d010e is exported to the
file C:\Data\Fabrikam.pfx .
The exported certificate file is encoded by DER (not Base64).
The password for the certificate file is P@ssw0rd1 .
Notes:
The FileName parameter accepts a local path or a UNC path.
You can use a similar procedure to export a pending certificate request (also known as a certificate signing
request or CSR ). For example, if you need to resubmit the certificate request to the certification authority,
and you can't find the original certificate request file. When you export a certificate request, you typically
don't need to use the Password parameter or the BinaryEncoded switch, and you save the request to a .req
file. Note that you can't import an exported certificate request on another server.
For more information, see Export-ExchangeCertificate.
To enable encryption for one or more Exchange services, the Exchange server needs to use a certificate. SMTP
communication between internal Exchange servers is encrypted by the default self-signed certificate that's
installed on the Exchange server. To encrypt communication with internal or external clients, servers, or services,
you'll likely want to use a certificate that's automatically trusted by all clients, services and servers that connect to
your Exchange organization. For more information, see Certificate requirements for Exchange services.
You can import (install) certificates on Exchange servers in the Exchange admin center (EAC ) or in the Exchange
Management Shell.
These are the types of certificate files that you can import on an Exchange server:
PKCS #12 certificate files: These are binary certificate files that have .cer, .crt, .der, .p12, or .pfx filename
extensions, and require a password when the file contains the private key or chain of trust. Examples of
these types of files include:
Self-signed certificates that were exported from other Exchange servers by using the EAC or the
Export-ExchangeCertificate with the PrivateKeyExportable parameter value $true . For more
information, see Export a certificate from an Exchange server .
Certificates that were issued by a certification authority (an internal CA like Active Directory
Certificate Services, or a commercial CA).
Certificates that were exported from other servers (for example, Skype for Business Server).
PKCS #7 certificate files: These are text certificate files that have .p7b or .p7c filename extensions. These
files contain the text: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- or
-----BEGIN PKCS7----- and -----END PKCS7----- . A certificate authority might include a chain of certificates
file that also needs to be installed along with the actual binary certificate file.
In the EAC, you can import the certificate file on multiple Exchange servers at the same time (Step 4 in the
procedure).
To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see
Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Client Access services security" entry in the Clients and mobile devices
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Password: If the certificate file contains the private key or chain of trust, the file is protected by a
password. Enter the password here.
When you're finished, click Next.
4. In the Specify the servers you want to apply this certificate to page, click Add
On the Select a server page that opens, select the Exchange server where you want to install the
certificate, and click Add - >. Repeat this step as many times as necessary. When you're finished selecting
servers, click OK.
When you're finished, click Finish. For next steps, see the Next steps section.
This example imports the certificate file \\FileServer01\Data\Fabrikam.pfx that's protected by the password
P@ssw0rd1 on the local Exchange server.
To import a chain of certificates file (PKCS #7 text files that have .p7b or .p7c filename extensions) that's associated
with a certificate, use the following syntax:
Notes:
You need to repeat this procedure on each Exchange server where you want to import the certificate (run
the command on the server, or use the Server parameter).
The FileName and FileData parameters accept local paths if the certificate file is located on the Exchange
server where you're running the command, and this is the same server where you want to import the
certificate. Otherwise, use a UNC path.
If you want to be able to export the certificate from the server where you're importing it, you need to use
the PrivateKeyExportable parameter with the value $true .
For more information, see Import-ExchangeCertificate.
Next steps
After you install the certificate on the server, you need to assign the certificate to one or more Exchange services
before the Exchange server is able to use the certificate for encryption. For more information, see Assign
certificates to Exchange Server services.
Configure client-specific message size limits
8/23/2019 • 7 minutes to read • Edit Online
In Exchange Server, there are several different message size limits that apply to messages as they travel through
your organization. For more information, see Message size limits in Exchange Server.
However, there are client-specific message size limits you can configure for Outlook on the web (fornerly known
as Outlook Web App) and email clients that use Exchange ActiveSync or Exchange Web Services (EWS ). If you
change the Exchange organizational, connector, or user message size limits, you likely need change the limits for
Outlook on the web, ActiveSync, and EWS. These limits are described in the following tables. To change the
message size limit for a specific client type, you need to change all the values that are described in the table.
NOTE
For any message size limit, you need to set a value that's larger than the actual size you want enforced. This accounts for the
Base64 encoding of attachments and other binary data. Base64 encoding increases the size of the message by approximately
33%, so the value you specify should be approximately 33% larger than the actual message size you want enforced. For
example, if you specify a maximum message size value of 64 MB, you can expect a realistic maximum message size of
approximately 48 MB.
ActiveSync
SERVICES CONFIGURATION FILE KEYS AND DEFAULT VALUES SIZE
Backend %ExchangeInstallPath%ClientAccess\Sync\web.config
maxRequestLength="10240" kilobytes
Backend %ExchangeInstallPath%ClientAccess\Sync\web.config
<add bytes
key="MaxDocumentDataSize"
value="10240000">
Backend 14 instances of
%ExchangeInstallPath%ClientAccess\exchweb\ews\web.config bytes
maxReceivedMessageSize="67108864"
(for different combinations
of http/https bindings and
authentication methods)
Backend %ExchangeInstallPath%ClientAccess\Owa\web.config
maxRequestLength="35000" kilobytes
Backend 2 instances of
%ExchangeInstallPath%ClientAccess\Owa\web.config bytes
maxReceivedMessageSize="35000000"
(for http and https bindings)
Backend 2 instances of
%ExchangeInstallPath%ClientAccess\Owa\web.config bytes
maxStringContentLength="35000000"
(for http and https bindings)
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Notepad %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config
Notepad %ExchangeInstallPath%FrontEnd\HttpProxy\ews\web.config
2. Find the relevant keys in the appropriate web.config files as described in the tables earlier in the topic. For
example, for EWS clients, find the maxAllowedContentLength key in the Client Access and backend
web.config files and all 14 instances of the value maxReceivedMessageSize="67108864" in the backend
web.config file.
For example, to allow a Base64 encoded maximum message size of approximately 64 MB, change all
instances of 67108864 to 89478486 (64*4/3*1048756):
Run the following commands from an elevated command prompt (a Command Prompt window you
open by selecting Run as administrator):
The Availability service makes free/busy information available to Outlook and Outlook on the web (formerly
known as Outlook Web App) clients. The Availability service improves information workers' calendaring and
meeting scheduling experience by providing secure, consistent, and up-to-date free/busy information.
Outlook and Outlook on the web use the Availability service to perform the following tasks:
Retrieve current free/busy information for Exchange mailboxes
Retrieve current free/busy information from other Exchange organizations
Retrieve published free/busy information from public folders for mailboxes on previous versions of
Exchange
View attendee working hours
Show meeting time suggestions
Outlook 2010 or later Exchange 2010 or later Exchange 2010 or later The Availability service reads
free/busy information from
the target mailbox.
SOURCE MAILBOX RETRIEVING FREE/BUSY RETRIEVAL
CLIENT FREE/BUSY INFORMATION TARGET MAILBOX METHOD
Outlook on the web or Exchange 2010 or later Exchange 2010 or later Outlook on the web or
Outlook Web App Outlook Web App calls the
Availability service API, which
reads the free/busy
information from the target
mailbox.
Configure the Availability service for cross-forest
topologies
8/23/2019 • 4 minutes to read • Edit Online
The Availability service improves information workers' free/busy information by providing secure, consistent, and
up-to-date free/busy information to clients that are running Outlook. By default, this service is installed with
Exchange Server. In cross-forest topologies where all connecting clients are running Outlook, the Availability
service is the only method of retrieving free/busy information. You can use the Exchange Management Shell to
configure the Availability service for cross-forest topologies.
NOTE
You can't use the Exchange admin center (EAC) to configure the Availability service for cross-forest topologies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example defines the free/busy access method that the Availability service uses on the local Mailbox server in
the source forest. The local Mailbox server is configured to access free/busy information from the forest
ContosoForest.com on a per-user basis. This example uses the service account to retrieve free/busy information.
NOTE
To configure bidirectional cross-forest availability, repeat these steps in the Exchange Management Shell for the target forest.
If you choose to configure cross-forest availability with trust, and also choose to use a service account (instead of
specifying organization-wide or per-user credentials), you must extend permissions as shown in the example in the
next section, "Use the Exchange Management Shell to configure trusted cross-forest availability with a service
account." Performing that procedure in the target forest gives Mailbox servers in the source forest permission to
serialize the original user context.
For detailed information about syntax and parameters, see the following topics:
Get-MailboxServer
Add-ADPermission
Add-AvailabilityAddressSpace
Set-AvailabilityConfig
This example adds the Availability address space configuration object for the source forest, and you're prompted to
enter the credentials for organization-wide user in Contoso.com domain.
This topic contains links to topics and information about planning for and then deploying Exchange Server 2016
or Exchange Server 2019.
IMPORTANT
Make sure you read the Release notes for Exchange Server topics before you begin your deployment. The release notes
contain important information on issues you might encounter during and after your deployment.
IMPORTANT
See the Establish an Exchange 2016 or Exchange 2019 test environment section later in this topic for information about
installing Exchange 2019 in a test environment.
Exchange architecture
Learn about the Mailbox and Edge Transport server roles and more in Exchange.
Understand the system requirements that need to be satisfied in your organization before you can install
Exchange.
Learn about the Windows Server features and the other software that needs to be installed for a successful
installation of Exchange.
Use this tool to generate a customized checklist for planning, installing, or upgrading Exchange. Guidance is
available for multiple scenarios, including an on-premises, hybrid, or cloud deployment.
Active Directory
Learn about how Exchange uses Active Directory and how your Active Directory deployment affects your
Exchange deployment.
Learn about the built-in antispam and antimalware protection options in Exchange.
Exchange Server Hybrid Deployments
Learn about planning a hybrid deployment with Microsoft Office 365 and your on-premises Exchange
organization.
Learn about the application programming interfaces (APIs) that are available for applications that use
Exchange 2019.
Learn about the steps you need to take to prepare your Active Directory forest for Exchange 2019 and the
changes Exchange makes to your forest.
Learn about using the unattended setup at the command line to install, remove, update, and recover
Exchange servers.
Install Exchange Edge Transport servers using the Setup wizard
Learn about using the Setup wizard to install Edge Transport servers in a perimeter network.
Learn about finding and installing the latest Cumulative Update (CU ) for the Exchange servers in your
organization.
Read this topic for information that will help you deploy Exchange in an existing hybrid deployment.
Exchange Setup
You can use different types and modes of Exchange Setup to install and maintain the various editions and
versions of Exchange.
Exchange editions and versions
Exchange is available in two server editions: Standard Edition and Enterprise Edition. The edition you install is
defined by your product key (the only available download can install both versions). For more information, see
Exchange Server Licensing.
Types of Exchange Setup
You have the following options for Exchange Setup:
Exchange Setup wizard: Running Setup.exe without any command line switches provides an interactive
experience where you're guided by the Exchange 2019 Setup wizard.
Exchange unattended setup: Running Setup.exe with command line switches enables you to install
Exchange from an interactive command line or through a script.
Modes of Exchange Setup
Exchange setup includes the following modes:
Install: Install a new server role (Mailbox server, Edge Transport server, or Management tools). This mode
is available in the Exchange Setup wizard and unattended setup.
Uninstall: Remove the Exchange installation from a computer. You can use this mode from both the
Exchange Setup wizard and unattended setup.
Upgrade: Install a CU on an existing Exchange server. You can use this mode from both the Exchange
Setup wizard and unattended setup.
NOTE
Exchange doesn't support in-place upgrades from previous versions. This mode is used only to install CUs.
RecoverServer: You need to recover data from the Exchange server after a catastrophic failure. To do this,
you install a new Windows server with the same FQDN as the failed server (for example,
mailbox01.contoso.com), and then run Exchange Setup with the /Mode:RecoverServer switch without
specifying the Exchange server roles to restore.
Setup detects the Exchange server object in Active Directory and installs the corresponding files and
configuration automatically. After you recover the server, you can restore databases and reconfigure any
additional settings. To run in RecoverServer mode:
Exchange can't be already installed on the server.
The Exchange server object must exist in Active Directory.
You can only use unattended setup.
NOTE
You must complete one mode of Setup before you can use another mode.
Exchange Server system requirements
8/23/2019 • 13 minutes to read • Edit Online
Before you install Exchange Server 2019, we recommend that you review this topic to ensure your network,
hardware, software, clients, and other elements meet the requirements for Exchange 2019. Also, make sure you
understand the coexistence scenarios that are supported for Exchange 2019 and earlier versions of Exchange.
To actually install Exchange 2019, see Deploy new installations of Exchange.
Exchange 2016 Supported with Exchange 2016 CU11 or later on all Exchange
2016 servers in the organization, including Edge Transport
servers.
Mixed Exchange 2013 and Exchange 2016 organization Supported if all Exchange 2013 and Exchange 2016 servers in
the organization meet the requirements as previously
described in this table.
COMPONENT REQUIREMENT
Domain controllers All domain controllers in the forest need to be running one of
the following versions of Windows Server:
• Windows Server 2019 Standard or Datacenter
• Windows Server 2016 Standard or Datacenter
• Windows Server 2012 R2 Standard or Datacenter
Active Directory forest The Active Directory forest functional level is Windows
Server 2012 R2 or higher.
COMPONENT REQUIREMENT
Active Directory site The Active Directory site where you install the Exchange
Server must contain at least one writeable domain controller
that's also a global catalog server, or the installation will fail.
Furthermore, you can't install the Exchange server and then
remove the domain controller from the Active Directory site.
IPv6 Exchange 2013 and later support IPv6 only when IPv4 is also
installed and enabled on the Exchange server.
If you deploy Exchange in this configuration, and your
network supports IPv4 and IPv6, all Exchange servers can
send data to and receive data from devices, servers, and
clients that use IPv6 addresses. For more information, see
IPv6 Support in Exchange 2013.
Processor Either of the following types of 64-bit See the Supported operating systems
processors: for Exchange 2019 section later in this
• Intel processor that supports Intel 64 topic for supported operating systems.
architecture (formerly known as Intel
EM64T).
• AMD processor that supports the
AMD64 platform.
Notes:
• Intel Itanium IA64 processors are not
supported.
• Recommended supported processor
sockets is up to 2 on physical
machines.
COMPONENT REQUIREMENT NOTES
Memory Varies by Exchange server role: Exchange 2019 has large memory
• Mailbox: 128 GB minimum support (up to 256 GB).
recommended
• Edge Transport: 64 GB minimum
recommended.
Paging file size Set the paging file minimum and None
maximum value to the same size: 25%
of installed memory.
Mailbox and Edge Transport server roles Windows Server 2019 Standard or Datacenter
Notes:
Installing Exchange 2019 on a computer that's running Windows Server Core is fully supported and
recommended. The Desktop Experience feature is no longer required.
Installing Exchange 2019 on a computer that's running Nano Server isn't supported.
Supported Powershell versions for Exchange 2019 servers
Exchange 2019 servers support the version of PowerShell that's included in the release of Windows Server
where Exchange is installed. Don't install stand-alone downloads of WMF or PowerShell on Exchange servers.
Installing other software on Exchange 2019 servers
We don't support installing Office client or Office server software on Exchange servers (for example, SharePoint
Server, Skype for Business Server, Office Online Server, or Project Server). Other software that you want to
install on an Exchange 2019 server needs to be designed to run on the same computer as Exchange Server.
IMPORTANT
• Releases of .NET Framework that aren't listed in the table below aren't supported on any release of Exchange
2019. This includes minor and patch-level releases of .NET Framework.
IMPORTANT
You need KB3140245 to apply registry keys to enable TLS 1.1 & 1.2 support for Windows 7, otherwise Outlook 2013 and
2016 will not work on Windows 7.
Exchange 2010 Supported with Update Rollup 11 for Exchange 2010 SP3 or
later on all Exchange 2010 servers in the organization,
including Edge Transport servers.
Mixed Exchange 2010 and Exchange 2013 organization Supported with the following minimum versions of Exchange:
• Update Rollup 11 Exchange 2010 SP3 or later on all
Exchange 2010 servers in the organization, including Edge
Transport servers.
• Exchange 2013 Cumulative Update 10 or later on all
Exchange 2013 servers in the organization, including Edge
Transport servers.
COMPONENT REQUIREMENT
Domain controllers All domain controllers in the forest need to be running one of
the following versions of Windows Server:
• Windows Server 2019 Standard or Datacenter
• Windows Server 2016 Standard or Datacenter
• Windows Server 2012 R2 Standard or Datacenter
• Windows Server 2012 Standard or Datacenter
• Windows Server 2008 R2 Standard or Enterprise
• Windows Server 2008 R2 Datacenter RTM or later
Active Directory forest The Active Directory forest functional level is Windows Server
2008 R2 or higher.
Active Directory site • The Active Directory site where you install the Exchange
Server must contain at least one writeable domain controller
that's also a global catalog server, or the installation will fail.
• You can't install the Exchange server and then remove the
domain controller from the Active Directory site.
COMPONENT REQUIREMENT
DNS namespace support Exchange 2016 supports the following domain name system
(DNS) namespaces:
• Contiguous
• Noncontiguous
• Single label domains
• Disjoint
For more information about DNS namespaces supported by
Exchange, see Microsoft Knowledge Base article 2269838,
Microsoft Exchange compatibility with Single Label Domains,
Disjoined Namespaces, and Discontiguous Namespaces.
IPv6 support In Exchange 2016, IPv6 is supported only when IPv4 is also
installed and enabled. If Exchange 2016 is deployed in this
configuration, and the network supports IPv4 and IPv6, all
Exchange servers can send data to and receive data from
devices, servers, and clients that use IPv6 addresses. For
more information, see IPv6 Support in Exchange 2013.
NOTE
In multi-domain environments, on Windows Server 2008 domain controllers that have the Active Directory language locale
set to Japanese (ja-jp), your servers may not receive some attributes that are stored on an object during inbound
replication. For more information, see KB949189.
Processor Either of the following types of 64-bit For more information, see Sizing
processors: Exchange 2016 Deployments.
• Intel processor that supports Intel 64 See the Supported operating systems
architecture (formerly known as Intel for Exchange 2016 section later in this
EM64T). topic for supported operating systems.
• AMD processor that supports the
AMD64 platform.
Memory Varies by Exchange server role: For more information, see Sizing
• Mailbox: 8 GB minimum. Exchange 2016 Deployments.
• Edge Transport: 4 GB minimum.
Paging file size Set the paging file minimum and None
maximum value to the same size:
• Less than 32 GB of RAM installed:
Physical RAM plus 10MB, up to a
maximum value of 32GB (32,778MB).
• 32 GB of RAM or more installed:
32GB
Disk space • At least 30 GB of free space on the For more information, see Sizing
drive where you're installing Exchange, Exchange 2016 Deployments.
plus an additional 500 MB for each
Unified Messaging (UM) language pack
that you plan to install.
• At least 200 MB of free space on the
System drive.
• At least 500 MB of free space on the
drive that contains the message queue
database.
COMPONENT REQUIREMENT
Mailbox and Edge Transport server roles • Windows Server 2016 Standard or Datacenter*
• Windows Server 2012 R2 Standard or Datacenter
• Windows Server 2012 Standard or Datacenter
IMPORTANT
• Releases of .NET Framework that aren't listed in the table below are not supported on any release of Exchange
2016. This includes minor and patch-level releases of .NET Framework.
TIP
Looking for Exchange 2013 prerequisites? See Exchange 2013 prerequisites.
This topic provides the steps for installing the necessary Windows Server operating system prerequisites for
Exchange Server 2016 and Exchange Server 2019 Mailbox servers and Edge Transport servers, and also the
Windows prerequisites for installing the Exchange Management Tools on Windows client computers.
After you've prepared your environment for Exchange Server, use the Exchange Deployment Assistant for the
next steps in your actual deployment. For information on hybrid deployments, see Exchange Server Hybrid
Deployments.
TIP
Have you heard about the Exchange Server Deployment Assistant? It's a free online tool that helps you quickly deploy
Exchange Server in your organization by asking you a few questions and creating a customized deployment checklist just
for you. If you want to learn more about it, go to Microsoft Exchange Server Deployment Assistant.
To actually install Exchange 2016 and Exchange 2019, see Deploy new installations of Exchange.
NOTE
You can't upgrade Windows from one version to another, or from Standard to Datacenter, when Exchange is installed on
the server.
Verify the Supported operating systems for Exchange 2019 or Supported operating systems for Exchange
2016.
NOTE
New to Exchange 2019 is the ability to upgrade your operating system to a newer version while Exchange is installed on
Windows Server 2019 or later.
Verify the computer is joined to the appropriate internal Active Directory domain.
Install the latest Windows updates on your computer. For more information, see Deployment Security
Checklist.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
NOTE
• An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
• The Visual C++ Redistributable package is required if you're using the Exchange Setup Wizard to prepare Active
Directory. If you're using unattended Setup from the command line to prepare Active Directory, this package isn't
required. For more information, see Prepare Active Directory and domains.
2. Install the Remote Tools Administration Pack by running the following command in Windows PowerShell:
Install-WindowsFeature RSAT-ADDS
NOTE
Using the Exchange Setup Wizard to prepare Active Directory requires the installation of the Management Tools Exchange
role.
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions
2. Add the required Lync Server or Skype for Business Server components:
a. Install the Server Media Foundation windows feature by executing the following command in Windows
PowerShell:
Install-WindowsFeature Server-Media-Foundation
b. Install Unified Communications Managed API 4.0. This package is available for download and in the
\UCMARedist folder on the Exchange Server media.
NOTE
When installing on Windows Server Core, you must use the installation package located in \UCMARedist on
distributed media.
3. If you aren't going to use Exchange Setup to install the required Windows components (in the wizard or
from the command line), run the one of the following commands in Windows PowerShell:
Desktop Experience:
Server Core:
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
2. If you aren't going to use Exchange Setup to install the required Windows components (in the wizard or
from the command line), run the following command in Windows PowerShell:
Install-WindowsFeature ADLDS
``
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
2. If you aren't going to use Exchange Setup to install the required Windows components (in the wizard or
from the command line), run the following command in Windows PowerShell:
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
2. Install the Remote Tools Administration Pack by running the following command in Windows PowerShell:
Install-WindowsFeature RSAT-ADDS
After you've installed the Remote Tools Administration Pack you can use the computer to prepare Active
Directory. For more information, see Prepare Active Directory and domains.
IMPORTANT
Windows Server 2016 requires Exchange 2016 Cumulative Update 3 or later.
Exchange 2016 Mailbox servers on Windows Server 2016
1. Run the following command in Windows PowerShell to install the required Windows components:
NOTE
• An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
• Only the Mailbox role requires the Visual C++ Redistributable Packages for Visual Studio 2013. Other Exchange
installations (management tools and Edge Transport) only require the Visual C++ Redistributable Packages for
Visual Studio 2012.
Install-WindowsFeature ADLDS
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
NOTE
• An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
• Only the Mailbox role requires the Visual C++ Redistributable Packages for Visual Studio 2013. Installations of
the Exchange management tools and Edge Transport servers only require the Visual C++ Redistributable Packages
for Visual Studio 2012.
Install-WindowsFeature ADLDS
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
2. Run the following command in an elevated Windows PowerShell window (a Windows PowerShell
window you open by selecting Run as administrator):
Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools,IIS-
ManagementScriptingTools,IIS-IIS6ManagementCompatibility,IIS-LegacySnapIn,IIS-ManagementConsole,IIS-
Metabase,IIS-WebServerManagementTools,IIS-WebServerRole
NOTE
An overview of the latest supported versions is available at: Visual C++ Redistributable versions.
3. Run the following command in an elevated Windows PowerShell window (a Windows PowerShell
window you open by selecting Run as administrator):
An optional prerequisite for Exchange 2016 Cumulative Update 1 (CU1) or later, as well as for Exchange 2019, is
the installation of Office Online Server on one or more servers in your organization. Office Online Server enables
users to view supported file attachments within Outlook on the web (formerly known as Outlook Web App)
without downloading them first and without having a local installation of the program. Without Office Online
Server installed, Outlook users need to download attachments to their local computer and then open them in a
local application.
NOTE
Office Online Server is available for download as part of a volume licensing agreement. If you don't have a volume license
agreement, you can skip the instructions in this step. However, without Office Online Server installed, Outlook users will
need to download attachments to their local computer to view them; they won't be able to view them in Outlook.
You can configure an Office Online Server endpoint in two places in Exchange 2016 and later: at the organization
level, and at the Mailbox server level. Where you configure the endpoint depends on the size of your organization
and the location of your servers and users.
Organization: There are a couple of reasons why you might configure the Office Online Server endpoint
at the organization level:
Single-server or single-location deployment: You can configure the endpoint at the organization
level if all of your Exchange 2016 Mailbox servers are in the same location and you don't plan on
having geographically distributed Office Online Server servers.
Fallback for large deployments: You can configure endpoint at the organization level as a fallback
if the endpoint configured on a Mailbox server isn't available. If an Office Web Apps server isn't
available, the client will try to connect to the endpoint configured at the organization level.
Notes:
If you have Exchange 2013 servers in your organization, don't configure an endpoint at the
organization level. Doing so will direct Exchange 2013 servers to use the Office Online Server
server. This isn't supported.
Previewing attachments in S/MIME messages in Outlook on the web isn't supported by
Office Online Server.
Mailbox server: If you want to distribute client requests between two or more Office Online Server
servers, if you want to geographically distribute Office Online Server servers, or if you have Exchange
2013 in your organization, configure the endpoints at the Exchange Mailbox server level. When you
configure an endpoint at the server level, mailboxes located on that server will send requests to the
configured Office Online Server server.
If you want users outside of your network to view supported file attachments in Outlook, Office Online Server
needs to be accessible from the Internet. TCP port 443 needs to be opened on your firewall and forwarded to the
Office Online Server server. If you deploy more than one Office Online Server server, each server needs its own
fully qualified domain name (FQDN ). Each server also needs to be accessible from the Internet via TCP port 443.
Office Online Server system requirements
Office Online Server requires the following to install:
Windows Server 2012 R2
Exchange 2016 Cumulative Update 1 (CU1) or later, or Exchange 2019
NOTE
If you're running Windows Server 2016, you will need Exchange 2016 CU3 or later, as detailed in Exchange Server
prerequisites.
3. Reboot the computer after the Windows features have been installed.
NOTE
You can configure different internal and external URLs, but in the next step you'll see that you can only configure
one URL for Exchange. In this case, if you use the internal URL in the next step, this function will only work internally
and external users will get an unexpected error. If you use the external URL, this function will only work for external
users and internal users will get an unexpected error.
Restart-WebAppPool MsExchangeOwaAppPool
Restart-WebAppPool MsExchangeOwaAppPool
Active Directory in Exchange Server organizations
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 and Exchange Server 2019 use Active Directory to store and share directory information
with Windows. Starting with Exchange 2013, we've made some changes to how Exchange works with Active
Directory. These changes are described in this topic.
Exchange Server 2016 and Exchange Server 2019 store all configuration and recipient information in the Active
Directory directory service database. When an Exchange server requires information about recipients the
configuration of the Exchange organization, it queries Active Directory. Active Directory servers must be available
for Exchange to function correctly.
This topic explains how Exchange stores and retrieves information in Active Directory so that you can plan access
to Active Directory. This topic also discusses issues you should be aware of if you try to recover deleted Exchange
Active Directory objects.
IMPORTANT
You can't deploy an Exchange server in any site that contains only read-only directory servers.
Recovery of deleted Exchange objects
Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and
recover accidentally deleted Active Directory objects without restoring Active Directory data from backups,
restarting Active Directory Domain Services (AD DS ), or rebooting domain controllers.
The most important thing to understand about recovering deleted Exchange-related Active Directory objects is
that Exchange objects don't exist in isolation. For example, when you mail-enable a user, several different policies
and links are calculated for the user based on your current Exchange configuration. Two problems that may arise
when you restore a deleted Exchange configuration or recipient object are:
Collisions: Some Exchange attributes must be unique across a forest. For example, all email addresses on a
mail-enabled object (also known as proxy addresses) must be unique. Two different mail-enabled objects
can't have the same email address. Active Directory doesn't enforce proxy address uniqueness (Exchange
administrative tools check for uniqueness). Exchange email address policies also automatically resolve
possible conflicts in proxy address assignment based on deterministic rules. Therefore, restoring an
Exchange user object might create a collision with proxy addresses or other attributes that should be unique.
Misconfigurations: Exchange has automated rules that assign various policies or settings. If you delete a
recipient, and then change the rules or policies, restoring an Exchange user object may result in a user being
assigned to the wrong policy (or even to a policy that no longer exists).
The following guidelines will help you minimize problems or issues when you recover deleted Exchange-related
objects:
If you deleted an Exchange configuration object using Exchange management tools, don't restore the object.
Instead, create the object again using the Exchange management tools (the Exchange admin center or the
Exchange Management Shell).
If you deleted an Exchange configuration object without using the Exchange management tools, recover the
object as soon as possible. The more administrative and configuration changes that are mae after the
deletion, the more likely that restoring the objects will result in misconfiguration.
If you recover deleted Exchange recipients (contacts, users, or distribution groups), monitor closely for
collisions and errors relating to the recovered objects. If Exchange policies or other recipient configuration
settings were modified after the deletion, re-apply the current policies to the restored recipients to ensure
that they're configured correctly.
This reference topic provides a summary of the Active Directory schema changes that are made when you install
Exchange Server 2016 or Exchange Server 2019 in your organization. Refer to the .ldf files for more information
about changes to the Active Directory schema. The .ldf files are located in the \Setup\Data\ directory in the
Exchange installation files.
Exchange schema updates are cumulative. Each Cumulative Update (CU ) includes all of the changes that were
included in previous releases. This means that if you skip a CU, you might still need to apply schema updates even
if the CU that you're installing doesn't include its own changes.
NOTE
The Active Directory schema changes that are described in this topic might not apply to all editions of an Exchange 2019
version. To verify that Active Directory has been successfully prepared, see the Exchange Active Directory versions section in
Prepare Active Directory and domains for Exchange 2019.
Exch-Mapi-Virtual-Directory ntdsSchemaAdd
Exch-Push-Notifications-App ntdsSchemaAdd
ms-Exch-Account-Forest ntdsSchemaAdd
ms-Exch-ActiveSync-Device-Autoblock-Threshold ntdsSchemaAdd
ms-Exch-Auth-Auth-Config ntdsSchemaAdd
ms-Exch-Auth-Auth-Server ntdsSchemaAdd
ms-Exch-Auth-Partner-Application ntdsSchemaAdd
ms-Exch-Auth-Policy ntdsSchemaAdd
ms-Exch-Client-Access-Rule ntdsSchemaModify
ms-Exch-Config-Settings ntdsSchemaAdd
ms-Exch-Encryption-Virtual-Directory ntdsSchemaAdd
ms-Exch-Exchange-Transport-Server ntdsSchemaAdd
ms-Exch-Hosted-Content-Filter-Config ntdsSchemaAdd
ms-Exch-Http-Delivery-Connector ntdsSchemaAdd
ms-Exch-Hygiene-Configuration ntdsSchemaAdd
ms-Exch-Intra-Organization-Connector ntdsSchemaModify
ms-Exch-Mailbox-Policy ntdsSchemaAdd
ms-Exch-Mailflow-Policy ntdsSchemaAdd
ms-Exch-Mailflow-Policy-Collection ntdsSchemaAdd
ms-Exch-Malware-Filter-Config ntdsSchemaAdd
ms-Exch-MSO-Forward-Sync-Divergence ntdsSchemaAdd
ms-Exch-MSO-Sync-Service-Instance ntdsSchemaAdd
CLASS CHANGE
ms-Exch-Organization-Upgrade-Policy ntdsSchemaAdd
ms-Exch-Protocol-Cfg-SIP-Container ntdsSchemaAdd
ms-Exch-Protocol-Cfg-SIP-FE-Server ntdsSchemaAdd
ms-Exch-Resource-Policy ntdsSchemaAdd
ms-Exch-Safe-Attachment-Protection-Config ntdsSchemaAdd
ms-Exch-Smart-Links-Protection-Config ntdsSchemaAdd
ms-Exch-Team-Mailbox-Provisioning-Policy ntdsSchemaAdd
ms-Exch-Throttling-Policy ntdsSchemaModify
ms-Exch-Unified-Policy ntdsSchemaAdd
ms-Exch-Unified-Rule ntdsSchemaAdd
ms-Exch-Workload-Policy ntdsSchemaAdd
ms-DS-GeoCoordinates-Altitude 1
ms-DS-GeoCoordinates-Latitude 1
ms-DS-GeoCoordinates-Longitude 1
ms-Exch-Accepted-Domain-Name 9
ms-Exch-Archive-GUID 9
ms-Exch-Auth-Application-Identifier 1
ATTRIBUTE SEARCH FLAG VALUE
ms-Exch-Auth-Issuer-Name 1
ms-Exch-Bypass-Audit 9
ms-Exch-Data-Encryption-Policy-Link 1
ms-Exch-Default-Public-Folder-Mailbox 19
ms-Exch-Device-Client-Type 1
ms-Exch-Extension-Custom-Attribute-1 1
ms-Exch-Extension-Custom-Attribute-2 1
ms-Exch-Extension-Custom-Attribute-3 1
ms-Exch-Extension-Custom-Attribute-4 1
ms-Exch-Extension-Custom-Attribute-5 1
ms-Exch-Home-MDB-SL 1
ms-Exch-Home-MTA-SL 1
ms-Exch-Is-Dirsync-Status-Pending 1
ms-Exch-Mailbox-Audit-Enable 19
ms-Exch-Mailbox-Database-Transport-Flags 16
ms-Exch-Mailbox-Move-Source-Archive-MDB-Link-SL 1
ms-Exch-Mailbox-Move-Source-MDB-Link-SL 1
ms-Exch-Mailbox-Move-Target-Archive-MDB-Link-SL 1
ms-Exch-Organization-Upgrade-Policy-Link 1
ms-Exch-Organization-Upgrade-Policy-Link-SL 1
ms-Exch-OWA-Set-Photo-URL 16
ms-Exch-Previous-Archive-Database-SL 8
ms-Exch-Previous-Home-MDB-SL 8
ms-Exch-Provisioning-Tags 1
ATTRIBUTE SEARCH FLAG VALUE
ms-Exch-Public-Folder-EntryId 24
ms-Exch-Public-Folder-Mailbox 24
ms-Exch-Public-Folder-Smtp-Address 24
ms-Exch-Recipient-SoftDeleted-Status 27
ms-Exch-Relocate-Tenant-Completion-Target-Vector 8
ms-Exch-Relocate-Tenant-Flags 8
ms-Exch-Relocate-Tenant-Safe-Lockdown-Schedule 8
ms-Exch-Relocate-Tenant-Source-Forest 9
ms-Exch-Relocate-Tenant-Start-Lockdown 8
ms-Exch-Relocate-Tenant-Start-Retired 8
ms-Exch-Relocate-Tenant-Start-Sync 8
ms-Exch-Relocate-Tenant-Status, 9
ms-Exch-Relocate-Tenant-Target-Forest 9
ms-Exch-Relocate-Tenant-Transition-Counter 8
ms-Exch-Sync-Cookie 8
ms-Exch-Team-Mailbox-Expiration 16
ms-Exch-Team-Mailbox-Expiry-Days 16
ms-Exch-Team-Mailbox-Owners 16
ms-Exch-Team-Mailbox-SharePoint-Linked-By 16
ms-Exch-Team-Mailbox-SharePoint-Url 16
ms-Exch-Team-Mailbox-Show-In-Client-List 16
ms-Exch-Transport-Rule-Immutable-Id 1
ms-Exch-When-Soft-Deleted-Time 17
IDENTIFIER VALUES
NOTE
The Active Directory schema changes that are described in this topic might not apply to all editions of an Exchange 2016
version. To verify that Active Directory has been successfully prepared, see the Exchange Active Directory versions section in
Prepare Active Directory and domains for Exchange Server.
CLASS CHANGE
ms-Exch-Http-Delivery-Connector ntdsSchemaAdd
CLASS CHANGE
ms-Exch-Mailbox-Policy ntdsSchemaAdd
ms-Exch-Auth-Policy ntdsSchemaAdd
ms-Exch-Data-Encryption-Policy-Link 1
NOTE
No changes to the Active Directory schema were made between Exchange 2016 Preview and Exchange 2016 RTM.
CLASS CHANGE
Exch-Mapi-Virtual-Directory ntdsSchemaAdd
Exch-Push-Notifications-App ntdsSchemaAdd
ms-Exch-Account-Forest ntdsSchemaAdd
ms-Exch-ActiveSync-Device-Autoblock-Threshold ntdsSchemaAdd
ms-Exch-Auth-Auth-Config ntdsSchemaAdd
ms-Exch-Auth-Auth-Server ntdsSchemaAdd
ms-Exch-Auth-Partner-Application ntdsSchemaAdd
ms-Exch-Client-Access-Rule ntdsSchemaModify
ms-Exch-Config-Settings ntdsSchemaAdd
ms-Exch-Encryption-Virtual-Directory ntdsSchemaAdd
ms-Exch-Exchange-Transport-Server ntdsSchemaAdd
ms-Exch-Hosted-Content-Filter-Config ntdsSchemaAdd
ms-Exch-Hygiene-Configuration ntdsSchemaAdd
ms-Exch-Intra-Organization-Connector ntdsSchemaModify
ms-Exch-MSO-Forward-Sync-Divergence ntdsSchemaAdd
ms-Exch-MSO-Sync-Service-Instance ntdsSchemaAdd
ms-Exch-Mailflow-Policy ntdsSchemaAdd
ms-Exch-Mailflow-Policy-Collection ntdsSchemaAdd
ms-Exch-Malware-Filter-Config ntdsSchemaAdd
ms-Exch-Organization-Upgrade-Policy ntdsSchemaAdd
ms-Exch-Protocol-Cfg-SIP-Container ntdsSchemaAdd
ms-Exch-Protocol-Cfg-SIP-FE-Server ntdsSchemaAdd
ms-Exch-Resource-Policy ntdsSchemaAdd
ms-Exch-Safe-Attachment-Protection-Config ntdsSchemaAdd
ms-Exch-Smart-Links-Protection-Config ntdsSchemaAdd
CLASS CHANGE
ms-Exch-Team-Mailbox-Provisioning-Policy ntdsSchemaAdd
ms-Exch-Throttling-Policy ntdsSchemaModify
ms-Exch-Unified-Policy ntdsSchemaAdd
ms-Exch-Unified-Rule ntdsSchemaAdd
ms-Exch-Workload-Policy ntdsSchemaAdd
ms-DS-GeoCoordinates-Altitude 1
ms-DS-GeoCoordinates-Latitude 1
ms-DS-GeoCoordinates-Longitude 1
ms-Exch-Accepted-Domain-Name 9
ms-Exch-Archive-GUID 9
ms-Exch-Auth-Application-Identifier 1
ms-Exch-Auth-Issuer-Name 1
ms-Exch-Bypass-Audit 9
ms-Exch-Default-Public-Folder-Mailbox 19
ms-Exch-Device-Client-Type 1
ms-Exch-Extension-Custom-Attribute-1 1
ms-Exch-Extension-Custom-Attribute-2 1
ms-Exch-Extension-Custom-Attribute-3 1
ms-Exch-Extension-Custom-Attribute-4 1
ms-Exch-Extension-Custom-Attribute-5 1
ms-Exch-Home-MDB-SL 1
ms-Exch-Home-MTA-SL 1
ms-Exch-Is-Dirsync-Status-Pending 1
ms-Exch-Mailbox-Audit-Enable 19
ms-Exch-Mailbox-Database-Transport-Flags 16
ms-Exch-Mailbox-Move-Source-Archive-MDB-Link-SL 1
ATTRIBUTE SEARCH FLAG VALUE
ms-Exch-Mailbox-Move-Source-MDB-Link-SL 1
ms-Exch-Mailbox-Move-Target-Archive-MDB-Link-SL 1
ms-Exch-OWA-Set-Photo-URL 16
ms-Exch-Organization-Upgrade-Policy-Link 1
ms-Exch-Organization-Upgrade-Policy-Link-SL 1
ms-Exch-Previous-Archive-Database-SL 8
ms-Exch-Previous-Home-MDB-SL 8
ms-Exch-Provisioning-Tags 1
ms-Exch-Public-Folder-EntryId 24
ms-Exch-Public-Folder-Mailbox 24
ms-Exch-Public-Folder-Smtp-Address 24
ms-Exch-Recipient-SoftDeleted-Status 27
ms-Exch-Relocate-Tenant-Completion-Target-Vector 8
ms-Exch-Relocate-Tenant-Flags 8
ms-Exch-Relocate-Tenant-Safe-Lockdown-Schedule 8
ms-Exch-Relocate-Tenant-Source-Forest 9
ms-Exch-Relocate-Tenant-Start-Lockdown 8
ms-Exch-Relocate-Tenant-Start-Retired 8
ms-Exch-Relocate-Tenant-Start-Sync 8
ms-Exch-Relocate-Tenant-Status, 9
ms-Exch-Relocate-Tenant-Target-Forest 9
ms-Exch-Relocate-Tenant-Transition-Counter 8
ms-Exch-Sync-Cookie 8
ms-Exch-Team-Mailbox-Expiration 16
ms-Exch-Team-Mailbox-Expiry-Days 16
ATTRIBUTE SEARCH FLAG VALUE
ms-Exch-Team-Mailbox-Owners 16
ms-Exch-Team-Mailbox-SharePoint-Linked-By 16
ms-Exch-Team-Mailbox-SharePoint-Url 16
ms-Exch-Team-Mailbox-Show-In-Client-List 16
ms-Exch-Transport-Rule-Immutable-Id 1
ms-Exch-When-Soft-Deleted-Time 17
IDENTIFIER VALUES
When you install Exchange Server 2016 or Exchange Server 2019, changes are made to your Active Directory
forest and domains to store information about the Exchange servers, mailboxes, and other Exchange-related
objects in your organization.
Three steps are required to prepare Active Directory for Exchange:
1. Extend the Active Directory schema
2. Prepare Active Directory containers, objects, and other items
3. Prepare Active Directory domains
After all three steps are done, your Active Directory forest is ready for Exchange. This topic explains what Exchange
does at each step of Active Directory preparation.
You can make these changes before you install the first Exchange 2016 or Exchange 2019 server in the
organization by running the /PrepareSchema, /PrepareAD, and /PrepareAllDomains or /PrepareDomains
commands using Exchange command line Setup. For instructions, see Prepare Active Directory and domains for
Exchange. Or, these changes are automatically made for you during the installation of the first Exchange server
using the Exchange Setup wizard. For instructions, see Install Exchange Mailbox servers using the Setup wizard.
Exchange uses Active Directory to store information about mailboxes and the configuration of Exchange servers
in the organization. Before you install Exchange Server 2016 or Exchange Server 2019 (even if you have earlier
versions of Exchange installed in your organization), you need to prepare your Active Directory forest and its
domains for the new version of Exchange. There are two ways to do this:
Let the Exchange Setup wizard do it for you: If you don't have a large Active Directory deployment,
and you don't have a separate team that manages Active Directory, we recommend using the Setup
wizard. Your account needs to be a member of both the Schema Admins and Enterprise Admins security
groups. For more information about how to use the Setup wizard, check out Install Exchange Mailbox
servers using the Setup wizard.
Follow the steps in this topic: If you have a large Active Directory deployment, or if a separate team
manages Active Directory, this topic is for you. Following the steps in this topic gives you much more
control over each stage of preparation, and who can do each step. For example, Exchange administrators
might not have the required permissions to extend the Active Directory schema.
For details on new schema classes and attributes that Exchange adds to Active Directory, including those made
by Cumulative Updates (CUs), see Active Directory schema changes in Exchange Server.
For details about what's happening when Active Directory is being prepared for Exchange, see What changes in
Active Directory when Exchange is installed?.
If you aren't familiar with Active Directory forests or domains, check out Active Directory Domain Services
Overview.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
When you extend the Active Directory schema for Exchange, the following requirements apply:
Your account needs to be a member of the Schema Admins and Enterprise Admins security groups. If
you have multiple Active Directory forests, make sure you're logged into the right one.
The computer needs to be a member of the same Active Directory domain and site as the schema master.
If you use the /DomainController:<DomainControllerFQDN> switch, you need to specify the domain
controller that's the schema master.
The only supported way to extend the schema for Exchange is to use Setup.exe with /PrepareSchema,
/PrepareAD, or the Exchange Setup wizard. Other ways of extending the schema aren't supported.
To extend the schema for Exchange, run the following command in a Windows Command Prompt window:
For example, if the Exchange installation files are available on drive E:, run the following command:
After Setup finishes extending the schema, you'll need to wait while Active Directory replicates the changes to
all of your domain controllers before you proceed. To check the progress of the replication, you can use the
repadmin tool in Windows Server. For more information about how to use the repadmin tool, see Repadmin.
This example uses the Exchange installation files on drive E: and names the Exchange organization "Contoso
Corporation".
IMPORTANT
If you have a hybrid deployment configured between your on-premises organization and Exchange Online, add the
/TenantOrganizationConfig switch to the command.
As in Step 1, you'll need to wait while Active Directory replicates the changes from this step to all of your
domain controllers before you proceed, and you can use the repadmin tool to check the progress of the
replication.
The final step is to prepare the Active Directory domain where Exchange servers will be installed or where mail-
enabled users will be located. This step creates additional containers and security groups, and sets the
permissions so Exchange can access them.
If you have multiple domains in your Active Directory forest, you have the following choices in how to prepare
them:
Prepare all domains in the Active Directory forest
Choose the Active Directory domains to prepare
Regardless of the method you choose, wait until Active Directory has finished replicating the changes from Step
2 to all domain controllers before you proceed. Otherwise, you might get an error when you try to prepare the
domains.
Prepare all domains in the Active Directory forest
When you prepare all domains in the Active Directory forest for Exchange, your account needs to be a member
of the Enterprise Admins security group.
To prepare all domains in your Active Directory forest, run the following command in a Windows Command
Prompt window:
For example, if the Exchange installation files are available on drive E:, run the following command:
TIP
You don't need to do this step in the domain where you ran the /PrepareAD command in Step 2, because the
/PrepareAD command has automatically prepared that domain for you.
When you prepare specific domains in your Active Directory forest, the following requirements apply:
You need to prepare every domain where an Exchange server will be installed.
You need to prepare any domain that will contain mail-enabled users, even if the domain won't contain
any Exchange servers.
Your account needs to be a member of the Domain Admins group in the domain that you want to
prepare.
If the domain that you want to prepare was created after you ran /PrepareAD in Step 2, your account
also needs to be a member of the Organization Management role group in Exchange.
To a prepare a specific domain in your Active Directory forest, run the following command in a Windows
Command Prompt window:
Notes:
If the computer is a member of the domain that you want to prepare, you can use the /PrepareDomain
switch by itself. Otherwise, you need to specify the FQDN of the domain.
You need to run this command for each Active Directory domain where you'll install an Exchange server
or where mail-enabled users will be located.
This example uses the Exchange installation files on drive E: to prepare the engineering.corp.contoso.com
domain:
This is the same example, but run on a computer that's a member of the engineering.corp.contoso.com domain:
Never change values in ADSI Edit unless you're told to do so by Microsoft Customer Service and Support.
Changing values in ADSI Edit can cause irreparable damage to your Exchange organization and Active
Directory.
Check the Exchange setup log to verify that Active Directory preparation has completed successfully. For
more information, see Verify an Exchange installation. Note that you can't use the Get-ExchangeServer
cmdlet as described in the topic until you've completed the installation of at least one Exchange Mailbox
server in an Active Directory site.
Before you begin your installation of Exchange Server, see Planning and deployment for important planning
information, and information about system requirements and prerequisites.
The following topics provide information about deploying new installations of Exchange 2019 in your
organization:
Install Exchange Mailbox servers using the Setup wizard
Install Exchange using unattended mode
Install Exchange Edge Transport servers using the Setup wizard
Delegate the installation of Exchange servers
Exchange dev/test environment in Azure
After you've completed your installation, see Exchange post-installation tasks.
Install Exchange Mailbox servers using the Setup
wizard
8/23/2019 • 5 minutes to read • Edit Online
Before you install an Exchange Server 2016 or Exchange Server 2019 Mailbox server, verify the following
prerequisites:
Verify the network, computer hardware, operating system, and software requirements at: Exchange Server
system requirements and Exchange Server prerequisites.
The target server must be a member of an Active Directory domain.
The account that you use to install Exchange requires the following permissions*:
Enterprise Admins group membership: Required if this is the first Exchange server in the
organization.
Schema Admins group membership: Required if you haven't previously extended the Active
Directory schema or prepared Active Directory for Exchange 2016 or Exchange 2019.
Exchange Organization Management role group membership: Required if you've already
prepared the Active Directory domain that will contain the Exchange server, or if other Exchange
servers already exist in the organization.
* Members of the Delegated Setup role group can install Exchange on servers that have already been
provisioned in Active Directory by an Exchange administrator. For more information, see Delegate the
installation of Exchange servers.
Verify that you've read the release notes at Release notes for Exchange Server.
For more information about planning and deploying Exchange, see Planning and deployment for Exchange
Server.
To install the Edge Transport role on a computer, see Install Exchange Edge Transport servers using the Setup
wizard. Note that you can't install the Edge Transport role on a Mailbox server.
After you install Exchange on a server, you must not change the server name. Renaming a server after you've
installed an Exchange server role is not supported.
4. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are
copied to %WinDir%\Temp\ExchangeSetup , but you can confirm the location in the Exchange Setup log at
C:\ExchangeSetupLogs\ExchangeSetup.log .
5. On the Introduction page, we recommend that you visit the Exchange Server deployment planning links
if you haven't already reviewed them. Click Next to continue.
6. On the License Agreement page, review the software license terms, select I accept the terms in the
license agreement, and then click Next to continue.
9. On the Installation Space and Location page, either accept the default installation location (
C:\Program Files\Microsoft\Exchange Server\V15 ), or click Browse to choose a new location. Make sure
that you have enough disk space available in the location where you want to install Exchange. Click Next
to continue.
10. If this is the first Exchange 2016 or Exchange 2019 server in your organization and you haven't already
done the steps in Prepare Active Directory and domains for Exchange, you arrive on the Exchange
Organization page. On this page, configure the following settings:
Specify the name for this Exchange organization: The default value is First Organization, but
you typically use the company name for this value. The organization name is used internally by
Exchange, isn't typically seen by users, doesn't affect the functionality of Exchange, and doesn't
determine what you can use for email addresses.
The organization name can't contain more than 64 characters, and can't be blank.
Valid characters are A to Z, a to z, 0 to 9, hyphen or dash (-), and space, but leading or trailing
spaces aren't allowed.
You can't change the organization name after it's set.
Apply Active Directory split permission security model to the Exchange organization: Most
organizations don't need to select this option. If you need to separate management of Active
Directory security principals and the Exchange configuration, split permissions might work for you.
For more information, click ?.
Click Next to continue.
11. On the Malware Protection Settings page, choose whether you want disable malware scanning.
Malware scanning is enabled by default (the value No is selected). If you disable malware scanning, you
can enable it in the future. Click Next to continue.
12. On the Readiness Checks page, verify that the organization and server role prerequisite checks
completed successfully. If they haven't, the only option on the page is Retry, so you need to resolve the
errors before you can continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors
without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the
computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so
you can continue. Be sure to review any warnings, and then click Install to install Exchange.
13. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
14. On the Setup Completed page, click Finish, and then restart the computer.
Next steps
To verify that you've successfully installed Exchange, see Verify an Exchange installation.
Complete your deployment by performing the tasks provided in Exchange post-installation tasks.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Install Exchange Edge Transport servers using the
Setup wizard
8/23/2019 • 4 minutes to read • Edit Online
Before you install an Exchange Server 2016 or Exchange Server 2019 Edge Transport server, verify the following
prerequisites:
We recommend that you install Edge Transport servers in a perimeter network that's outside of your
organization's internal Active Directory forest. Installing the Edge Transport server role on domain-joined
computers only enables domain management of Windows features and settings. Edge Transport servers
don't directly access Active Directory. Instead, they use Active Directory Lightweight Directory Services (AD
LDS ) to store configuration and recipient information. For more information about the Edge Transport role,
see Edge Transport servers.
Verify the network, computer hardware, operating system, and software requirements at: Exchange Server
system requirements and Exchange Server prerequisites.
Verify the local account on the target computer is a member of the local Administrators group.
Verify that you've read the release notes at Release notes for Exchange Server.
For more information about planning and deploying Exchange, see Planning and deployment for Exchange
Server.
To install the Mailbox role on a computer, see Install Exchange Mailbox servers using the Setup wizard. Note that
you can't install the Edge Transport role on a Mailbox server.
After you install Exchange on a server, you must not change the server name. Renaming a server after you've
installed an Exchange server role is not supported.
4. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are
copied to %WinDir%\Temp\ExchangeSetup , but you can confirm the location in the Exchange Setup log at
C:\ExchangeSetupLogs\ExchangeSetup.log .
5. On the Introduction page, we recommend that you visit the Exchange Server deployment planning links if
you haven't already reviewed them. Click Next to continue.
6. On the License Agreement page, review the software license terms, select I accept the terms in the
license agreement, and then click Next to continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors
without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the
computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so
you can continue. Be sure to review any warnings, and then click Install to install Exchange.
11. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
12. On the Setup Completed page, click Finish, and then restart the computer.
Next steps
To verify that you've successfully installed Exchange, see Verify an Exchange installation.
Complete your deployment by performing the tasks provided in Exchange post-installation tasks.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Use unattended mode in Exchange Setup
8/23/2019 • 14 minutes to read • Edit Online
Running Exchange Setup from the command line allows you to automate the installation of Exchange do and other related tasks on Exchange servers (for example, remove
an existing Exchange server or recover a failed Exchange server).
This topic describes the available command line switches, and provides examples.
For more information about planning for Exchange 2016 or Exchange 2019, see Planning and deployment for Exchange Server.
For information about tasks to complete after installation, see Exchange Server post-installation tasks.
SWITCH DESCRIPTION
/IAcceptExchangeServerLicenseTerms This switch is required in all unattended setup commands (whenever you run Setup.exe with any
additional switches). If you don't use this switch, you'll get an error. To read the license terms,
visit Microsoft License Terms.
/PrepareAD (or /p) Use these switches to extend the Active Directory schema for Exchange, prepare Active
/PrepareSchema (or /ps) Directory for Exchange, and prepare some or all Active Directory domains for Exchange. For
/PrepareDomain:<DomainFQDN> (or /pd:<DomainFQDN>) more information, see Prepare Active Directory and domains for Exchange
/PrepareAllDomains (or /pad)
/NewProvisionedServer[:<ServerName>] (or /nprs[:<ServerName>] The /NewProvisionedServer switch creates the Exchange server object in Active Directory. After
/RemoveProvisionedServer:<ServerName> (or /rprs:<ServerName>) that, a member of the Delegated Setup role group can install Exchange on the server. For more
information, see Delegate the installation of Exchange servers.
The /RemoveProvisionedServer switch removes a provisioned Exchange server object from
Active Directory before Exchange is installed on the server.
/AddUmLanguagePack:<Culture1>,<Culture2>...<CultureN> Note: These switches aren't available in Exchange 2019. They're only available in Exchange
/RemoveUmLanguagePack:<Culture1>,<Culture2>...<CultureN> 2016.
Adds or removes Unified Messaging (UM) language packs from existing Exchange 2016 Mailbox
servers. UM language packs enable callers and Outlook Voice Access users to interact with the
UM system in those languages. You can't add or remove the en-US language pack.
You can install language packs on existing Mailbox servers by using the /AddUmLanguagePack
switch or by running the UMLanguagePack.<Culture>.exe file directly. You can only remove
installed language packs by using the /RemoveUmLanguagePack switch. For more information,
see UM languages, prompts, and greetings.
/ActiveDirectorySplitPermissions: True or False False /Mode:Install /Roles:Mailbox Specifies the Active Directory split
<TrueOrFalse> or /PrepareAD commands for the permissions model when preparing
first Exchange server in the Active Directory. For more
organization. information, see the "Active
Directory split permissions" section
in Understanding split permissions.
/AdamLdapPort: A valid TCP port number 50389 /Mode:Install Specifies a custom LDAP port to
<TCPPortNumber> /Roles:EdgeTransport use for the Active Directory
commands Lightweight Directory Services (AD
LDS) instance on Edge Transport
servers. The value is stored in the
registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\E
.
/AdamSslPort:<TCPPortNumber> A valid TCP port number 50636 /Mode:Install Specifies a custom SSL (TLS) port to
/Roles:EdgeTransport use for the AD LDS instance on
commands Edge Transport servers. The value is
stored in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\E
.
SWITCH VALID VALUES DEFAULT VALUE AVAILABLE WITH DESCRIPTION
/AnswerFile:" The name and location of a text file n/a /Mode:Install /Roles:Mailbox Use this switch to create a text file
<PathAndFileName>" (for example,"D:\Server or that you can use to install
(af:"<PathAndFileName>") data\answer.txt"). /Mode:Install Exchange on multiple computers
/Roles:EdgeTransport with the same settings. You can use
commands the following switches in the
answer file: AdamLdapPort,
AdamSslPort,
CustomerFeedbackEnabled,
DbFilePath, DisableAMFiltering,
DoNotStartTransport,
EnableErrorReporting,
IAcceptExchangeServerLicenseTerm
s, LogFolderPath, Mdbname,
OrganizationName,
TenantOrganizationConfig, and
UpdatesDir. Don't use the forward
slash character ( / ) with the
switches in the answer file. Put each
switch or switch/value pair on one
line in the file.
/CustomerFeedbackEnabled: True or False False /Mode:Install and /PrepareAD Specifies whether to allow or
<TrueOrFalse> commands prevent Exchange from providing
usage feedback to Microsoft to
help improve future Exchange
features. You can enable or disable
error reporting on the server after
setup is complete by using the
ErrorReportingEnabled parameter
on the Set-ExchangeServer
cmdlet.
/DbFilePath:"<Path>\ A folder path and an .edb filename %ExchangeInstallPath%Mailbox\ /Mode:Install /Roles:Mailbox Specifies the location of the first
<FileName>.edb" (for example, "D:\Exchange <DatabaseName>\ commands mailbox database that's created on
Database Files\DB01\db01.edb"). <DatabaseName>.edb where: the new Mailbox server. You can
• <DatabaseName> is Mailbox specify the name of the database
Database <10DigitNumber> that file with the /MdbName switch and
matches the default name of the the location of the database
database or the value you specified transaction log files with the
with the /MdbName switch /LogFolderPath switch.
(without the .edb file name
extension).
• %ExchangeInstallPath% is
%ProgramFiles%\Microsoft\Exc
hange Server\V15\ or the
location you specified with the
/TargetDir switch.
/DomainController: The server name (for example, A randomly-selected domain All /Mode commands (except when Specifies the domain controller that
<ServerNameOrFQDN> DC01) or FQDN (for example, controller in the same Active you're installing an Edge Transport Exchange Setup uses to read from
(/dc:<ServerNameOrFQDN>) dc01.contoso.com) of the domain Directory site as the target server server) or /PrepareAD, and write to Active Directory. The
controller. where you're running Setup. /PrepareSchema, /PrepareDomain domain controller must meet the
and /PrepareAllDomains minimum requirements for
commands Exchange 2016 or Exchange 2019.
If you use this switch in
/PrepareSchema or /PrepareAD
commands that extend the Active
Directory schema for Exchange, you
must specify the schema master;
otherwise, you'll get an error.
/DoNotStartTransport n/a n/a /Mode:Install /Roles:Mailbox , Tells Setup to not start the
/Mode:Install Microsoft Exchange Transport
/Roles:EdgeTransport service (mail flow) on Mailbox
, and /Mode:RecoverServer servers or Edge Transport servers
commands. after Setup is complete. You can
use this switch to configure
additional settings before the
server accepts email messages (for
example, configure antispam
agents or move the queue
database back onto a recovered
Exchange server.)
/InstallWindowsComponents n/a n/a /Mode:Install commands Installs the required Windows roles
and features for the specified
Exchange server role. If a reboot is
required, Setup will resume where
the installation ended.
SWITCH VALID VALUES DEFAULT VALUE AVAILABLE WITH DESCRIPTION
/LogFolderPath:"<Path>" A folder path (for example, %ExchangeInstallPath%Mailbox\ /Mode:Install /Roles:Mailbox Specifies the location of the
"E:\Exchange Database Logs"). <DatabaseName> where: commands transaction log files for the first
• <DatabaseName> is Mailbox mailbox database that's created on
Database <10DigitNumber> that the new Mailbox server. You can
matches the default name of the specify the location of the database
database or the value you specified files with the /DbFilePath switch.
with the /MdbName switch
(without the .edb file name
extension).
• %ExchangeInstallPath% is
%ProgramFiles%\Microsoft\Exc
hange Server\V15\ or the
location you specified with the
/TargetDir switch.
/MdbName:"<FileName>" A database filename without the Mailbox Database /Mode:Install /Roles:Mailbox Specifies the name of the first
.edb extension (for example, <10DigitNumber> (for example, commands mailbox database that's created on
"db01") Mailbox Database 0139595516). the new Mailbox server. You can
specify the location of the database
files with the /DbFilePath switch.
/OrganizationName:" A text string (for example, "Contoso Blank in command line setup; First /Mode:Install /Roles:Mailbox The organization name is used
<Organization Name>" Corporation"). Organization in the Exchange or /PrepareAD commands for the internally by Exchange, isn't
(/on:"<Organization Name>") Setup wizard. first Exchange server in the typically seen by users, doesn't
organization. affect the functionality of Exchange,
and doesn't determine what you
can use for email addresses.
• The organization name can't
contain more than 64 characters,
and can't be blank.
• Valid characters are A to Z, a to z,
0 to 9, hyphen or dash (-), and
space, but leading or trailing spaces
aren't allowed.
• You can't change the organization
name after it's set.
/SourceDir:"<Path>" A folder path (for example, The ServerRoles\UnifiedMessaging /AddUmLanguagePack commands Specifies the location of the
(or /s:"<Path>") "Z:\Exchange). folder on the Exchange installation in Exchange 2016 (not available in language packs (UMLanguagePack.
media. Exchange 2019) <Culture>.exe files) to install on
existing Exchange 2016 Mailbox
servers.
/TargetDir:"<Path>" A folder path (for example, %ProgramFiles%\Microsoft\Exc /Mode:Install and Specifies where to install Exchange
(or /t:"<Path>") "D:\Program hange Server\V15\ /Mode:RecoverServer commands on the server. You can't install
Files\Microsoft\Exchange"). Exchange in the root of a drive (for
example, C:\), or on a ROM drive,
RAM disk, network drive,
removable disk, or unknown drive
type.
When you recover a failed
Exchange server that was installed
using a custom installation path,
you need to use this switch to
specify the custom path during the
recovery.
/TenantOrganizationConfig:" A folder path (for example n/a /Mode:Install or /PrepareAD Required in hybrid deployments
<Path>" "C:\Data") commands. between on-premises organizations
and Office 365 to specify the
location of the text file that
contains the configuration
information for your Office 365
organization. You create this file by
running the Get-
OrganizationConfig cmdlet in
Exchange Online PowerShell in your
Office 365 organization.
/UpdatesDir:"<Path>" A folder path (for example, The Updates folder at the root of /Mode:Install , ,
/Mode:Upgrade Specifies the source location of
(/u:"<Path>") "D:\Downloads\Exchange the Exchange installation media. /Mode:RecoverServer, and updates for Setup to install. You
Updates"). /AddUmLanguagePack commands. can only specify one folder for
updates.
Any UM language packs located in
this folder will be automatically
installed on the target Exchange
2016 Mailbox server.
After you install Exchange on a server, you must not change the server name. Renaming a server after you've installed an Exchange server role is not supported.
For Mailbox servers:
Estimated time to complete: 60 minutes
The target server must be a member of an Active Directory domain.
The account that you use to install Exchange requires the following permissions*:
Enterprise Admins group membership: Required if this is the first Exchange server in the organization.
Schema Admins group membership: Required if you haven't previously extended the Active Directory schema or prepared Active Directory for Exchange
2016 or Exchange 2019.
Exchange Organization Management role group membership: Required if you've already prepared the Active Directory domain that will contain the
Exchange server, or if other Exchange servers already exist in the organization.
*Members of the Delegated Setup role group can install Exchange on servers that have already been provisioned in Active Directory by an Exchange administrator.
For more information, see Delegate the installation of Exchange servers.
For Edge Transport servers:
Estimated time to complete: 40 minutes
We recommend that you install Edge Transport servers in a perimeter network that's outside of your organization's internal Active Directory forest. Installing the
Edge Transport server role on domain-joined computers only enables domain management of Windows features and settings. Edge Transport servers don't
directly access Active Directory. Instead, they use Active Directory Lightweight Directory Services (AD LDS) to store configuration and recipient information. For
more information about the Edge Transport role, see Edge Transport servers.
Verify the local account on the target computer is a member of the local Administrators group on the target server.
You need to configure the primary DNS suffix on the computer. For example, if the fully qualified domain name of your computer is edge.contoso.com, the DNS
suffix for the computer is contoso.com. For more information, see Primary DNS Suffix is missing [ms.exch.setupreadiness.FqdnMissing].
In coexistence scenarios, Exchange 2010 Hub Transport servers need an update before you can subscribe a Exchange 2016 Edge Transport server to an Active
Directory site that contains Exchange 2010 Hub Transport servers. If you don't install this update, the EdgeSync Subscription won't work correctly for Exchange
2010 Hub Transport server that participate in EdgeSync synchronization. For more information, see Supported coexistence scenarios for Exchange 2016.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
For more information, see Prepare Active Directory and domains for Exchange.
Install Mailbox servers in unattended mode
This example installs the first Exchange server (Mailbox server) in the organization, configures "Contoso Corporation" as the Exchange organization name in Active
Directory, and installs the Exchange management tools on the local server.
This example installs the Mailbox server role and the management tools in the default folder on the local server in an organization where Active Directory has already
been prepared for the version of Exchange that's being installed.
This example installs the Mailbox server role and the management tools in the "C:\Exchange Server" folder on the local server.
This example installs the Mailbox server role on the local server by using the settings in the ExchangeConfig.txt file.
This example uses the domain controller named DC01 to read from and write to Active Directory while installing the Mailbox server role and the management tools on
the local server.
This example updates Exchange Setup with patches from the specified folder, and then installs the Mailbox server role and the management tools on the local server. In
Exchange 2016 only, if any UM language packs are located in this folder, the language packs are automatically installed.
This example installs the Edge Transport server role and the management tools in the specified folder on the local server.
Remove provisioned Exchange server objects from Active Directory in unattended mode
This example removes the provisioned Exchange server object named Exchange03 from Active Directory before Exchange is installed on the server (if Exchange was already
installed on the server, the procedure wouldn't work).
NOTE
These procedures aren't available in Exchange 2019.
This example installs the Russian and Spain Spanish language packs on the local Exchange 2016 Mailbox server from the specified folder.
This example uninstalls the Korean UM language pack from the local Exchange 2016 Mailbox server.
Next steps
To verify that you've successfully installed Exchange in unattended mode, see Verify Exchange Server installations.
Complete your deployment by performing the tasks provided in Exchange post-installation tasks.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Delegate the installation of Exchange servers
8/23/2019 • 4 minutes to read • Edit Online
In large companies, people who install and configure new Windows servers often aren't Exchange administrators.
In Exchange 2016 and Exchange 2019, these users can still install Exchange on Windows servers, but only after
an Exchange administrator provisions the Exchange server object in Active Directory. Provisioning an Exchange
server object makes all of the required Active Directory changes independently of the actual installation of
Exchange on a server. An Exchange administrator can provision a new Exchange server object hours or even days
before Exchange is installed.
After an Exchange administrator provisions the Exchange server object, the only requirement for installing
Exchange on the server is membership in the Delegated Setup role group, which allows members to install
Exchange on provisioned servers. If this sounds like something you want to do, then this topic is for you.
If you run the command on the target server, you can use the /NewProvisionedServer switch by itself.
Otherwise, you need to specify the Name of the server to provision.
This example uses the Exchange installation files on drive E: to provision the server Mailbox01:
This example uses the Exchange installation files on drive E: to provision the local server where you're
running the command:
Note: To remove a provisioned Exchange server object from Active Directory before Exchange is installed
on it, replace the /NewProvisionedServer switch with /RemoveProvisionedServer.
4. Add the appropriate users to the Delegated Setup role group so they can install Exchange on the
provisioned server. To add users to a role group, see Add members to a role group. The delegates can use
the procedures in Install Exchange Mailbox servers using the Setup wizard to install Exchange on the
provisioned server.
More information
An Exchange administrator might need to complete the deployment by performing the tasks provided in
Exchange post-installation tasks.
The high-level Active Directory changes that are made when you provision an Exchange server object are
described in the following list:
A server object is created in the CN=Servers,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Organization Name>,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=<Root Domain> configuration partition.
The following access control entries (ACEs) are added to the server object within the configuration
partition for the Delegated Setup role group:
Full Control on the server object and its child objects
Deny access control entry for the Send As extended right
Deny access control entry for the Receive As extended right
Deny CreateChild and DeleteChild permissions for Exchange Public Folder Store objects
Note: Public folders are administered at an organizational level; therefore, the creation and deletion
of public folder stores is restricted to Exchange administrators.
The Active Directory computer account for the server is added to the Exchange Servers group.
The server is added as a provisioned server in the Exchange admin center (EAC ).
Only members of the Organization Management role group in Exchange have the permissions required to make
these changes to Active Directory.
Exchange dev/test environments in Azure
8/23/2019 • 12 minutes to read • Edit Online
This topic steps you through creating an Exchange 2016 or Exchange 2019 dev/test deployment in Microsoft
Azure. Here is the resulting configuration.
This configuration consists of a single Exchange server and a Windows Server Active Directory (AD ) domain
controller in a subnet of an Azure virtual network. This provides a basis and common starting point from which
you can demonstrate Exchange and develop Exchange Server applications. This configuration is only for internal
email and application testing on the Exchange server. No external email flow is configured.
There are three major phases to setting up this dev/test environment:
1. Set up the virtual network and domain controller (adVM ).
2. Add the Exchange server (exVM ).
3. Configure Exchange.
If you don't already have an Azure subscription, you can sign up for an Azure Free Trial. If you have an MSDN or
Visual Studio subscription, see Monthly Azure credit for Visual Studio subscribers.
NOTE
Because Exchange makes changes to the schema in Windows Server AD, this configuration cannot use Azure Active Directory
Domain Services.
NOTE
These commands are for Azure PowerShell 1.0.0 and later. For a text file that contains all the PowerShell commands in this
article, click here.
1. Sign into your Azure account.
Connect-AzAccount
3. Set your Azure subscription with the following commands. Set the $subscr variable by replacing everything
within the quotes, including the < and > characters, with the correct name.
$subscrName="<subscription name>"
Select-AzSubscription -SubscriptionName $subscrName
4. Create a new resource group. To determine a unique resource group name, use this command to list your
existing resource groups.
Create your new resource group with these commands. Set the variables by replacing everything within the
quotes, including the < and > characters, with the correct names.
5. Resource Manager-based virtual machines require a Resource Manager-based storage account. You must
pick a globally unique name for your storage account that contains only lowercase letters and numbers. You
can use this command to list the existing storage accounts.
Use this command to test whether a proposed storage account name is unique.
Create a new storage account for your new test environment with these commands.
6. Create the EXSrvrVnet Azure Virtual Network that will host the EXSrvrSubnet subnet and protect it with a
network security group.
$rgName="<name of your new resource group>"
$locName=(Get-AZResourceGroup -Name $rgName).Location
$exSubnet=New-AZVirtualNetworkSubnetConfig -Name EXSrvrSubnet -AddressPrefix 10.0.0.0/24
New-AZVirtualNetwork -Name EXSrvrVnet -ResourceGroupName $rgName -Location $locName -AddressPrefix
10.0.0.0/16 -Subnet $exSubnet -DNSServer 10.0.0.4
$rule1 = New-AZNetworkSecurityRuleConfig -Name "RDPTraffic" -Description "Allow RDP to all VMs on the
subnet" -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -
SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
$rule2 = New-AZNetworkSecurityRuleConfig -Name "ExchangeSecureWebTraffic" -Description "Allow HTTPS to
the Exchange server" -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 -SourceAddressPrefix
Internet -SourcePortRange * -DestinationAddressPrefix "10.0.0.5/32" -DestinationPortRange 443
New-AZNetworkSecurityGroup -Name EXSrvrSubnet -ResourceGroupName $rgName -Location $locName -
SecurityRules $rule1, $rule2
$vnet=Get-AZVirtualNetwork -ResourceGroupName $rgName -Name EXSrvrVnet
$nsg=Get-AZNetworkSecurityGroup -Name EXSrvrSubnet -ResourceGroupName $rgName
Set-AZVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name EXSrvrSubnet -AddressPrefix "10.0.0.0/24" -
NetworkSecurityGroup $nsg
$vnet | Set-AzVirtualNetwork
7. Create the adVM virtual machine in Azure. adVM is a domain controller for the corp.contoso.com Windows
Server AD domain and a DNS server for the virtual machines of the EXSrvrVnet virtual network.
First, fill in the name of your resource group, Azure location, and storage account name and run these
commands at the Azure PowerShell command prompt on your local computer to create an Azure virtual
machine for adVM.
You will be prompted for a user name and password. This article will refer to this user name as
ADMIN_NAME. Use a strong password and record both in a secure location.
Note: The password that you specify cannot be "pass@word1". It must be between 8-123 characters long
and must satisfy at least 3 of the following password complexity requirements:
Contains an uppercase letter
Contains an lowercase letter
Contains a numeric digit
Contains a special character
It can take a few minutes for Azure to build the virtual machine.
Connect to the domain controller virtual machine using local administrator account credentials
1. In the Azure portal, click Resource Groups > <your resource group name>> adVM > Connect.
2. Run the adVM.rdp file that is downloaded, and then click Connect.
3. In Windows Security, click Use another account. In User name, type **adVM**<ADMIN_NAME>.
4. In Password, type the password of the ADMIN_NAME account, and then click OK.
5. When prompted, click Yes.
6. Add an extra data disk as a new volume with the drive letter F: with these commands at an administrator-
level Windows PowerShell command prompt on adVM.
7. Configure adVM as a domain controller and DNS server for the corp.contoso.com domain. Run these
commands at an administrator-level Windows PowerShell command prompt on adVM.
Add-WindowsFeature RSAT-ADDS-Tools
Connect-AzAccount
You must determine a globally unique DNS name for the exVM virtual machine. You must pick a globally unique
DNS name that contains only lowercase letters and numbers. You can do this with the following PowerShell
commands:
NOTE
This command block uses a standard storage account created in phase 1 to reduce costs for this dev/test environment. For a
production Exchange server, you must use a premium storage account.
From the Azure portal, connect to the exVM virtual machine using the credentials of the local administrator
account.
Next, join exVM to the Windows AD domain with these commands at a Windows PowerShell prompt.
Note that you must supply domain account credentials after entering the Add-Computer command. Use the
CORP\<ADMIN_NAME> account and password.
Here is the result of Phase 2.
Phase 3: Configure Exchange
In this phase, you configure Exchange on exVM and test mail delivery between two mailboxes.
Prepare Windows Server AD
1. At the PowerShell command prompt on your local computer, run the following command:
2. Note or copy the full DNS name from the display of the command. This is the Internet DNS name of the
exVM virtual machine. You will need this value later.
3. If needed, connect to the adVM virtual machine with the Azure portal using the CORP\<ADMIN_NAME>
account and password.
4. From the Start screen of adVM, type Active Directory, and then click Active Directory Domains and
Trusts.
5. Right-click Active Directory Domains and Trusts, and then click Properties.
6. In Alternative UPN suffixes, type or copy the Internet DNS name of the exVM virtual machine from step
2, click Add, and then click OK.
7. Close the remote desktop session with adVM.
Install Exchange
1. Connect to the exVM virtual machine with the Azure portal using the CORP\<ADMIN_NAME> account
and password.
2. From exVM, open an administrator-level Windows PowerShell command prompt and run the following
commands.
3. Connect to the exVM virtual machine with the Azure portal using the CORP\<ADMIN_NAME> account
and password.
4. From Server Manager, click Local Server. In the Properties for exVM, click On for IE Enhanced Security
Configuration. In Internet Explorer Enhanced Security Configuration, click Off for both
Administrators and Users, and then click OK.
5. From the Start screen, click Internet Explorer, and then download the Unified Communications Managed
API 4.0 Runtime from https://www.microsoft.com/download/details.aspx?id=34992. When prompted, click
Run.
6. When prompted with the Microsoft Unified Communications Managed API 4.0, Runtime Setup, click Next.
7. Click I have read and accept the license terms, and then click Install. On the Installation is Complete
page, click Finish.
8. From Internet Explorer, download the latest version of Exchange. For more information, see Updates for
Exchange Server.
9. Click Save to store the ISO file in the Downloads folder.
10. Click Open Folder, right-click the Exchange ISO file, and then click Mount.
11. From an administrator-level Windows PowerShell command prompt on exVM, run the following:
e:
.\setup.exe /mode:Install /role:Mailbox /OrganizationName:Contoso /IacceptExchangeServerLicenseTerms
Restart-Computer
Wait until Exchange setup completes, which can take some time, and exVM restarts.
Add two mailboxes to the Exchange server
1. Connect to the exVM virtual machine with the Azure portal using the CORP\<ADMIN_NAME> account
and password.
2. From the Start screen, type Exchange, and then click Exchange Management Shell.
3. Copy the following commands to Notepad, insert the Internet DNS name of the exVM virtual machine for
the $dnsName variable, and then copy and paste the resulting commands into the Exchange Management
Shell.
4. Record the password specified in a safe place. Next, run these commands to create two mailboxes.
See also
Troubleshoot outbound SMTP connectivity issues in Azure
Deploy new installations of Exchange
Exchange Server system requirements
Exchange Server
What's new in Exchange Server
Cloud adoption Test Lab Guides (TLGs)
Upgrade Exchange to the latest Cumulative Update
8/23/2019 • 4 minutes to read • Edit Online
If you have Exchange Server 2016 or Exchange Server 2019 installed, you can upgrade the Exchange servers to
the latest Cumulative Update (CU ). Because each CU is a full installation of Exchange that includes updates and
changes from all previous CU's, you don't need to install any previous CU's or Exchange 2016 RTM or Exchange
2019 RTM first. For more information about the latest available Exchange CUs, see Updates for Exchange Server.
Cau t i on
After you upgrade Exchange to a newer CU, you can't uninstall the new version to revert to the previous version.
Uninstalling the new version completely removes Exchange from the server.
Any customized Exchange or Internet Information Server (IIS ) settings that you made in Exchange XML
application configuration files on the Exchange server (for example, web.config files or the
EdgeTransport.exe.config file) will be overwritten when you install an Exchange CU. Be sure save this
information so you can easily re-apply the settings after the install. After you install the Exchange CU, you
need to re-configure these settings.
After you install an Exchange CU, you need to restart the computer so that changes can be made to the
registry and operating system.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Best Practices
Always keep your servers as up to date as possible. This especially applies to the installation of a new
server.
Always install the latest Cumulative Update when creating a new server.
There is no need to install the RTM build or previous builds and then upgrade to the latest Cumulative
Update. This is because each Cumulative Update is a full build of the product.
Reboot the server beforehand.
Test the new update in a non-production environment first to avoid any problems in the new update
affecting the running production environment.
Have a tested and working backup of both the Active Directory and your Exchange Server.
Backup any and all customizations. They will not survive the update.
Use an elevated command prompt to run the Cumulative Update.
Temporarily disable any anti-virus software during the update process.
Reboot your server upon completion of the update.
4. The Copying Files page shows the progress of copying files to the local hard drive. Typically, the files are
copied to %WinDir%\Temp\ExchangeSetup , but you can confirm the location in the Exchange Setup log at
C:\ExchangeSetupLogs\ExchangeSetup.log .
5. The Upgrade page shows that Setup detected the existing installation of Exchange, so you're upgrading
Exchange on the server (not installing a new Exchange server). Click Next to continue.
6. On the License Agreement page, review the software license terms, select I accept the terms in the
license agreement, and then click Next to continue.
7. On the Readiness Checks page, verify that the prerequisite checks completed successfully. If they haven't,
the only option on the page is Retry, so you need to resolve the errors before you can continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors
without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the
computer, you need to start over at Step 1.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so
you can continue. Be sure to review any warnings, and then click Install to install Exchange.
8. On the Setup Progress page, a progress bar indicates how the installation is proceeding.
9. On the Setup Completed page, click Finish, and then restart the computer.
Notes:
The optional /DomainController switch specifies the domain controller that Setup uses to read from an
write to Active Directory.
The optional /EnableErrorReporting switch enables Setup to automatically submit critical error reports to
Microsoft. Microsoft uses this information to diagnose problems and provide solutions.
This example uses the Exchange CU files on drive E: to install the CU on the local server, and uses the domain
controller dc01.contoso.com to read from and write to Active Directory.
For more information about unattended Setup from the command line, see Install Exchange using unattended
mode.
The Exchange Server supportability matrix provides a central source for Exchange administrators to easily locate
information about the level of support available for any configuration or required component for supported
versions of Microsoft Exchange Server.
Release model
The following table identifies the release model for each supported version of Exchange. The release model is
identified by a check mark ( ).
In Exchange Server 2010 and earlier, each update rollup package (RU ) is cumulative with regard to the whole
product. When you apply an RU to Exchange Server 2010, you apply all the fixes in that update rollup package, and
all the fixes in each earlier update rollup package. When an update or a hotfix is created for Exchange 2010 or
earlier, one or more of the binary files included in the update or included in the hotfix are cumulative. They are
cumulative in regard to the contents of the files, not in regard to the whole Exchange product. For more
information, see Exchange 2010 Servicing.
In Exchange Server 2013 or later, we changed the way we deliver hotfixes and service packs by using a scheduled
delivery model. In this model, cumulative updates (CUs) are released quarterly (every three months). A CU is
released as a full, self-contained refresh of that version of Exchange, similar to a product upgrade or a service pack
release. For more information, see Updates for Exchange Server.
SERVICING RELEASE
MODEL EXCHANGE 2019 EXCHANGE 2016 EXCHANGE 2013 EXCHANGE 2010
Cumulative updates
(CUs)
Security hotfixes
delivered separately
Support lifecycle
For more information about the support lifecycle for a specific version of Exchange, or of the Microsoft Windows
server or client operating systems, see the Microsoft Support Lifecycle page. For more information about the
Microsoft Support Lifecycle, see the Microsoft Support Lifecycle Policy FAQ.
IMPORTANT
Releases of Windows Server and Windows client that aren't listed in the tables below are not supported for use with any
version or release of Exchange.
SERVER
OPERATING EXCHANGE 2016 EXCHANGE 2016 EXCHANGE 2013 EXCHANGE 2010
SYSTEM EXCHANGE 2019 CU3 AND LATER CU2 AND EARLIER SP1 AND LATER SP3
Windows Server
2019
Windows Server
2016
Windows Server
2012 R2
Windows Server
2012
Windows Server
2008 R2 SP1
Windows Server
2008 SP2
NOTE
Client operating systems only support the Exchange management tools.
Windows 10
Windows 8.1
Windows 8
CLIENT OPERATING EXCHANGE 2016 CU3 EXCHANGE 2013 SP1
SYSTEM EXCHANGE 2019 AND LATER AND LATER EXCHANGE 2010 SP3
Windows 7 SP1
Windows
Server
2019
Active
Directory
servers
Windows
Server
2016
Active
Directory
servers
Windows
Server
2012 R2
Active
Directory
servers
Windows
Server
2012
Active
Directory
servers
Windows
Server
2008 R2
SP1
Active
Directory
servers
OPERATIN EXCHANGE EXCHANGE EXCHANGE EXCHANGE EXCHANGE EXCHANGE
G SYSTEM 2016 CU12 2016 CU7 EXCHANGE 2016 CU2 2013 SP1 2010 SP3 2010 SP3
ENVIRON EXCHANGE AND AND 2016 CU3 AND AND RU22 OR RU5 -
MENT 2019 LATER LATER TO CU6 EARLIER LATER LATER RU21
Windows
Server
2008 SP2
Active
Directory
servers
Windows
Server
2003 SP2
Active
Directory
servers
EXCHANGE EXCHANGE
AD FOREST EXCHANGE EXCHANGE 2016 CU2 EXCHANGE 2010 SP3 EXCHANGE
FUNCTIONAL EXCHANGE 2016 CU7 2016 CU3 TO AND 2013 SP1 RU22 OR 2010 SP3
LEVEL 2019 AND LATER CU6 EARLIER AND LATER LATER RU5 - RU21
Windows
Server 2016
Windows
Server 2012
R2
Windows
Server 2012
Windows
Server 2008
R2
Windows
Server 2008
Windows
Server 2003
Web browsers supported for use with the premium version of Outlook
Web App or Outlook on the web
The following table identifies the Web browsers supported for use together with the premium version of Outlook
Web App or Outlook on the web. Supported browsers are identified by a check mark ( ).
Internet Explorer 11
Internet Explorer 10
Internet Explorer 9
Internet Explorer 8
Internet Explorer 7
Firefox 12 or later
Chrome 3.0.195 or
later
Chrome 18 or later
* Current release of Firefox or Chrome means the latest version or the immediately previous version.
Web browsers supported for use with the basic version of Outlook Web
App or Outlook on the web
The following table identifies the Web browsers supported for use together with the light (basic) version of
Outlook Web App or Outlook on the web. Supported browsers are identified by a check mark ( ).
NOTE
Outlook Web App Basic (Outlook Web App Light) is supported for use in mobile browsers. However, if rendering or
authentication issues occur in a mobile browser, determine whether the issue can be reproduced by using Outlook Web App
Light in the full client of a supported browser. For example, test the use of Outlook Web App Light in Safari, Chrome, or
Internet Explorer. If the issue can't be reproduced in the full client, we recommend that you contact the mobile device vendor
for help. In these cases, we collaborate with the vendor as appropriate.
BROWSER EXCHANGE 2019 EXCHANGE 2016 EXCHANGE 2013 EXCHANGE 2010 SP3
Microsoft Edge
Internet Explorer 11
Internet Explorer 10
Internet Explorer 9
Internet Explorer 8
Internet Explorer 7
Opera
* Current release of Firefox or Chrome means the latest version or the immediately previous version.
Web browsers supported for use of S/MIME with Outlook Web App or
Outlook on the web
The following table identifies the Web browsers supported for the use of S/MIME together with Outlook Web App
or Outlook on the web. Supported browsers are identified by a check mark ( ).
Microsoft Edge
Internet Explorer 11
Internet Explorer 10
Internet Explorer 9
Internet Explorer 8
Internet Explorer 7
Clients
The following tables identify the mail clients that are supported for use together with each version of Exchange.
Supported clients are identified by a check mark ( ).
Outlook 2019
Outlook 2016 1 1
Outlook 2013 1 1
Outlook 2010 1 2
Outlook 2007 3
Entourage 2008 4 4 4
(EWS)
1 Supported with the latest Office service pack and public updates.
2 Requires Outlook 2010 Service Pack 1 and the latest public update.
3 Requires Outlook 2007 Service Pack 3 and the latest public update.
4 EWS only. There is no DAV support for Exchange 2010.
Windows Mobile 10
Windows Phone 8
Windows Phone 7
Tools
The following table identifies the version of Microsoft Exchange that can be used together with the Microsoft
Exchange Inter-Organization Replication tool (Exscfg.exe; Exssrv.exe). The tool is used to replicate public folder
information (including free/busy information) between Exchange organizations. For more information, see
Microsoft Exchange Server Inter-Organization Replication. Supported versions are identified by a check mark ( ).
EXCHANGE 2013 SP1
TOOL EXCHANGE 2019 EXCHANGE 2016 AND LATER EXCHANGE 2010 SP3
Inter-Organization
Replication tool
IMPORTANT
• Versions of .NET Framework that aren't listed in the tables below are not supported on any version or release of
Exchange. This includes minor and patch-level releases of .NET Framework.
• When upgrading Exchange from an unsupported CU to the current CU and no intermediate CUs are available, you should
first upgrade to the latest version of .NET that's supported by Exchange and then immediately upgrade to the current CU.
This method doesn't replace the need to keep your Exchange servers up to date and on the latest supported CU. Microsoft
makes no claim that an upgrade failure will not occur using this method, which may result in the need to contact Microsoft
Support Services.
Exchange 2019
.NET FRAMEWORK CU2 RTM, CU1
Exchange 2016
.NET FRAMEWORK CU13 CU11, CU12 CU10 CU8, CU9 CU5, CU6, CU7
.NET Framework
4.8
.NET Framework
4.7.2
.NET Framework
4.7.1
.NET Framework
4.6.2
Exchange 2013
.NET FRAMEWORK CU23 CU21, CU22 CU19, CU20 CU16, CU17, CU18
1 On Windows Server 2012, you need to install the .NET Framework 3.5 before you can use Exchange 2010 SP3.
2 Exchange 2010 uses only the .NET Framework 3.5 and the .NET Framework 3.5 SP1 libraries. It doesn't use the
.NET Framework 4.5 libraries if they're installed on the server. We support the installation of any major or minor
version of the .NET Framework 4.5 (for example, .NET Framework 4.5.1, .NET Framework 4.5.2, etc.) as long as the
.NET Framework 3.5 or the .NET Framework 3.5 SP1 are also installed on the server.
Windows PowerShell
Exchange 2013 or later requires the version of Windows PowerShell that's included in Windows (unless
otherwise specified by an Exchange Setup-enforced prerequisite rule).
Exchange 2010 requires Windows PowerShell 2.0 on all supported versions of Windows.
Exchange does not support the use of Windows Management Framework add-ons on any version of
Windows PowerShell or Windows. If there are other installed versions of Windows PowerShell that support
side-by-side operation, Exchange will use only the version that it requires.
MMC 3.0
Windows Installer
The following table identifies the version of Windows Installer that is used together with each version of Exchange.
Supported versions are identified by a check mark ( ).
EXCHANGE 2013 SP1 AND
WINDOWS INSTALLER EXCHANGE 2016 LATER EXCHANGE 2010 SP3
You can deploy Exchange Server 2016 and Exchange Server 2019 in a virtualized environment. This topic
provides an overview of the scenarios that are supported for deploying Exchange on hardware virtualization
software.
The following terms are used in this discussion of Exchange virtualization:
Cold boot: When bringing a system from a power-off state into a clean start of the operating system, the
action is a cold boot. No operating system state has been persisted in this case.
Saved state: When a virtual machine is powered off, hypervisors typically have the ability to save the state
of the virtual machine, so when the machine is powered back on, it returns to that saved state rather than
going through a cold boot startup.
Planned migration: When a system administrator initiates the move of a virtual machine from one
hypervisor host to another, the action is a planned migration. The action could be a single migration, or a
system administrator could configure automation to move the virtual machine on a timed basis. A planned
migration could also be the result of some other event that occurs in the system, other than hardware or
software failure.
The key point of a planned migration is the Exchange virtual machine is operating normally and needs to
be relocated for some reason. This relocation can be done via technology (for example, Live Migration or
vMotion). However, if the Exchange virtual machine or the hypervisor host where the virtual machine is
located experiences some sort of failure condition, the outcome isn't characterized as a planned migration.
NOTE
Deployment of Exchange 2016 or Exchange 2019 on Infrastructure-as-a-Service (IaaS) providers is
supported if all supportability requirements are met. In the case of providers who are provisioning virtual
machines, these requirements include ensuring that the hypervisor being used for Exchange virtual
machines is fully supported, and that the infrastructure to be utilized by Exchange meets the performance
requirements that were determined during the sizing process. Deployment on Microsoft Azure virtual
machines is supported if all storage volumes used for Exchange databases and database transaction logs
(including transport databases) are configured for Azure Premium Storage.
Exchange 2016 integration with SharePoint Server 2016 and Skype for Business allow for services that provide
the ability to preserve, archive, and then quickly search email, documents, and other content. Together, these
enterprise applications make possible scenarios such as eDiscovery and collaboration using site mailboxes to let
your organization preserve important data. Critical in most organizations these days is the ability to archive and
then locate email and documents as required to meet compliance and regulatory requirements. You can use
Exchange 2016 along with SharePoint 2016 and Skype for Business to:
Archive Exchange mailboxes
Archive Skype for Business content
Preserve SharePoint Server 2016 documents and websites
Search across stores using eDiscovery
Authenticate seamlessly across servers
The eDiscovery Center introduced in SharePoint 2013 provides content identification, preservation, collection,
processing, and analysis. In an Exchange environment, eDiscovery lets you archive content discovered across
SharePoint Server 2016, Skype for Business, andExchange. You can use the eDiscovery Center to create
eDiscovery Case sites that are used to organize in-place holds, queries, and exports for a specific case.
Exchange 2016, SharePoint Server 2016, and Skype for Business Server use the standard protocol, Open
Authorization (OAuth), for server-to-server authentication to provide the cross-product functionality described
here. Using the same protocol allows these applications to seamlessly and securely authenticate to each other. The
authorization method supports authentication as an application by means of a linked account and user
impersonation where the access request is made in the user context. You can learn more about OAuth later in this
article in the Server-to-server authentication using OAuth section.
NOTE
For enterprises that use Lync Server 2013, you can still make full use of the features described in this topic.
SERVER AUTHMETADATAURL
In hybrid deployments, you need to configure OAuth authorization protocol between your on-premises Exchange
2016 and Exchange Online organizations. Hybrid deployments by default continue to use the federation trust
process.
Certain Exchange 2016 features are only fully available across your organization by using the new OAuth protocol.
For example, before you can use In-Place eDiscovery to search on-premises and cloud-based mailboxes in an
Exchange hybrid organization, you need to configure OAuth authentication between your Exchange on-premises
and Exchange Online organizations. The Hybrid Configuration Wizard doesn't manage the OAuth authorization
connection. For more information, see Configure OAuth Authentication Between Exchange and Exchange Online
Organizations.
In online deployments, Exchange Online, SharePoint Online and Skype for Business Online need to be configured
for a modern authentication connection. Modern authentication brings Active Directory Authentication Library
(ADAL )-based sign in to Office 2013 Windows clients. Office 2013 client applications sign in to the Office 365
service to gain access to Exchange Online, SharePoint Online and Skype for Business Online. We recommend that
you enable Exchange Online for modern authentication when enabling modern authentication for Skype for
Business. Modern authentication is enabled by default in SharePoint Online. For more information, see Enable
Exchange Online for modern authentication.
The per service default state of modern authentication is:
Skype for Business Online - OFF by default
Skype for Business Online - OFF by default
SharePoint Online - ON by default.
IMPORTANT
The default Server Auth Certificate created by Exchange 2016 is valid for five years. You need to make sure that the
authorization configuration includes a current certificate.
Exchange 2016 supports partner applications such as SharePoint Server 2016 and Skype for Business Server 2015
by using OAuth configuration with the script, Configure-EnterpriseApplication.ps1 . You can automate the task
using the script to more easily configure authentication with partner applications and reduce configuration errors.
The script performs the following tasks:
1. Configures an Enterprise partner application that self-issues OAuth tokens to successfully authenticate to
Exchange.
2. Assigns Role Based Access Control (RBAC ) roles to the partner application to authorize it for calling specific
Exchange Web Services APIs.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Partner applications - configure" entry in the Sharing and collaboration
permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
If Exchange 2016 also needs to access resources offered by the partner application, you must also configure OAuth
authentication in the partner application.
Read the following topics to help you configure your new Exchange 2016 or Exchange 2016 organization.
TOPIC DESCRIPTION
Enter your Exchange product key Learn how to license your Exchange server.
Configure mail flow and client access on Exchange servers Learn how to configure mail flow to and from the Internet
and configure Exchange to accept client connections from the
Internet.
Verify Exchange Server installations Learn how to verify that Exchange 2016 was installed
successfully in your organization.
Install the Exchange management tools Learn how to install the Exchange Management Shell and
Exchange Toolbox on client workstations or other non-
Exchange servers in your organization.
Configure instant messaging integration with Outlook on the Learn how to configure instant messaging (IM) integration
web in Exchange between Skype for Business Server and Outlook on the web
(formerly known as Outlook Web App)
Change the offline address book generation schedule in Learn how to change the offline address book (OAB)
Exchange generation schedule on specific Exchange servers or for the
whole organization
Configure certificate based authentication in Exchange 2016 Learn how to configure CBA in Exchange 2016 CU1 or later
Note:
If you've enabled the Scripting Agent in your Exchange organization, and you keep a customized
%ExchangeInstallPath%Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml file on all of your Mailbox
servers, you need to copy that file to every new Mailbox server that you deploy in your organization (the file isn't
used on Edge Transport servers).
The default value of %ExchangeInstallationPath% is %ProgramFiles%\Microsoft\Exchange Server\V15,
but the actual value is wherever you installed Exchange on the server.
The default name of the file on a new Exchange server is
%ExchangeInstallPath%Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml.sample. As part of
enabling the Scripting Agent in your organization, you need to rename this file to
ScriptingAgentConfig.xml and customize it or replace it with your existing ScriptingAgentConfig.xml file.
For more information about the Scripting Agent in Exchange 2013 (which still applies to Exchange 2016 and
2019), see Scripting Agent.
Enter your Exchange Server product key
8/23/2019 • 4 minutes to read • Edit Online
A product key tells Exchange Server 2016 or Exchange Server 2019 that you've purchased a Standard or
Enterprise Edition license. If the product key you purchased is for an Enterprise Edition license, it lets you mount
more than five databases per server in addition to everything that's available with a Standard Edition license. If you
want to read more about Exchange licensing, see Exchange Server editions and versions.
If you don't enter a product key, your server is automatically licensed as a trial edition. The trial edition functions
just like an Exchange Standard Edition server and is helpful if you want to try out Exchange before you buy it, or to
run tests in a lab. The only difference is that you can only use an Exchange server licensed as a trial edition for up
to 180 days. If you want to keep using the server beyond 180 days, you'll need to enter a product key or the
Exchange admin center (EAC ) will start to show reminders that you need to enter a product key to license the
server.
Note: If you want to install or activate Office, check out:
Install Office
Need help with your Office product key?
If you want to enter a product key on an older version of Exchange, check out Enter an Exchange 2010 product key.
If you want to enter a product key on an Exchange 2016 or Exchange 2019 server, you're in the right place! Read
on.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. The Exchange server properties window opens. On the General tab, do one of the following steps:
License an unlicensed server: Enter the product key in the Enter a valid product key text boxes.
Change or upgrade the product key on a licensed server: Select Change product key and
enter the product key in the Enter a valid product key text boxes. Note that you'll only see Change
product key if the server is already licensed.
Note that this command works to license an unlicensed server or to upgrade a licensed server from a Standard
Edition license to an Enterprise Edition license.
This example licenses the Exchange server named Mailbox01.
Restart-Service MSExchangeIS
In the Exchange Management Shell, replace <ServerName> with the name of the Exchange server you
licensed, and run the following command to verify the property values:
Get-ExchangeServer <ServerName> | Format-List Name,Edition,*Trial*
In the Exchange Management Shell, run the following command to view the licensing status of all Exchange
servers in your organization:
After you've installed Exchange Server 2016 or Exchange 2019 in your organization, you need to configure
Exchange for mail flow and client access. Without these additional steps, you won't be able to send mail to the
internet and external clients (for example, Microsoft Outlook, and Exchange ActiveSync devices) won't be able to
connect to your Exchange organization.
The steps in this topic assume a basic Exchange deployment with a single Active Directory site and a single simple
mail transport protocol (SMTP ) namespace.
IMPORTANT
This topic uses example values such as Mailbox01, contoso.com, mail.contoso.com, and 172.16.10.11. Replace the example
values with the server names, FQDNs, and IP addresses for your organization.
For additional management tasks related to mail flow and clients and devices, see Mail flow and the transport
pipeline and Clients and mobile.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
IMPORTANT
To receive email from the internet for a domain, you need an MX resource record in your public DNS for that domain. Each
MX record should resolve to the internet-facing server that receives email for your organization.
NOTE
We recommend that you configure a user principal name (UPN) that matches the primary email address of each user. If you
don't provide a UPN that matches the email address of a user, the user will be required to manually provide their
domain\user name or UPN in addition to their email address. If their UPN matches their email address, Outlook on the web
(formerly known as Outlook on the web), ActiveSync, and Outlook will automatically match their email address to their UPN.
Contoso.com MX Mail.contoso.com
FQDN DNS RECORD TYPE VALUE
Mail.contoso.com A 172.16.10.11
ECP https://owa.contoso.com/ecp
EWS https://mail.contoso.com/EWS/Exchange.asmx
Microsoft-Server-ActiveSync https://mail.contoso.com/Microsoft-Server-ActiveSync
OAB https://mail.contoso.com/OAB
OWA https://owa.contoso.com/owa
PowerShell http://mail.contoso.com/PowerShell
To verify that you've successfully configured your public DNS records, do the following steps:
1. Open a command prompt and run nslookup.exe .
2. Change to a DNS server that can query your public DNS zone.
3. In nslookup , look up the record of each FQDN you created. Verify that the value that's returned for each
FQDN is correct.
4. In nslookup , type set type=mx and then look up the accepted domain you added in Step 1. Verify that the
value returned matches the FQDN of the Mailbox server.
$HostName = "Mailbox01"
3. Run each of the following commands in the Exchange Management Shell to configure each internal URL
to match the virtual directory's external URL.
After you've configured the internal URL on the Mailbox server virtual directories, you need to configure your
private DNS records for Outlook on the web and other connectivity. Depending on your configuration, you'll need
to configure your private DNS records to point to the internal or external IP address or FQDN of your Mailbox
server. Examples of recommended DNS records that you should create are described in the following table:
FQDN DNS RECORD TYPE VALUE
ECP https://owa.contoso.com/ecp
EWS https://mail.contoso.com/EWS/Exchange.asmx
Microsoft-Server-ActiveSync https://mail.contoso.com/Microsoft-Server-ActiveSync
OAB https://mail.contoso.com/OAB
OWA https://owa.contoso.com/owa
PowerShell http://mail.contoso.com/PowerShell
To verify that you have successfully configured your private DNS records, do the following:
1. Open a command prompt and run nslookup.exe .
2. Change to a DNS server that can query your private DNS zone.
3. In nslookup , look up the record of each FQDN you created. Verify that the value that's returned for each
FQDN is correct.
Configure different internal and external URLs
1. Open the EAC, and go to Servers > Virtual directories,
2. On the internet-facing Mailbox server, select the virtual directory that you want to configure, and then click
Edit .
3. The virtual directory properties window opens. In the Internal URL field, replace the existing host name
value in the URL (likely, the FQDN of the Mailbox server) with the new value that you want to use (for
example, internal.contoso.com).
For example, in the properties of the Exchange Web Services (EWS ) virtual directory, change the existing
value from https://Mailbox01.corp.contoso.com/ews/exchange.asmx to
https://internal.contoso.com/ews/exchange.asmx.
When you're finished, click Save.
4. Repeat the previous steps for each virtual directory you want to change.
NOTE
The ECP and OWA virtual directory internal URLs must be the same. You can't set an internal URL on the
Autodiscover virtual directory.
After you've configured the internal URL on the Mailbox server virtual directories, you need to configure your
private DNS records for Outlook on the web, and other connectivity. Depending on your configuration, you'll
need to configure your private DNS records to point to the internal or external IP address or FQDN of your
Mailbox server. An example of the recommended DNS record that you should create is described in the following
table:
ECP https://internal.contoso.com/ecp
EWS https://internal.contoso.com/EWS/Exchange.asmx
Microsoft-Server-ActiveSync https://internal.contoso.com/Microsoft-Server-ActiveSync
OAB https://internal.contoso.com/OAB
OWA https://internal.contoso.com/owa
PowerShell http://internal.contoso.com/PowerShell
To verify that you've successfully configured your private DNS records, do the following:
1. Open a command prompt and run nslookup.exe .
2. Change to a DNS server that can query your private DNS zone.
3. In nslookup , look up the record of each FQDN you created. Verify that the value that's returned for each
FQDN is correct.
Step 6: Configure an SSL certificate
Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your
Exchange server. The following steps show you how to configure an SSL certificate from a third-party certificate
authority (CA):
1. Create an Exchange Server certificate request for a certification authority .
You should request a certificate from a third-party CA so your clients automatically trust the
certificate. For more information, see Best practices for Exchange certificates.
If you configured your internal and external URLs to be the same, Outlook on the web (when
accessed from the internet) and Outlook on the web (when accessed from the Intranet)
should both show owa.contoso.com. OAB (when accessed from the internet) and OAB (when
accessed from the Intranet) should show mail.contoso.com.
If you configured the internal URLs to be internal.contoso.com, Outlook on the web (when
accessed from the internet) should show owa.contoso.com and Outlook on the web (when
accessed from the Intranet) should show internal.contoso.com.
2. Complete a pending Exchange Server certificate request.
3. Assign certificates to Exchange Server services
At minimum, you should select SMTP and IIS.
If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
How do you know this step worked?
To verify that you've successfully added a new certificate, do the following steps:
1. In the EAC, go to Servers > Certificates.
2. Select the new certificate and then, in the certificate details pane, verify that the following are true:
Status shows Valid
Assigned to services shows, at minimum, IIS and SMTP.
After you install Exchange Server 2016 or Exchange Server 2019, we recommend that you verify the installation
by running the Get-ExchangeServer cmdlet and by reviewing the Exchange Setup log. If the setup process fails
or errors occur during installation, you can use the Setup log to find the source of the problem.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or
Exchange Online Protection.
Run Get-ExchangeServer
To verify that Exchange installed successfully, run the following commands in the Exchange Management Shell. To
open the Exchange Management Shell, see Open the Exchange Management Shell.
This command returns a summary list of the names, Active Directory sites, Exchange server roles, Exchange
editions, and Exchange versions of all Exchange servers in the organization.
Get-ExchangeServer
This example returns additional details about the Exchange server named Mailbox01.
Review the Windows Application log and the Exchange Setup log
Exchange Setup logs events in the Application log of the Windows Server. This log contains a history of
each action that the system takes during Exchange setup and any errors that occurred (By default, the
logging method is set to Verbose). You can use the Windows Event Viewer to find the messages related
to Exchange setup.
The Exchange Setup log is available at <system drive>:\ExchangeSetupLogs\ExchangeSetup.log (<system
drive> is the drive where Windows is installed). The Setup log tracks the progress of every task during the
Exchange installation and configuration. The file contains information about the status of the prerequisite
and system readiness checks before installation starts, the application installation progress, and the
configuration changes that are made to the system. Check this log file to verify that Exchange was installed
as expected.
We recommend that you start your review of the Windows Application log and/or the Exchange Setup log by
searching for errors. If you find an error entry, read the associated text to determine the cause of the error.
Install the Exchange management tools
8/23/2019 • 5 minutes to read • Edit Online
The management tools in Exchange Server 2016 and Exchange Server 2019 include the Exchange Management
Shell and the Exchange Toolbox. You can install the management tools on other client computers or servers in the
Active Directory domain to help you manage your Exchange organization. The management tools have similar
operating system, .NET Framework, and Windows Management Framework (Windows PowerShell) requirements
as an Exchange server. The notable exception is: you can install the management tools on client versions of
Windows. For more information, see Exchange Server system requirements and Exchange Server prerequisites.
NOTE
The management tools don't include the Exchange admin center (EAC). The EAC is a web-based console that's hosted on
Exchange 2016 Mailbox servers, and like any web site, you can access the EAC from other computers. For more information
about the EAC, see Exchange admin center in Exchange Server.
For more information about the Exchange Management Shell and the Exchange Toolbox, see Exchange Server
PowerShell (Exchange Management Shell) and Exchange Toolbox.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
8. On the Installation Space and Location page, either accept the default installation location (
C:\Program Files\Microsoft\Exchange Server\V15 ), or click Browse to choose a new location. Make sure that
you have enough disk space available in the location where you want to install the management tools. Click
Next to continue.
9. If this is the first installation of Exchange in your organization (Exchange server or the management tools),
you arrive on the Exchange Organization page. On this page, configure the following settings:
Specify the name for this Exchange organization: The default value is First Organization, but
you typically use the company name for this value. The organization name is used internally by
Exchange, isn't typically seen by users, doesn't affect the functionality of Exchange, and doesn't
determine what you can use for email addresses.
The organization name can't contain more than 64 characters, and can't be blank.
Valid characters are A to Z, a to z, 0 to 9, hyphen or dash (-), and space, but leading or trailing
spaces aren't allowed.
You can't change the organization name after it's set.
Apply Active Directory split permission security model to the Exchange organization: Most
organizations don't need to select this option. If you need to separate management of Active
Directory security principals and the Exchange configuration, split permissions might work for you.
For more information, click ?.
Click Next to continue.
10. On the Readiness Checks page, verify that the organization and server role prerequisite checks completed
successfully. If they haven't, the only option on the page is Retry, so you need to resolve the errors before
you can continue.
After you resolve the errors, click Retry to run the prerequisite checks again. You can fix some errors
without exiting Setup, while the fix for other errors requires you to restart the computer. If you restart the
computer, you need to start over at Step 2.
When no more errors are detected on the Readiness Checks page, the Retry button changes to Install so
you can continue. Be sure to review any warnings, and then click Install to install the management tools.
11. On the Setup Completed page, click Finish, and then restart the computer.
To configure instant messaging (IM ) integration between Skype for Business Server and Outlook on the web
(formerly known as Outlook Web App) in Exchange 2016 or Exchange 2019, you need to use the Exchange
Management Shell. This is different than previous versions of Exchange where you needed to edit the web.config
file. If you edit the web.config file instead of using the steps in this topic, the settings are ignored and Outlook on
the web users receive the following error message:
There's a problem with instant messaging. Please try again later.
Also, the following health set errors are generated on the Exchange server:
HealthSet: OWA.Protocol.Dep
Subject:
OWA.Protocol.Dep health set unhealthy (OwaIMInitializationFailedMonitor/OWA.Protocol.Dep) - Owa
InstantMessaging provider failed to intialize
Message:
Owa InstantMessaging provider failed to initialize due to incorrect IM configuration on the server.
Signin attempts to OWA IM will fail. Error Message: {Instant Messaging Certificate Thumbprint is null or
empty on web.config).
Use the procedures in this topic to fix these errors and configure IM integration between Skype for Business
Server and Exchange 2016 or Exchange 2019. IM integration between Lync Server 2013 and Exchange 2016 or
later isn't supported. For details on setting up Skype for Business Server with Outlook on the web (formerly
known as Outlook Web App), see Configure integration between on-premises Skype for Business Server and
Outlook Web App
Notes:
To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory
forest, don't use the Server parameter.
To configure the settings on a specific Exchange 2016 or Exchange 2019 server, use the Server parameter
and the name of the server (don't use the fully qualified domain name or FQDN ). This method is useful
when you need to specify different settings on different Exchange servers.
This example specifies the IM server and IM certificate thumbprint on all Exchange 2016 and Exchange 2019
servers in the organization.
Setting override name: "IM Override" (must be unique)
Skype for Business server name: skype01.contoso.com
Certificate thumbprint: CDF34A740E9D225A1A06193A9D44B2CE22775308
Override reason: Configure IM
This example specifies the IM server and IM certificate thumbprint, but only on the server named Mailbox01.
Step 3: Restart the Outlook on the web pool on the Exchange server
Run the following command in the Exchange Management Shell or in Windows PowerShell on the server. You
need to do this on every Exchange 2016 or Exchange 2019 server that's used for Outlook on the web.
Restart-WebAppPool MSExchangeOWAAppPool
Note: In Exchange 2016 CU3 or earlier, you need to use different values for some of the parameters:
Process: Microsoft.Exchange.Directory.TopologyService (instead of MSExchangeMailboxAssistants ).
Argument: Config (instead of "Config,Component=OwaServer" ).
Change the offline address book generation schedule
in Exchange
8/23/2019 • 3 minutes to read • Edit Online
An offline address book (OAB ) is a copy of an address book that's been downloaded so that an Outlook user can
access the information it contains while disconnected from the server. By default, a new OAB is generated every 8
hours in Exchange Server 2016 and Exchange Server 2019, but you can change the interval by using the Exchange
Management Shell.
For additional management tasks related to OABs, see Procedures for offline address books in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Notes:
To specify a <TimeSpan> value, use the syntax d.hh:mm:ss , where d = days, hh = hours, mm = minutes,
and ss = seconds.
To configure the OAB generation schedule on all Exchange 2016 and Exchange 2019 Mailbox servers in the
Active Directory forest, don't use the Server parameter.
To configure the OAB generation schedule on a specific Exchange 2016 or Exchange 2019 Mailbox server,
use the Server parameter and the name (not the fully qualified domain name or FQDN ) of the server. This
method is useful when you need to specify different OAB generation schedules on different Exchange
servers.
In Exchange 2016 Cumulative Update 3 (CU3) or earlier, the Component parameter value is
MailboxAssistants .
This example specifies that the OAB is generated every two hours on all Exchange 2016 and Exchange 2019
servers in the organization that are responsible for generating OABs.
Setting override name: "OAB Generation Override" (must be unique)
WorkCycle: 02:00:00 (2 hours)
Override reason: Generate OAB every 2 hours
This example specifies the same OAB generation schedule, but only on the server named Mailbox01.
Step 2: Use the Exchange Management Shell to apply the new OAB generation schedule
To apply the new OAB generation schedule, use this syntax:
Notes:
If you didn't use the Server parameter in Step 1, don't use it here. If you used the Server parameter in Step
1, use the same server name here.
If you delete the custom OAB generation schedule by using the Remove-SettingOverride cmdlet, you still
need to run this command to change the generation schedule back to the default value of 8 hours.
This example applies the new OAB generation schedule on all Exchange 2016 and Exchang 2019 Mailbox servers
in the organization.
This example applies the new OAB generation schedule on the server named Mailbox01.
Note: In Exchange 2016 CU3 or earlier, you need to run this command instead:
[xml]$diag=Get-ExchangeDiagnosticInfo -Server <ServerName> -Process
Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Config;
$diag.Diagnostics.Components.VariantConfiguration.Configuration.MailboxAssistants.OABGeneratorAssistant
.
See also
Procedures for offline address books in Exchange Server
Configure certificate based authentication in
Exchange 2016
8/23/2019 • 8 minutes to read • Edit Online
Certificate based authentication (CBA) in Exchange allows Outlook on the web (formerly known as Outlook Web
App) and Exchange ActiveSync clients to be authenticated by client certificates instead of entering a user name and
password.
Before you configure Exchange, you need to issue a client certificate to each user. Because of the sheer number of
certificates involved, you should use an automated internal public key infrastructure (PKI) to issue and manage the
client certificates. An example of an automated internal PKI is Active Directory Certificate Services (AD CS ). For
more information about AD CS, see Active Directory Certificate Services Overview. Here's more information
about the certificate requirements:
The client certificate must be issued for client authentication (for example, the default User certificate
template in AD CS ).
The client certificate must contain the user principal name (UPN ) of the user (in the certificate's Subject or
Subject Alternative Name fields).
The client certificate must be associated with the user account in Active Directory.
All servers and devices that are involved in access to Outlook on the web and ActiveSync (including proxy
servers and client devices) must trust the entire chain of trust for the client certificates (the root certificate of
the certification authority, and any intermediate CAs that were used to issue certificates).
For CBA in Outlook on the web, the client certificate needs to be installed on the local computer, device, or on a
smart card. For CBA in ActiveSync, the client certificate needs to be installed on the local device. You can automate
the installation of certificates on devices by using a mobile device management (MDM ) solution like Intune. For
more information about Intune, see Overview of Microsoft Intune.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Install-WindowsFeature Web-Client-Auth
4. On the Authentication page that opens, select Active Directory Client Certificate Authentication
from the list, and in the Actions pane, click Enable.
You'll see a warning that SSL must be enabled to use Active Directory Client Certificate Mapping.
Step 5: Use IIS Manager to enable client certificate mapping for the
Outlook on the web, Exchange admin center, and ActiveSync virtual
directories
IMPORTANT
After you perform this step, running the Set-ActiveSyncVirtualDirectory cmdlet might disable the client certificate
mapping for ActiveSync.
1. In IIS Manager, expand the server, expand Sites, and then expand Default Web Site.
2. Select the owa virtual directory, and verify Features View is selected at the bottom of the page.
3. In the Management section, double-click Configuration Editor.
4. On the Configuration Editor page, click the drop down on Section, and navigate to system.webServer >
security > authentication > clientCertificateMappingAuthentication.
5. Set the enabled value to True, and in the Actions pane, click Apply.
Note that this step requires membership in the Enterprise Admins group.
The topics in this are provide details about the readiness checks that Exchange Server performs when Exchange is
installed. Readiness checks ensure that your Active Directory forest and Exchange servers are ready for the version
of Exchange that you're installing. Each readiness check topic describes the actions that you can take to resolve
issues that are found when the readiness checks are run. You should only perform the steps outlined in a readiness
check topic if that readiness check was displayed during setup.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or
Exchange Online Protection.
AD LDS directory exists in default location
[ADAMDataPathExists]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the attempt to install Active Directory Lightweight Directory Services (AD
LDS ) failed.
An older installation of AD LDS exists in the default location. Setup can't perform a new AD LDS install in an
existing AD LDS directory structure.
To resolve this issue, remove the existing AD LDS directory and then run Setup again.
For more information about AD LDS directory management, see Administering AD LDS Directory Partitions.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Duplicate Microsoft Exchange System Objects
container exists in Active Directory [AdInitErrorRule]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it found a duplicate Microsoft Exchange System Objects container in Active
Directory Domain Naming context. When Setup finds a duplicate Microsoft Exchange System Objects container,
you need to delete the duplicate container before Setup can continue. Note that running DomainPrep again won't
fix the problem. You need to find and delete the duplicate Microsoft Exchange System Objects container.
To resolve this issue, do the following steps:
1. Open Active Directory Users and Computers. For example:
Press Windows key + R, enter dsc.msc, and then click OK.
In Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers, click View > Advanced Features.
3. Locate the duplicate Microsoft Exchange System Objects container.
4. Verify that the duplicate Microsoft Exchange System Objects container doesn't contain valid Active
Directory objects.
5. Right-click the duplicate Microsoft Exchange System Objects container, click Delete, and then click Yes
in the confirmation dialog box.
NOTE
To immediately replicate the change, you need to manually initiate replication between domain controllers.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Failover Cluster Command Interface Windows feature
not installed [RsatClusteringCmdInterfaceInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup can't continue because the local computer is missing a required Windows
feature. You'll need to install this Windows feature before Exchange 2016 can continue.
Exchange 2016 Setup requires that the Failover Cluster Command Interface Windows feature be installed on
the computer before installation can continue.
Do the following to install the Windows feature on this computer. If the feature requires a reboot to complete
installation, you'll need to exit Exchange 2016 Setup, reboot, and then start Setup again.
NOTE
Additional Windows features or updates might need to be installed before Exchange 2016 Setup can continue. For a
complete list of required Windows features and updates, check out Exchange Server prerequisites.
Install-WindowsFeature RSAT-Clustering-CmdInterface
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Active Directory does not exist or cannot be
contacted [CannotAccessAD]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it can't contact a valid Active Directory site. Setup requires that the target
server is able to locate the configuration naming context in Active Directory.
To resolve this issue, verify that the account that you're using an Active Directory account to run Setup and then try
running Setup again. If this doesn't resolve the issue, follow the guidance about using the support tools in the
following topics to further diagnose the problem.
For more information about Active Directory troubleshooting and configuration for Exchange, see the following
topics:
Prepare Active Directory and domains
Troubleshooting Active Directory Domain Services
Configuring a Computer for Troubleshooting
Troubleshooting Active Directory Replication Problems
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The local computer isn't joined to an Active Directory
domain [ComputerNotPartofDomain]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it detected that the target server isn't a member of an Active Directory
domain. You need to join the target server to an Active Directory domain before you can install the Mailbox server
role. You might also see this message if you're using a local computer account instead of a domain user account
(with the required permissions) to install Exchange.
For more information, see Exchange Server system requirements
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedBridgeheadFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because this is the first Exchange server in the organization, and the first Exchange
server needs to be installed by a member of the Enterprise Admins security group (to create the Exchange
Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedCafeFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because this is the first Exchange server in the organization, and the first Exchange
server needs to be installed by a member of the Enterprise Admins security group (to create the Exchange
Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedClientAccessFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because this is the first Exchange server in the organization, and the first Exchange
server needs to be installed by a member of the Enterprise Admins security group (to create the Exchange
Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedMailboxFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because this is the first Exchange server in the organization, and the first Exchange
server needs to be installed by a member of the Enterprise Admins security group (to create the Exchange
Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedUnifiedMessagingFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange 2016 Setup can't continue because this is the first Exchange server in the organization, and the first
Exchange server needs to be installed by a member of the Enterprise Admins security group (to create the
Exchange Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Active Directory functional level isn't Windows Server
2003 or later [ForestLevelNotWin2003Native]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 Setup can't continue because the Active Directory forest functional level of the target forest
isn't Windows Server 2003 native or later. Before you can install Exchange 2016, you must raise the forest
functional level to Windows Server 2003 or later.
For information about how to raise the forest functional level, see Raise the Forest Functional Level.
For more information about Active Directory functional levels, see the following topics:
What are Active Directory Functional Levels?
How Active Directory Functional Levels Work
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Cannot write to the Exchange organization container
[GlobalServerInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the user account doesn't have the permissions that are required to write to
the organization container in the Active Directory directory service.
Setup requires that the account you're using to install Exchange has permissions to create and modify objects in
Active Directory:
If this is the first Exchange server in your organizaiton, your account needs to be a member of the Schema
Admins security group (to extend the schema) and the Enterprise Admins security group (to prepare Active
Directory).
After you prepare Active Directory for the version of Exchange that you're installing, your account needs to
be a member of the Organization Management role group.
For more information, see Prepare Active Directory and domains for Exchange.
To resolve this issue, run Exchange setup again using an account that has the appropriate permissions (grant
permissions to the current account or use a different account).
IMPORTANT
Cross-forest installation of Exchange isn't supported. Use an account in the Active Directory forest where you're installing
Exchange.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Global updates required [GlobalUpdateRequired]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the user account doesn't have the permissions that are required to write to
the organization container in the Active Directory directory service.
Setup requires that the account you're using to install Exchange has permissions to create and modify objects in
Active Directory:
If this is the first Exchange server in your organizaiton, your account needs to be a member of the Schema
Admins security group (to extend the schema) and the Enterprise Admins security group (to prepare Active
Directory).
After you prepare Active Directory for the version of Exchange that you're installing, your account needs to
be a member of the Organization Management role group.
For more information, see Prepare Active Directory and domains for Exchange.
To resolve this issue, run Setup again using an account that has the appropriate permissions (grant permissions to
the current account or use a different account).
IMPORTANT
Cross-forest installation of Exchange isn't supported. Use an account in the Active Directory forest where you're installing
Exchange.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The Host record for the local computer cannot be
found in the DNS database [HostRecordMissing]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the Host (A) record for this computer can't be found in the DNS zone for
the domain. Setup requires a vaild A record for the server, and Exchange uses email server A records to find the IP
address of the next hop to send messages.
To resolve this issue:
Verify that the local TCP/IP configuration points to the correct DNS server. For more information, see
Configure TCP/IP settings.
Use Nslookup.exe to verify that the Host (A) record exists on the DNS server. For more information, see To
verify A resource records exist in DNS.
For information about DNS name resolution, troubleshooting, and A records, see the following:
Troubleshooting DNS
Managing resource records
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation on domain controllers is not supported
with Active Directory split permissions
[InstallOnDCInADSplitPermissionMode]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup detected that you're installing Exchange on an Active Directory domain controller and one of the
following conditions is true:
The Exchange organization is already configured for Active Directory split permissions.
You selected the Active Directory split permissions option in Exchange Setup.
Installing Exchange on domain controllers isn't supported when the Exchange organization is configured for Active
Directory split permissions. To install Exchange on a domain controller, you need to configure the Exchange
organization for Role Based Access Control (RBAC ) split permissions or shared permissions.
IMPORTANT
We don't recommend installing Exchange on Active Directory domain controllers. For more information, see Installing
Exchange on a domain controller is not recommended [WarningInstallExchangeRolesOnDomainController].
If you want to use Active Directory split permissions, you need install Exchange on a member server.
For more information about split and shared permissions in Exchange 2013 or later, see the following topics:
Understanding Split Permissions
Configure Exchange 2013 for Split Permissions
Configure Exchange 2013 for Shared Permissions
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The current account isn't logged into an Active
Directory domain [LoggedOntoDomain]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it detected that the current account isn't logged on to an Active Directory
domain. You need to log in using an Active Directory account that has the permissions required to install Exchange.
Setup requires that the account you're using to install Exchange has permissions to create and modify objects in
Active Directory:
If this is the first Exchange server in your organizaiton, your account needs to be a member of the Schema
Admins security group (to extend the schema) and the Enterprise Admins security group (to prepare Active
Directory).
After you prepare Active Directory for the version of Exchange that you're installing, your account needs to
be a member of the Organization Management role group.
For more information, see Prepare Active Directory and domains for Exchange.
To resolve this issue, run Setup again using an account that has the appropriate permissions (grant permissions to
the current account or use a different account).
IMPORTANT
Cross-forest installation of Exchange isn't supported. Use an account in the Active Directory forest where you're installing
Exchange.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The computer needs to be restarted before Setup can
continue [RebootPending]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it detected a pending reboot to complete the installation of other programs
or Windows updates.
Although it's tempting, we strongly recommend that you don't attempt to work around this issue by manually
deleting or changing registry keys or values. Although you might fix this issue now, manually modifying the
registry might cause issues later on. This is especially important if the failed installation was a Windows update.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The logged-on user is not a member of the Schema
Admins group [SchemaUpdateRequired]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the user account isn't a member of the Schema Admins and Enterprise
Admins security groups.
Setup requires that the account you're using to install Exchange has permissions to create and modify objects in
Active Directory:
If this is the first Exchange server in your organizaiton, your account needs to be a member of the Schema
Admins security group (to extend the schema) and the Enterprise Admins security group (to prepare Active
Directory).
After you prepare Active Directory for the version of Exchange that you're installing, your account needs to
be a member of the Organization Management role group.
For more information, see Prepare Active Directory and domains for Exchange.
To resolve this issue, run Exchange setup again using an account that has the appropriate permissions (grant
permissions to the current account or use a different account).
IMPORTANT
Cross-forest installation of Exchange isn't supported. Use an account in the Active Directory forest where you're installing
Exchange.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
UCMA 4.0, Core Runtime not installed
[UcmaRedistMsi]
8/23/2019 • 2 minutes to read • Edit Online
Exchange 2016 Setup requires the Unified Communications Managed API 4.0 Runtime for Unified Messaging
(UM ) services on the Mailbox server role. You need to install this update before Exchange 2016 Setup can
continue.
Download and install the 64-bit update from Unified Communications Managed API 4.0 Runtime, and then click
Retry on the Readiness Checks page in the Exchange 2016 Setup wizard.
NOTE
If the installation of this update requires a reboot, you'll need to exit Exchange 2016 Setup, reboot, and then start Setup
again.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Cannot remove mailbox database
[UnwillingToRemoveMailboxDatabase]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it can't remove a user mailbox database from the local server without
incurring potential data loss.
Before Exchange Setup removes the Mailbox server role from a server, Setup confirms that alll mailbox databases
have been removed from the server, or that the mailboxes on the server don't contain active mailboxes. However,
user mailboxes might still remain on the server.
To resolve this issue do either of these steps:
To preserve the mailboxes and their content, move the mailboxes to another server. For instructions, see
Mailbox moves in Exchange Server.
Disable the mailboxes if they're no longer required. For more information, see Disable-Mailbox.
Remove the mailbox databases if they're no longer required. For instructions, see Manage mailbox
databases in Exchange Server.
After you deal with the mailbox databases on the server, run Exchange Setup again.
For more information about how to identify a mailbox in the database, see Get-Mailbox.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installing Exchange on a domain controller is not
recommended
[WarningInstallExchangeRolesOnDomainController]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 or Exchange 2019 Setup has detected that the target computer is an Active Directory
domain controller, and we don't recommed installing Exchange on domain controllers.
If you install Exchange on a domain controller, be aware of the following issues:
Configuring Exchange for Active Directory split permissions isn't supported. For more information about
split permissions, see Understanding split permissions.
The Exchange Trusted Subsystem universal security group (USG ) is added to the Domain Admins group.
This action grants all Exchange servers domain administrator rights in the domain.
Exchange Server and Active Directory are both resource-intensive applications. There are performance
implications when both applications are running on the same computer.
The domain controller must be a global catalog server, but Exchange services might not start correctly on a
global catalog server.
System shutdown will take considerably longer if Exchange you don't stop the Exchange services before
you shut down or restart the server.
Demoting the domain controller to a member server isn't supported.
Running Exchange on a clustered node that's also an Active Directory domain controller isn't supported.
Therefore, we recommend that you install Exchange on a member server, not on a domain controller.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
KB2619234 update not installed
[Win7RpcHttpAssocCookieGuidUpdateNotInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 Setup can't continue because the local computer requires a software update. You'll need to
install this update before Exchange 2016 Setup can continue.
Exchange 2016 Setup requires a Windows Server update that allows Outlook Anywhere (RPC over HTTP ) to work
correctly.
Download and install the 64-bit update from KB2619234, and then click retry on the Readiness Checks page.
NOTE
If this update requires a reboot to complete installation, you'll need to exit Exchange 2016 Setup, reboot, and then start
Setup again.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Installation of the first Exchange server in the
organization can't be delegated
[DelegatedFrontendTransportFirstInstall]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because this is the first Exchange server in the organization, and the first Exchange
server needs to be installed by a member of the Enterprise Admins security group (to create the Exchange
Organization container and configure objects in it).
Note: If you haven't already extended the Active Directory schema for Exchange, you need to do one of the
following steps:
A member of the Schema Admins group can extend the Active Directory schema using another computer in
the domain before you install Exchange.
Exchange Setup can extend the schema if your account is a member of the Schema Admins group.
To resolve this issue, run Exchange setup again using an account that's a member of the Enterprise Admins security
group (add the current account or use a different account).
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
No Exchange 2010 servers detected
[NoE14ServerWarning]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup displayed this warning because no Exchange 2010 servers exist in the
organization.
Cau t i on
If you continue with Exchange Server 2016 installation, you won't be able to add Exchange 2010 servers to the
organization in the future.
Before deploying Exchange 2016, consider the following factors that may require you to deploy Exchange 2010
servers prior to deploying Exchange 2016:
Third-party or in-house developed applications: Applications developed for earlier versions of
Exchange may not be compatible with Exchange 2016. You may need to maintain Exchange 2010 servers to
support these applications.
Coexistence or migration requirements: If you plan on migrating mailboxes into your organization,
some solutions may require the use of Exchange 2010 servers.
If you decide that you need to deploy Exchange 2010 servers, you need to do so before you deploy Exchange 2016.
You need to prepare Active Directory for each Exchange version in the following order:
1. Exchange 2010
2. Exchange 2013 (only required if you're planning to deploy Exchange 2013 at a later date)
3. Exchange 2016
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
The computer needs to be restarted before Setup can
continue [PendingRebootWindowsComponents]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because it detected a pending reboot to complete the installation of other programs
or Windows updates.
Although it's tempting, we strongly recommend that you don't attempt to work around this issue by manually
deleting or changing registry keys or values. Although you might fix this issue now, manually modifying the
registry might cause issues later on. This is especially important if the failed installation was a Windows update.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Can't install Exchange 2016 in a forest that contains
Exchange 2000 or Exchange 2003 servers.
[Exchange2000or2003PresentInOrg]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because a version of Exchange that's too old for coexistence with the version that
you're installing was found in the Active Directory forest. Before you can continue, you need to eliminate all
unsupported versions of Exchange from your forest, which might require that you to upgrade to an interim version
of Exchange first.
The installation of Exchange Server 2016 or later can't continue because Setup found one or more Exchange 2000
or Exchange 2003 servers in the Active Directory forest. Before you can install Exchange 2016 or later in your
organization, you need to remove all Exchange 2000 or Exchange 2003 servers from the forest.
The upgrade path that you need to follow depends on your current version of Exchange. The upgrade paths are
described in the following table:
NOTE
When you need to upgrade to an interim version of Exchange, you need to migrate all mailboxes, public folders and other
components onto the interim version of Exchange before you decomission and remove the earlier Exchange servers.
Exchange 2000 Exchange 2007 Exchange 2000 > Exchange 2007 >
Exchange 2013 > Exchange 2019.
Exchange 2003 Exchange 2010 Exchange 2003 > Exchange 2010 >
Exchange 2016 > Exchange 2019.
Exchange 2007 Exchange 2013 Exchange 2007 > Exchange 2013 >
Exchange 2019.
Exchange 2010 Exchange 2016 Exchange 2010 > Exchange 2016 >
Exchange 2019.
Exchange 2000 Exchange 2007 • Exchange 2000 > Exchange 2007 >
Exchange 2013 > Exchange 2016.
Exchange 2003 Exchange 2010 • Exchange 2003 > Exchange 2010 >
Exchange 2016.
Exchange 2007 Exchange 2013 • Exchange 2007 > Exchange 2013 >
Exchange 2016.
LATEST EXCHANGE VERSION FOR
CURRENT EXCHANGE VERSION COEXISTENCE UPGRADE PATH SUMMARY
When upgrading to Exchange 2010 or later, you can use the Exchange Deployment Assistant to help complete your
deployment. For more information, see the following links:
Exchange 2010 Deployment Assistant
Exchange 2013 Deployment Assistant
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
An incompatible operating system was found
[ValidOSVersion]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup can't continue because it detected an incompatible operating system. You
must install a compatible operating system on this computer before you install Exchange 2016. The following table
shows the operating systems that are compatible with Exchange 2016.
IMPORTANT
Exchange 2016 doesn't support the Server Core installation option of Windows Server.
COMPONENT REQUIREMENT
Mailbox and Edge Transport server roles Windows Server 2016 Standard or Datacenter*
Windows Server 2012 R2 Standard or Datacenter
Windows Server 2012 Standard or Datacenter
Exchange Setup can't continue because it detected that the ExecutionPolicy Group Policy Object (GPO ) defines
one or both of the following policies:
MachinePolicy
UserPolicy
It doesn't matter how the policies have been defined; it only matters that they have been defined.
Exchange Setup stops and disables the Windows Management Instrumentation (WMI) service. When either of
these policies are defined, the WMI service needs to be enabled to run a Windows PowerShell script. If the policies
are defined and the WMI service is stopped, Setup will fail and the server will be left in an inconsistent state.
To allow Setup to continue, you need to temporarily remove any definition of MachinePolicy or UserPolicy in
the ExecutionPolicy GPO.
For information on how to remove any definitions of MachinePolicy or UserPolicy in the ExecutionPolicy
GPO on Exchange 2010 or later servers, see KB981474.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Primary DNS Suffix is missing
[ms.exch.setupreadiness.FqdnMissing]
8/23/2019 • 2 minutes to read • Edit Online
Exchange Setup can't continue because the primary DNS suffix (for example, contoso.com) hasn't been configured
on the target server. Typically, you'll encounter this error when you're trying to install the Edge Transport server
role.
To resolve this issue, add a primary DNS suffix on the computer and then run Setup again.
1. Replace <Value> with the DNS suffix you want to use (for example, contoso.com), and run the following
command in Winows Powershell on the target server:
IMPORTANT
Changing the computer name or primary DNS suffix after you install Exchange isn't supported.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
MAPI over HTTP isn't enabled
[WarnMapiHttpNotEnabled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup displayed this warning because there are servers running Exchange 2016
or later in this organization and MAPI over HTTP isn't enabled.
MAPI over HTTP is the preferred Outlook connectivity method when connecting to servers running Exchange
2016 or later. MAPI over HTTP improves the reliability and stability of the Outlook and Exchange connections by
moving the transport layer to the industry-standard HTTP model. This allows a higher level of visibility of
transport errors and enhanced recoverability. Additional functionality includes support for an explicit pause-and-
resume function. This enables supported clients to change networks or resume from hibernation while maintaining
the same server context.
Exchange Setup won't automatically enable MAPI over HTTP to avoid making unexpected changes to client
connectivity. However, we recommend that you enable MAPI over HTTP as soon as possible to receive the benefits
it provides.
For more information about MAPI over HTTP and how to enable it, see MAPI over HTTP in Exchange Server.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Can't install Exchange 2016 or later in a forest that
contains Exchange 2007
[E16E12CoexistenceMinVersionRequirement]
8/23/2019 • 2 minutes to read • Edit Online
The installation of Exchange Server 2016 or later can't continue because Setup found one or more Exchange 2007
servers in the Active Directory forest. Before you can install Exchange 2016 or later in your organization, you need
to remove all Exchange 2007 servers from the forest.
The upgrade steps from Exchange 2007 are:
1. Install Exchange 2013 into your Exchange 2007 organization.
2. Configure Exchange 2013 and Exchange 2007 coexistence.
3. Migrate Exchange 2007 mailboxes, public folders, and other components to Exchange 2013.
4. Decommission and remove all Exchange 2007 servers.
5. Install Exchange 2016 or Exchange 2019 into your Exchange 2013 organization.
6. Configure coexistence with Exchange 2013.
7. Migrate Exchange 2013 mailboxes, public folders, and other components to Exchange 2016 or Exchange
2019.
8. Decommission and remove all Exchange 2013 servers.
The coexistence (and therefore, upgrade) options for Exchange are described in the following table:
When upgrading to Exchange 2010 or later, you can use the Exchange Deployment Assistant to help complete your
deployment. For more information, see the following links:
Exchange 2010 Deployment Assistant
Exchange 2013 Deployment Assistant
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Exchange 2010 SP3 RU11 or later is required for
coexistence with Exchange 2016
[E16E14CoexistenceMinVersionRequirement]
8/23/2019 • 2 minutes to read • Edit Online
The installation of Exchange Server 2016 can't continue because Setup found one or more Exchange 2010 servers
that aren't running the minimum required version of Exchange 2010. Before you can install Exchange 2016 in your
organization, all Exchange 2010 servers in the forest need to be running Exchange 2010 Service Pack 3 (SP3) and
Update Rollup 11 (RU11) or later. This requirement includes Exchange 2010 Edge Transport servers.
IMPORTANT
After you upgrade your Exchange 2010 Edge Transport servers to Exchange 2010 SP3 RU11 or later, you need to re-create
the Edge subscription between your Exchange organization and each Edge Transport server (to update the Edge Transport
server's Exchange version in Active Directory). For more information about re-creating Edge subscriptions in Exchange 2010,
see Managing Edge Subscriptions.
Exchange 2013 CU10 or later is required for
coexistence with Exchange 2016 or later
[E16E15CoexistenceMinVersionRequirement]
8/23/2019 • 2 minutes to read • Edit Online
The installation of Exchange Server 2016 or later can't continue because Setup found one or more Exchange 2013
servers that aren't running the minimum required version of Exchange 2013. Before you can install Exchange 2016
or later in your organization, all Exchange 2013 servers in the forest need to be running Exchange 2013
Cumulative Update 10 (CU10) or later. This requirement includes Exchange 2013 Edge Transport servers.
IMPORTANT
After you upgrade your Exchange 2013 Edge Transport servers to Exchange 2013 CU10 or later, you need to re-create the
Edge subscription between your Exchange organization and each Edge Transport server (to update the Edge Transport
server's Exchange version in Active Directory). For more information about re-creating Edge subscriptions in Exchange 2013,
see Managing Edge Subscriptions.
No Exchange 2013 servers detected
[NoE15ServerWarning]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup displayed this warning because no Exchange Server 2013 server roles exist
in the organization.
Cau t i on
If you continue with Exchange Server 2016 installation, you won't be able to add Exchange 2013 servers to the
organization at a future date.
Before deploying Exchange 2016, consider the following factors that may require you to deploy Exchange 2013
servers prior to deploying Exchange 2016:
Third-party or in-house developed applications: Applications developed for earlier versions of
Exchange may not be compatible with Exchange 2016. You may need to maintain Exchange 2013 servers to
support these applications.
Coexistence or migration requirements: If you plan on migrating mailboxes into your organization,
some solutions may require the use of Exchange 2013 servers.
If you decide that you need to deploy Exchange 2013 servers, you must do so before you deploy Exchange 2016.
Active Directory must be prepared for each Exchange version in the following order:
1. Exchange 2013
2. Exchange 2016
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or
Exchange Online Protection.
Running "dir" on an ReFS-formatted disk could cause
the computer to freeze
[Win2k12RefsUpdateNotInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup has detected that the computer you're attempting to install Exchange 2016
on doesn't have a recommended Windows update installed. We strongly recommend that you install this Windows
update before installing Exchange 2016 to avoid any issues resolved by the update.
Computers running Windows Server 2012 and later support the Resilient File System (ReFS ). An issue exists that
could cause computers to freeze when the "dir" command is run on disks formatted with ReFS.
Download and install the 64-bit update from the following URL, and then click retry on the Readiness Checks
page.
NOTE
If this update requires a reboot to complete installation, you'll need to exit Exchange 2016 Setup, reboot, and then start
Setup again.
Microsoft Knowledge Base article KB2894875, Windows 8-based or Windows Server 2012-based computer
freezes when you run the "dir" command on an ReFS volume.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
A Windows Server 2012 update rollup hasn't been
installed [Win2k12RollupUpdateNotInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup has detected that the computer you're attempting to install Exchange 2016
on doesn't have a recommended Windows update installed. We strongly recommend that you install this Windows
update before installing Exchange 2016 to avoid any issues resolved by the update.
A Windows Server 2012 update rollup that resolves several issues, including those that could cause Resilient File
System (ReFS )-formatted disks to perform unreliably, hasn't been installed.
Download and install the 64-bit update from the following URL, and then click retry on the Readiness Checks
page.
NOTE
If this update requires a reboot to complete installation, you'll need to exit Exchange 2016 Setup, reboot, and then start
Setup again.
Microsoft Knowledge Base article KB2822241, Windows 8 and Windows Server 2012 update rollup: April 2013.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Disks formatted as ReFS may not perform reliably
[Win2k12UrefsUpdateNotInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup has detected that the computer you're attempting to install Exchange 2016
on doesn't have a recommended Windows update installed. We strongly recommend that you install this Windows
update before installing Exchange 2016 to avoid any issues resolved by the update.
Computers running Windows Server 2012 and later support the Resilient File System (ReFS ). An issue in the
Virtual Disk Service could cause disks formatted as ReFS to not perform reliably. This could result in data
corruption or data loss.
Download and install the 64-bit update from the following URL, and then click retry on the Readiness Checks
page.
NOTE
If this update requires a reboot to complete installation, you'll need to exit Exchange 2016 Setup, reboot, and then start
Setup again.
Microsoft Knowledge Base article KB2884597, Virtual Disk Service or applications that use the Virtual Disk Service
crash or freeze in Windows Server 2012.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
KB3206632 security update not installed
[Win2k16LSARollupUpdateNotInstalled]
8/23/2019 • 2 minutes to read • Edit Online
Microsoft Exchange Server 2016 Setup can't continue because the local computer requires a software update.
You'll need to install this update before Exchange 2016 Setup can continue.
Exchange 2016 Setup requires that the December 13, 2016 (KB3206632) security update be installed on the
computer before installation can continue.
Download and install the 64-bit update from the following URL, and then click retry on the Readiness Checks
page.
NOTE
If this update requires a reboot to complete installation, you'll need to exit Exchange 2016 Setup, reboot, and then start
Setup again.
Microsoft Exchange Server 2016 Setup can't continue because it detected that the local computer is running
Windows Server Core or Windows Nano Server. Exchange 2016 requires that Windows Server with Desktop
Experience (Windows Server 2016) or Windows Server with a GUI (Windows Server 2012 and 2012R2) is
installed on the local computer. Before you can install Exchange 2016, you need to do one of the following
depending on the version of Windows Server you have installed:
Windows Server 2012 and Windows Server 2012 R2: Run the following command in Windows
PowerShell:
Windows Server 2016: Install Windows Server 2016 and choose the Desktop Experience installation
option. If a computer is running Windows Server 2016 Core or Nano and you want to install Exchange 2016
on it, you'll need to reinstall the operating system and choose the Desktop Experience installation option.
For more information, see Exchange Server system requirements.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or
Exchange Online Protection.
Exchange Server editions and versions
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 and Exchange Server 2019 are available in two server editions:
Enterprise Edition: Can scale up to 100 mounted databases per server.
Standard Edition: Limited to five mounted databases per server.
A mounted database is a database that's in use (an active mailbox database that's mounted for use by clients or a
passive mailbox database that's mounted in recovery for log replication and replay). While you can create more
databases than the described limits, you can only mount the maximum number of databases that are allowed by
the edition of Exchange. Note that the recovery database doesn't count towards these limits.
The server editions are defined by a product key. When you enter a valid product key, the supported edition for the
server is established. For more information, see Enter your Exchange Server product key.
Notes:
You can use a valid product key to move from the Trial Edition (evaluation version) of Exchange to either
Standard Edition or Enterprise Edition. No loss of functionality occurs after the Trial Edition expires, so you
can maintain lab, demo, training, and other non-production environments beyond 120 days without having
to reinstall the Trial Edition of Exchange or entering a product key.
You can use a valid product key to move from Standard Edition to Enterprise Edition.
You can't use a valid product key to downgrade from Enterprise Edition to Standard Edition or revert to the
Trial Edition. You can only do these types of downgrades by uninstalling Exchange, reinstalling Exchange,
and entering the correct product key.
Exchange Server 2016 and Exchange Server 2019 have enhanced language support for both servers and clients.
This topic lists the languages that are available for both servers and clients in Exchange 2016 and Exchange 2019.
Understanding the storage options and requirements for Mailbox servers in Exchange Server 2016 and Exchange
Server 2019 is an important part of your Mailbox server storage design solution.
Storage architectures
The following table describes supported storage architectures and provides best practice guidance for each type of
storage architecture where appropriate.
Supported storage architectures
Direct-attached storage (DAS) DAS is a digital storage system directly Not available.
attached to a server or workstation,
without a storage network in between.
For example, DAS transports include
Serial Attached Small Computer System
Interface (SCSI) and Serial Attached
Advanced Technology Attachment
(ATA).
Storage area network (SAN): Internet SAN is an architecture to attach remote Don't share physical disks backing up
Small Computer System Interface (iSCSI) computer storage devices (such as disk Exchange data with other applications.
arrays and tape libraries) to servers in Use dedicated storage networks.
such a way that the devices appear as Use multiple network paths for stand-
locally attached to the operating system alone configurations.
(for example, block storage). iSCSI SANs
encapsulate SCSI commands within IP
packets and use standard networking
infrastructure as the storage transport
(for example, Ethernet).
SAN: Fibre Channel Fibre Channel SANs encapsulate SCSI Don't share physical disks backing up
commands within Fibre Channel Exchange data with other applications.
packets and generally utilize specialized Use multiple Fibre Channel network
Fibre Channel networks as the storage paths for stand-alone configurations.
transport. Follow storage vendor's best practices
for tuning Fibre Channel host bus
adapters (HBAs), for example, Queue
Depth and Queue Target.
A network-attached storage (NAS ) unit is a self-contained computer connected to a network, with the sole purpose
of supplying file-based data storage services to other devices on the network. The operating system and other
software on the NAS unit provide the functionality of data storage, file systems, and access to files, and the
management of these functions (for example, file storage).
All storage used by Exchange for storage of Exchange data must be block-level storage because Exchange 2016
doesn't support the use of NAS volumes, other than in the SMB 3.0 scenario outlined in the topic Exchange Server
virtualization. Also, in a virtualized environment, NAS storage that's presented to the guest as block-level storage
via the hypervisor isn't supported.
Using storage tiers is not recommended, as it could adversely affect system performance. For this reason, do not
allow the storage controller to automatically move the most accessed files to "faster" storage.
Serial ATA (SATA) SATA is a serial interface for ATA and Supported: 512-byte sector disks for
integrated device electronics (IDE) disks. Windows Server 2008 and Windows
SATA disks are available in a variety of Server 2008 R2. In addition, 512e disks
form factors, speeds, and capacities. are supported for Windows Server 2008
In general, choose SATA disks for R2 with the following:
Exchange 2016 mailbox storage when • The hotfix described in KB982018.
you have the following design • Windows Server 2008 R2 with Service
requirements: Pack 1 (SP1) and Exchange Server 2010
• High capacity SP1.
• Moderate performance Exchange 2013 and later supports
• Moderate power utilization native 4-kilobyte (KB) sector disks and
512e disks. Support requires that all
copies of a database reside on the same
physical disk type. For example, it is not
a supported configuration to host one
copy of a given database on a 512-byte
sector disk and another copy of that
same database on a 512e disk or 4K
disk.
Best practice: Consider enterprise class
SATA disks, which generally have better
heat, vibration, and reliability
characteristics.
Serial Attached SCSI Serial Attached SCSI is a serial interface Supported: 512-byte sector disks for
for SCSI disks. Serial Attached SCSI disks Windows Server 2008 and Windows
are available in a variety of form factors, Server 2008 R2. In addition, 512e disks
speeds, and capacities. are supported for Windows Server 2008
In general, choose Serial Attached SCSI R2 with the following:
disks for Exchange 2016 mailbox • The hotfix described in KB982018.
storage when you have the following • Windows Server 2008 R2 SP1 and
design requirements: Exchange Server 2010 SP1.
• Moderate capacity Exchange 2013 and later supports
• High performance native 4-kilobyte (KB) sector disks and
• Moderate power utilization 512e disks. Support requires that all
copies of a database reside on the same
physical disk type. For example, it is not
a supported configuration to host one
copy of a given database on a 512-byte
sector disk and another copy of that
same database on a 512e disk or 4K
disk.
Best practice: Physical disk-write caching
must be disabled when used without a
UPS.
PHYSICAL DISK TYPE DESCRIPTION SUPPORTED OR BEST PRACTICE
Fibre Channel Fibre Channel is an electrical interface Supported: 512-byte sector disks for
used to connect disks to Fibre Channel- Windows Server 2008 and Windows
based SANs. Fibre Channel disks are Server 2008 R2. In addition, 512e disks
available in a variety of speeds and are supported for Windows Server 2008
capacities. R2 with the following:
In general, choose Fibre Channel disks • The hotfix described in KB982018.
for Exchange 2016 mailbox storage • Windows Server 2008 R2 with Service
when you have the following design Pack 1 (SP1) and Exchange Server 2010
requirements: SP1.
• Moderate capacity Exchange 2013 and later supports
• High performance native 4-kilobyte (KB) sector disks and
• SAN connectivity 512e disks. Support requires that all
copies of a database reside on the same
physical disk type. For example, it is not
a supported configuration to host one
copy of a given database on a 512-byte
sector disk and another copy of that
same database on a 512e disk or 4K
disk.
Best practice: Physical disk-write caching
must be disabled when used without a
UPS.
Solid-state drive (SSD) (flash disk) An SSD is a data storage device that Supported: 512-byte sector disks for
uses solid-state memory to store Windows Server 2008 and Windows
persistent data. An SSD emulates a hard Server 2008 R2. In addition, 512e disks
disk drive interface. SSD disks are are supported for Windows Server 2008
available in a variety of speeds (different R2 with the following:
I/O performance capabilities) and • The hotfix described in KB982018.
capacities. • Windows Server 2008 R2 SP1 and
In general, choose SSD disks for Exchange Server 2010 SP1.
Exchange 2016 mailbox storage when Exchange 2013 and later supports
you have the following design native 4-kilobyte (KB) sector disks and
requirements: 512e disks when all copies of a
• Low capacity database reside on the same physical
• Extremely high performance disk type. For example, it is not a
supported configuration to host one
copy of a given database on a 512-byte
sector disk and another copy of that
same database on a 512e disk or 4K
disk.
Best practice: Physical disk-write caching
must be disabled when used without a
UPS.
In general, Exchange 2016 Mailbox
servers don't require the performance
characteristics of SSD storage.
TWO OR MORE
TWO HIGHLY THREE HIGHLY HIGHLY TWO OR MORE
DATACENTER AVAILABLE COPIES AVAILABLE COPIES AVAILABLE COPIES LAGGED COPIES
SERVERS (TOTAL) (TOTAL) PER DATACENTER ONE LAGGED COPY PER DATACENTER
To deploy on JBOD with the primary datacenter servers, you need three or more highly available database copies
within the DAG. If mixing lagged copies on the same server hosting highly available database copies (for example,
not using dedicated lagged database copy servers), you need at least two lagged database copies.
For the secondary datacenter servers to use JBOD, you should have at least two highly available database copies
in the secondary datacenter. The loss of a copy in the secondary datacenter won't result in requiring a reseed
across the WAN or having a single point of failure in the event the secondary datacenter is activated. If mixing
lagged database copies on the same server hosting highly available database copies (for example, not using
dedicated lagged database copy servers), you need at least two lagged database copies.
For dedicated lagged database copy servers, you should have at least two lagged database copies within a
datacenter to use JBOD. Otherwise, the loss of disk results in the loss of the lagged database copy, as well as the
loss of the protection mechanism.
Multiple Databases Per Volume
Multiple databases per volume is a new JBOD scenario available in Exchange 2016 that allows for active and
passive copies (including lagged copies) to be mixed on a single disk, enabling better disk utilization. However, to
deploy lagged copies in this manner, automatic lagged copy log file play down must be enabled. The following
table shows guidelines for JBOD considerations for multiple databases per volume.
JBOD Considerations
DATACENTER SERVERS 3 OR MORE COPIES (TOTAL) TWO OR MORE COPIES PER DATACENTER
The following table provides guidance about storage array configurations for Exchange 2016.
Supported RAID types for the Exchange 2016 Mailbox server role
Disk array RAID stripe size (KB) The stripe size is the per disk unit of Best practice: 256 KB or greater. Follow
data distribution within a RAID set. storage vendor best practices.
Stripe size is also referred to as block
size.
RAID TYPE DESCRIPTION SUPPORTED OR BEST PRACTICE
Storage array cache settings The cache settings are provided by a Best practice: 100 percent write cache
battery-backed caching array controller. (battery or flash backed cache) for DAS
storage controllers in either a RAID or
JBOD configuration. 75 percent write
cache, 25 percent read cache (battery or
flash backed cache) for other types of
storage solutions such as SAN. If your
SAN vendor has different best practices
for cache configuration on their
platform, follow the guidance of your
SAN vendor.
Physical disk write caching The settings for the cache are on each Supported: Physical disk write caching
individual disk. must be disabled when used without a
UPS.
The following table provides guidance about database and log file choices.
Database and log file choices for the Exchange 2016 Mailbox server role
File placement: database per Database per log isolation Best practice: For Supported: Isolation of logs
log isolation refers to placing the recoverability, move and databases isn't required.
database file and logs from database (.edb) file and logs
the same mailbox database from the same database to
onto different volumes different volumes backed by
backed by different physical different physical disks.
disks.
File placement: database files Database files per volume Best practice: Based on your Supported: When using
per volume refers to how you distribute backup methodology. JBOD, create a single volume
database files within or with separate directories for
across disk volumes. database(s) and for log files.
File placement: log streams Log streams per volume Best practice: Based on your Supported: When using
per volume refers to how you distribute backup methodology. JBOD, create a single volume
database log files within or with separate directories for
across disk volumes. database(s) and for log files.
Best practice: When using
JBOD, leverage multiple
databases per volume.
Database size Database size refers to the Supported: Approximately Supported: Approximately
disk database (.edb) file size. 16 terabytes. 16 terabytes.
Best practice: Best practice:
• 200 gigabytes (GB) or less. • 2 terabytes or less.
• Provision for 120 percent • Provision for 120 percent
of calculated maximum of calculated maximum
database size. database size.
DATABASE AND LOG FILE STAND-ALONE: SUPPORTED HIGH AVAILABILITY:
OPTIONS DESCRIPTION OR BEST PRACTICE SUPPORTED OR BEST PRACTICE
Log truncation method Log truncation method is Best practice: Best practice:
the process for truncating • Use backups for log • Enable circular logging for
and deleting old database truncation (for example, deployments that use
log files. There are two circular logging disabled). Exchange native data
mechanisms: • Provision for three days of protection features.
• Circular logging, in which log generation capacity. • Provision for three days
Exchange deletes the logs. beyond replay lag setting of
• Log truncation, which log generation capacity.
occurs after a successful full
or incremental Volume
Shadow Copy Service (VSS)
backup.
Partition alignment Partition alignment refers to Supported: The Windows Supported: The Windows
aligning partitions on sector Server 2008 R2 and Server 2008 R2 and
boundaries for optimal Windows Server 2012 Windows Server 2012
performance. default is 1 megabyte (MB). default is 1 MB.
Volume path Volume path refers to how a Supported: Drive letter or Supported: Drive letter or
volume is accessed. mount point.Best practice: mount point.
Mount point host volume Best practice: Mount point
must be RAID enabled. host volume must be RAID-
enabled.
File system File system is a method for Supported: NTFS and ReFS. Supported: NTFS and ReFS.
storing and organizing
computer files and the data
they contain to make it easy
to find and access the files.
NTFS allocation unit size NTFS allocation unit size Supported: All allocation unit Supported: All allocation unit
represents the smallest sizes. sizes.
amount of disk space that Best practice: 64 KB for both Best practice: 64 KB for both
can be allocated to hold a .edb and log file volumes. .edb and log file volumes.
file.
NTFS compression NTFS compression is the Supported: Not supported Supported: Not supported
process of reducing the for Exchange database or log for Exchange database or log
actual size of a file stored on files. files.
the hard disk.
STAND-ALONE: SUPPORTED HIGH AVAILABILITY:
VOLUME CONFIGURATION DESCRIPTION OR BEST PRACTICE SUPPORTED OR BEST PRACTICE
NTFS Encrypting File System EFS enables users to encrypt Supported: Not supported Not supported for Exchange
(EFS) individual files, folders, or for Exchange database or log database or log files.
entire data drives. Because files.
EFS provides strong
encryption through
industry-standard
algorithms and public key
cryptography, encrypted
files are confidential even if
an attacker bypasses system
security.
Windows BitLocker (volume Windows BitLocker is a data Supported: All Exchange Supported: All Exchange
encryption) protection feature in database and log files. database and log files.
Windows Server 2008. Windows failover clusters
BitLocker protects against require Windows Server
data theft or exposure on 2008 R2 or Windows Server
computers that are lost or 2008 R2 SP1 and the
stolen, and it offers more following hotfix: KB2446607.
secure data deletion when Exchange volumes with
computers are Bitlocker enabled are not
decommissioned. supported on Windows
failover clusters running
earlier versions of Windows.
For more information about
Windows 7 BitLocker
encryption, see BitLocker
Drive Encryption in Windows
7: Frequently Asked
Questions.
Server Message Block (SMB) The Server Message Block Limited Support. Supported Limited Support. Supported
3.0 (SMB) protocol is a network scenario is a hardware scenario is a hardware
file sharing protocol (on top virtualized deployment virtualized deployment
of TCP/IP or other network where the disks are hosted where the disks are hosted
protocols) that allows on VHDs on an SMB 3.0 on VHDs on an SMB 3.0
applications on a computer share. These VHDs are share. These VHDs are
to access files and resources presented to the host via a presented to the host via a
on a remote server. It also hypervisor. For more hypervisor. For more
allows applications to information, see Exchange information, see Exchange
communicate with any Server virtualization. Server virtualization.
server program that is set
up to receive an SMB client
request. Windows Server
2012 introduces the new 3.0
version of the SMB protocol
with the following features:
• SMB Transparent failover
• SMB Scaleout
• SMB Multichannel
• SMB Direct
• SMB Encryption
• VSS for SMB file shares
• SMB Directory Leasing
• SMB PowerShell
STAND-ALONE: SUPPORTED HIGH AVAILABILITY:
VOLUME CONFIGURATION DESCRIPTION OR BEST PRACTICE SUPPORTED OR BEST PRACTICE
Storage Spaces Storage Spaces is a new Supported. Same restrictions Supported. Same restrictions
storage solution that as for physical disk types as for physical disk types
delivers virtualization outlined in this topic. outlined in this topic.
capabilities for Windows
Server 2012. Storage Spaces
allow you to organize
physical disks into storage
pools, which can be easily
expanded by simply adding
disks. These disks can be
connected either through
USB, SATA or SAS. It also
utilizes virtual disks (spaces),
which behave just like
physical disks, with
associated powerful
capabilities such as thin
provisioning, as well as
resiliency to failures of
underlying physical media.
For more information on
Storage Spaces, see Storage
Spaces Overview.
Resilient File System (ReFS) ReFS is a newly engineered Supported for volumes Supported for volumes
file system for Windows containing Exchange containing Exchange
Server 2012 that is built on database files, log files and database files, log files and
the foundations of NTFS. content indexing files, content indexing files,
ReFS maintains high degree provided that the following provided that the following
of compatibility with NTFS hotfix is installed: Exchange hotfix is installed: Exchange
while providing enhanced Server 2013 databases Server 2013 databases
data verification and auto- become fragmented in become fragmented in
correction techniques as well Windows Server 2012. Not Windows Server 2012. Not
as an integrated end-to-end supported for volumes supported for volumes
resiliency to corruptions containing Exchange containing Exchange
especially when used in binaries. binaries.
conjunction with the storage Best practice: Data integrity Best practice: Data integrity
spaces feature. For more features must be disabled features must be disabled
information on ReFS, see for the Exchange database for the Exchange database
Resilient File System (ReFS) (.edb) files or the volume (.edb) files or the volume
overview: Supported that hosts these files. that hosts these files.
Deployments. Integrity features can be Integrity features can be
enabled for volumes enabled for volumes
containing the content index containing the content index
catalog, provided that the catalog, provided that the
volume does not contain volume does not contain
any databases or log files. any databases or log files.
STAND-ALONE: SUPPORTED HIGH AVAILABILITY:
VOLUME CONFIGURATION DESCRIPTION OR BEST PRACTICE SUPPORTED OR BEST PRACTICE
Data De-Duplication Data deduplication is a OS Level: Not Supported for OS Level: Not Supported for
technique to optimize Exchange mailbox databases, Exchange mailbox databases,
storage utilization. It is a transport databases, or transport databases, or
method of finding and content index files. content index files.
removing duplication within
data without compromising Storage System Level: Storage Level: Supported,
its fidelity or integrity. The Supported, but falls within but falls within the Microsoft
goal is to store more data in the Microsoft third-party third-party storage software
less space by segmenting storage software solutions solutions support policy.
files into small variable-sized support policy.
chunks, identifying duplicate Note: OS level dedupe can
chunks, and maintaining a Note: OS level dedupe can be used for Exchange
single copy of each chunk. be used for Exchange database files that are
Data deduplication database files that are completely offline (used as
technologies are typically completely offline (used as backups or archives).
implemented one of two backups or archives).
ways; at the operating
system level, or at the
storage system level and the
operating system is unaware
of it being used.
Network ports for clients and mail flow in Exchange
8/23/2019 • 9 minutes to read • Edit Online
This topic provides information about the network ports that are used by Exchange Server 2016 and Exchange
Server 2019 for communication with email clients, internet mail servers, and other services that are external to
your local Exchange organization. Before we get into that, understand the following ground rules:
We do not support restricting or altering network traffic between internal Exchange servers, between
internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange
servers and internal Active Directory domain controllers in any and all types of topologies. If you have
firewalls or network devices that could potentially restrict or alter this kind of internal network traffic, you
need to configure rules that allow free and unrestricted communication between these servers: rules that
allow incoming and outgoing network traffic on any port (including random RPC ports) and any protocol
that never alter bits on the wire.
Edge Transport servers are almost always located in a perimeter network, so it's expected that you'll restrict
network traffic between the Edge Transport server and the internet, and between the Edge Transport server
and your internal Exchange organization. These network ports are described in this topic.
It's expected that you'll restrict network traffic between external clients and services and your internal
Exchange organization. It's also OK if you decide to restrict network traffic between internal clients and
internal Exchange servers. These network ports are described in this topic.
Encrypted web connections are used by 443/TCP (HTTPS) For more information about these
the following clients and services: clients and services, see the following
• Autodiscover service topics:
• Exchange ActiveSync • Autodiscover service in Exchange
• Exchange Web Services (EWS) Server
• Offline address book (OAB) • Exchange ActiveSync
distribution • EWS reference for Exchange
• Outlook Anywhere (RPC over HTTP) • Offline address books in Exchange
• Outlook MAPI over HTTP Server
• Outlook on the web (formerly known • Outlook Anywhere
as Outlook Web App) • MAPI over HTTP in Exchange Server
Unencrypted web connections are used 80/TCP (HTTP) Whenever possible, we recommend
by the following clients and services: using encrypted web connections on
• Internet calendar publishing 443/TCP to help protect data and
• Outlook on the web (redirect to credentials. However, you may find that
443/TCP) some services must be configured to
• Autodiscover (fallback when 443/TCP use unencrypted web connections on
isn't available) 80/TCP to the Client Access services on
Mailbox servers.
IMAP4 clients 143/TCP (IMAP), 993/TCP (secure IMAP4 is disabled by default. For more
IMAP) information, see POP3 and IMAP4 in
Exchange Server.
POP3 clients 110/TCP (POP3), 995/TCP (secure POP3 is disabled by default. For more
POP3) information, see POP3 and IMAP4 in
Exchange Server.
SMTP clients (authenticated) 587/TCP (authenticated SMTP) The default Received connector named
"Client Frontend <Server name>" in the
Front End Transport service listens for
authenticated SMTP client submissions
on port 587.
Inbound mail 25/TCP (SMTP) Internet (any) Mailbox server The default Receive
connector named
"Default Frontend
<Mailbox server
name>" in the Front
End Transport service
listens for anonymous
inbound SMTP mail
on port 25.
Mail is relayed from
the Front End
Transport service to
the Transport service
on a Mailbox server
using the implicit and
invisible intra-
organization Send
connector that
automatically routes
mail between
Exchange servers in
the same
organization. For
more information, see
Implicit Send
connectors.
PURPOSE PORTS SOURCE DESTINATION COMMENTS
Outbound mail 25/TCP (SMTP) Mailbox server Internet (any) By default, Exchange
doesn't create any
Send connectors that
allow you to send
mail to the internet.
You have to create
Send connectors
manually. For more
information, see
Create a Send
connector to send
mail to the internet.
Outbound mail (if 25/TCP (SMTP) Mailbox server Internet (any) Outbound mail is
proxied through the proxied through the
Front End transport Front End Transport
service) service only when a
Send connector is
configured with
Proxy through
Client Access server
in the Exchange
admin center or
-
FrontEndProxyEnabled
$true
in the Exchange
Management Shell.
In this case, the
default Receive
connector named
"Outbound Proxy
Frontend <Mailbox
server name>" in the
Front End Transport
service listens for
outbound mail from
the Transport service
on a Mailbox server.
For more information,
see Configure Send
connectors to proxy
outbound mail.
DNS for name 53/UDP,53/TCP (DNS) Mailbox server DNS server See the Name
resolution of the next resolution section in
mail hop (not this topic.
pictured)
Network ports required for mail flow with Edge Transport servers
A subscribed Edge Transport server that's installed in your perimeter network affects mail flow in the following
ways:
Outbound mail from the Exchange organization never flows through the Front End Transport service on
Mailbox servers. Mail always flows from the Transport service on a Mailbox server in the subscribed Active
Directory site to the Edge Transport server (regardless of the version of Exchange on the Edge Transport
server).
Inbound mail flows from the Edge Transport server to a Mailbox server in the subscribed Active Directory
site. Specifically:
Mail from an Exchange 2013 or later Edge Transport server first arrives at the Front End Transport
service before it flows to the Transport service on an Exchange 2016 or Exchange 2019 Mailbox
server.
In Exchange 2016, mail from an Exchange 2010 Edge Transport server always delivers mail directly
to the Transport service on an Exchange 2016 Mailbox server. Note that coexistance with Exchange
2010 isn't supported in Exchange 2019.
For more information, see Mail flow and the transport pipeline.
The network ports that are required for mail flow in Exchange organizations that have Edge Transport servers are
described in the following diagram and table.
Inbound mail - 25/TCP (SMTP) Internet (any) Edge Transport server The default Receive
Internet to Edge connector named
Transport server "Default internal
Receive connector
<Edge Transport
server name>" on the
Edge Transport server
listens for anonymous
SMTP mail on port
25.
PURPOSE PORTS SOURCE DESTINATION COMMENTS
Inbound mail - Edge 25/TCP (SMTP) Edge Transport server Mailbox servers in the The default Send
Transport server to subscribed Active connector named
internal Exchange Directory site "EdgeSync - Inbound
organization to <Active Directory
site name>" relays
inbound mail on port
25 to any Mailbox
server in the
subscribed Active
Directory site. For
more information, see
Send connectors
created automatically
by the Edge
Subscription.
The default Receive
connector named
"Default Frontend
<Mailbox server
name>" in the Front
End Transport service
on the Mailbox server
listens for all inbound
mail (including mail
from Exchange 2013
or later Edge
Transport servers) on
port 25.
PURPOSE PORTS SOURCE DESTINATION COMMENTS
Outbound mail - 25/TCP (SMTP) Mailbox servers in the Edge Transport Outbound mail
Internal Exchange subscribed Active servers always bypasses the
organization to Edge Directory site Front End Transport
Transport server service on Mailbox
servers.
Mail is relayed from
the Transport service
on any Mailbox server
in the subscribed
Active Directory site
to an Edge Transport
server using the
implicit and invisible
intra-organization
Send connector that
automatically routes
mail between
Exchange servers in
the same
organization.
The default Receive
connector named
"Default internal
Receive connector
<Edge Transport
server name>" on the
Edge Transport server
listens for SMTP mail
on port 25 from the
Transport service on
any Mailbox server in
the subscribed Active
Directory site.
Outbound mail - 25/TCP (SMTP) Edge Transport server Internet (any) The default Send
Edge Transport server connector named
to internet "EdgeSync - <Active
Directory site name>
to Internet" relays
outbound mail on
port 25 from the
Edge Transport server
to the internet.
PURPOSE PORTS SOURCE DESTINATION COMMENTS
EdgeSync 50636/TCP (secure Mailbox servers in the Edge Transport When the Edge
synchronization LDAP) subscribed Active servers Transport server is
Directory site that subscribed to the
participate in Active Directory site,
EdgeSync all Mailbox servers
synchronization that exist in the site
at the time
participate in
EdgeSync
synchronization.
However, any Mailbox
servers that you add
later don't
automatically
participate in
EdgeSync
synchronization.
DNS for name 53/UDP,53/TCP (DNS) Edge Transport server DNS server See the Name
resolution of the next resolution section
mail hop (not later in this topic.
pictured)
PURPOSE PORTS SOURCE DESTINATION COMMENTS
Open proxy server see comments Edge Transport server Internet By default, sender
detection in sender reputation (the
reputation (not Protocol Analysis
pictured) agent) uses open
proxy server
detection as one of
the criteria to
calculate the sender
reputation level (SRL)
of the source
messaging server. For
more information, see
Sender reputation
and the Protocol
Analysis agent.
Open proxy server
detection uses the
following protocols
and TCP ports to test
source messaging
servers for open
proxy:
• SOCKS4, SOCKS5:
1081, 1080
• Wingate, Telnet,
Cisco: 23
• HTTP CONNECT,
HTTP POST: 6588,
3128, 80
Also, if your
organization uses a
proxy server to
control outbound
internet traffic, you
need to define the
proxy server name,
type, and TCP port
that sender
reputation requires to
access the internet for
open proxy server
detection.
Alternatively, you can
disable open proxy
server detection in
sender reputation.
For more information,
see Sender reputation
procedures.
Name resolution
DNS resolution of the next mail hop is a fundamental part of mail flow in any Exchange organization. Exchange
servers that are responsible for receiving inbound mail or delivering outbound mail must be able to resolve both
internal and external host names for proper mail routing. And all internal Exchange servers must be able to resolve
internal host names for proper mail routing. There are many different ways to design a DNS infrastructure, but the
important result is to ensure name resolution for the next hop is working properly for all of your Exchange servers.
During the installation of Exchange Server 2016 or Exchange Server 2019, Setup runs a set of tasks that install
new services in Microsoft Windows. A service is a background process that can be launched during the startup of
the server by the Windows Service Control Manager. Services are executable files designed to operate
independently and without administrative intervention. A service can run using either a graphical user interface
(GUI) mode or a console mode.
All previous versions of Exchange included components that are implemented as services. Each Exchange server
role includes services that are part of (or may be needed by) the server role to perform its functions. Note that
some services only become active when specific features are used.
The sections in this topic describe the various services that are installed by Exchange 2016 and Exchange 2016 on
Mailbox servers and Edge Transport servers. For services that are labeled as optional, you can disable the service if
you determine your organization doesn't need the functionality that's provided by the service.
DESCRIPTION
SERVICE SHORT AND DEFAULT SECURITY REQUIRED OR
SERVICE NAME NAME DEPENDENCIES STARTUP TYPE CONTEX T DEPENDENCIES OPTIONAL
With each new release of Exchange Server for our on-premises customers we update our Preferred Architecture
and discuss what changes we would like our customers to be aware of. Exchange Server 2013 brought us the first
of the Preferred Architectures in modern Exchange history and was then followed with a refresh for Exchange
Server 2016 by providing refinements for the changes that came with the 2016 release. With this update for
Exchange Server 2019 we will iterate on the previous PA to take advantage of new technologies and
improvements.
Namespace design
In the Namespace Planning and Load Balancing Principles articles for Exchange Server 2016, Ross Smith IV
outlined the various configuration choices that were available with Exchange 2016 and these concepts continue to
apply for Exchange Server 2019. For the namespace, the choices are to either deploy a bound namespace (having a
preference for the users to operate out of a specific datacenter) or an unbound namespace (having the users
connect to any datacenter without preference).
The recommended approach is to utilize the unbounded model, deploying a single Exchange namespace per client
protocol for the site resilient datacenter pair (where each datacenter is assumed to represent its own Active
Directory site - see more details on that below ). For example:
For the Autodiscover service: autodiscover.contoso.com
For HTTP clients: mail.contoso.com
For IMAP clients: imap.contoso.com
For SMTP clients: smtp.contoso.com
Each Exchange namespace is load balanced across both datacenters in a layer 7 configuration that does not
leverage session affinity, resulting in fifty percent of traffic being proxied between datacenters. Traffic is equally
distributed across the datacenters in the site resilient pair, via round robin DNS, geo-DNS, or other similar
solutions. From our perspective, the simpler solution is the least complex and easier to manage, so our
recommendation is to leverage round robin DNS.
One caution we have for customers is to ensure you assign a low TTL (time to live) value for any DNS record
associated with your Exchange architecture. In the event if a full datacenter outage when using round robin DNS
you must maintain the ability to quickly update your DNS records to remove the IP addresses from the offline
datacenter so they are not returned for DNS queries. For example, if your DNS records have a longer TTL value of
24 hours it may take up to a day for downstream DNS caches to properly update. If you do not perform this step
you may find some clients are unable to properly transition to the still available IP addresses in your remaining
datacenter. Do not forget to add the IP addresses back to your DNS records when your previously offline
datacenter is recovered and ready to host services once again.
Datacenter affinity is required for the Office Online Server farms, thus a namespace is deployed per datacenter
with the load balancer utilizing layer 7, and maintaining session affinity via cookie-based persistence.
In the event that you have multiple site resilient datacenter pairs in your environment, you will need to decide if
you want to have a single worldwide namespace, or if you want to control the traffic to each specific datacenter by
using regional namespaces. Your decision depends on your network topology and the associated cost with using
an unbound model; for example, if you have datacenters located in North America and South Africa, the network
link between these regions might not only be costly, but it might also have high latency, which can introduce user
pain and operational issues. In that case, it makes sense to deploy a bound model with a separate namespace for
each region. However, options like geographical DNS offer you the ability to deploy a single unified namespace,
even when you have costly network links; geo-DNS allows you to have your users directed to the closest
datacenter based on their client's IP address.
Server design
In the PA, all servers are physical servers and use locally attached storage. Physical hardware is deployed rather
than virtualized hardware for two reasons:
1. The servers are scaled to use 80% of resources during the worst-failure mode.
2. Virtualization comes with a slight performance penalty as well as adding an additional layer of management
and complexity, which introduces additional recovery modes that do not add value, particularly since
Exchange Server natively provides the same functionality.
Commodity servers
Commodity server platforms are used in the PA. Current commodity platforms are and include:
2U, dual socket servers with up to 48 physical processor cores (an increase from 24 cores in Exchange
2016)
Up to 256GB of memory (an increase from 192GB in Exchange 2016)
A battery-backed write cache controller
12 or more drive bays within the server chassis
The ability to mix traditional rotating platter storage (HDD ) and solid-state storage (SSD ) within the same
chassis.
Scale Theory
It is important to note even though we have increased the allowed processor and memory capacity in Exchange
Server 2019 the Exchange Server PG's recommendation remains to scale out rather than up. Scaling out vs up
means we would much rather see you deploy a larger number of servers with slightly less resources per server
rather than a smaller number of very dense servers using maximum resources and populated with large numbers
of mailboxes. By locating a reasonable number of mailboxes within a server, you lessen the impact of any planned
or unplanned outage as well as reduce the risk of discovering other system bottlenecks.
An increase in system resources should not result in the assumption you will see linear performance gains in
Exchange Server 2019 using the maximum allowed resources when comparing it to Exchange 2016's maximum
allowed resources. Each new version of Exchange brings new processes and updates which in turn make it difficult
to compare a current version to prior version. Please follow any and all sizing guidance from Microsoft when
determining your server design.
Storage
Additional drive bays may be directly attached per-server depending on the number of mailboxes, mailbox size,
and the server's resource scalability.
Each server houses a single RAID1 disk pair for the operating system, Exchange binaries, protocol/client logs, and
the transport database.
The remaining storage is configured as JBOD (Just a Bunch of Disks). Please be aware some hardware storage
controllers may require each disk to each be configured as a single-disk RAID0 group for write caching to be
utilized. Consult with your hardware manufacturer to confirm the proper configuration for your system that
guarantees write-cache will be utilized.
New to the Exchange Server 2019 PA is the recommendation of having two classes of storage for everything not
already located on the RAID1 disk pair previously mentioned.
Traditional storage class
This storage class contains Exchange Server database files and Exchange Server transaction log files. These disks
are large capacity 7.2K RPM serially attached SCSI (SAS ) disks. While SATA disks are also available we observe
better IO and a lower annualized failure rate using the SAS equivalent.
To ensure the capacity and IO of each disk is used as efficiently as possible, up to four database copies are
deployed per-disk. The normal run-time copy layout ensures that there is no more than a single active database
copy per disk.
At least one disk in the traditional storage disk pool is reserved as a hot spare. AutoReseed is enabled and quickly
restores database redundancy after a disk failure by activating the hot spare and initiating database copy reseeds.
Solid state storage class
This storage class contains Exchange 2019's new MetaCache Database (MCDB ) files. These solid-state drives may
come in different form factors such as but not limited to traditional 2.5"/3.5" SAS connected or M.2 PCIe
connected drives.
Customers should expect to deploy roughly 5-10% additional storage as solid state storage. For example, if a
single server was expected to hold 28TB of mailbox database files on traditional storage, then an additional 1.4-
2.8TB TB of solid-state storage would also be recommended as additional storage for the same server.
Traditional and solid-state disks should be deployed in a 3:1 ratio where possible. For every three traditional disks
within the server a single solid-state disk will be deployed and hold the MCDBs for all DBs within the three
associated traditional disks. This recommendation limits the failure domain a solid-state drive failure can impose
on a system. When an SSD fails, Exchange 2019 will failover all database copies using that SSD for their MCDB to
another DAG node with healthy MCDB resources for the affected database. Limiting the number of database
failovers reduce the chance of impacting users if many more databases were sharing a smaller number of solid-
state drives.
In the event of a solid-state drive failure Exchange High Availability services will attempt to mount the affected
databases on different DAG nodes where a healthy MCDB for each affected database still exists. If for some reason
no healthy MCDBs exist for one of the affected databases, then Exchange High Availability services will leave the
local affected database copy running without the performance benefits of the MCDB.
For example, if a customer were to deploy a system capable of holding 20 drives it may have a layout like the
following.
2 HDDs for OS mirror, Exchange Binaries, and Transport Database
12 HDDs for Exchange Database storage
1 HDD as the AutoReseed spare
4 SSDs for Exchange MCDBs that provide between 5-10% of the cumulative database storage capacity.
Optionally a customer may elect to add a spare SSD or a second AutoReseed drive.
This can be visualized as the following;
In the example above, we have 120 TB of Exchange database storage and 7.68 TB of MCDB storage which is
roughly 6.4% the traditional database storage space. With this amount of MCBD storage we are perfectly aligned
within the guidance of 5-10%. Each of the 10 TB drives will hold four database copies and each MCDB drive would
hold twelve MCDBs.
Common storage settings
Whether Traditional or Solid-State, all disks that houses an Exchange data are formatted with ReFS (with the
integrity feature disabled) and the DAG is configured such that AutoReseed formats the disks with ReFS:
Set-DatabaseAvailabilityGroup -Identity <DAGIdentity> -FileSystem ReFS
BitLocker is used to encrypt each disk, thereby providing data encryption at rest and mitigating concerns around
data theft or disk replacement. For more information, see Enabling BitLocker on Exchange Servers.
Summary
Exchange Server 2019 continues to improve upon the investments introduced in previous versions of Exchange as
well as introduces additional technologies originally invented for use in Office 365.
By aligning with the Preferred Architecture you will take advantage of these changes and provide the best on-
premises user experience possible. You will continue the tradition of having a highly reliable, predictable, and
resilient Exchange deployment.
Exchange Server permissions
8/23/2019 • 12 minutes to read • Edit Online
Microsoft Exchange Server includes a large set of predefined permissions, based on the Role Based Access
Control (RBAC ) permissions model, which you can use right away to easily grant permissions to your
administrators and users. You can use the permissions features in Exchange Server so that you can get your new
organization up and running quickly.
Role-based permissions
In Exchange Server, the permissions that you grant to administrators and users are based on management roles.
A role defines the set of tasks that an administrator or user can perform. For example, a management role called
Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution
groups. When a role is assigned to an administrator or user, that person is granted the permissions provided by
the role.
There are two types of roles, administrative roles and end-user roles:
Administrative roles: These roles contain permissions that can be assigned to administrators or specialist
users using role groups that manage a part of the Exchange organization, such as recipients, servers, or
databases.
End-user roles: These roles, assigned using role assignment policies, enable users to manage aspects of
their own mailbox and distribution groups that they own. End-user roles begin with the prefix My .
Roles give permissions to perform tasks to administrators and users by making cmdlets available to those who are
assigned the roles. Because the Exchange admin center (EAC ) and the Exchange Management Shell use cmdlets to
manage Exchange, granting access to a cmdlet gives the administrator or user permission to perform the task in
each of the Exchange management interfaces.
NOTE
It's possible to assign a role directly to a user or USG without using a role group. However, that method of role assignment
is an advanced procedure and isn't covered in this topic. We recommend that you use role groups to manage permissions.
The following figure shows the relationship between users, role groups, and roles.
Roles, role groups, and role group members
Exchange Server includes several built-in role groups, each one providing permissions to manage specific areas in
Exchange Server. Some role groups may overlap with others. The following table lists each role group with a
description of its use. If you want to see the roles assigned to each role group, click the name of the role group in
the "Role group" column, and then open the "Management Roles Assigned to This Role Group" section.
IMPORTANT
If an administrator is a member of more than one role group, Exchange Server grants the administrator all of the
permissions provided by the role groups he or she is a member of.
View-Only Organization Management Administrators who are members of the View Only
Organization Management role group can view the properties
of any object in the Exchange organization.
ROLE GROUP DESCRIPTION
Help Desk The Help Desk role group, by default, enables members to
view and modify the Outlook on the web (formerly known as
Outlook Web App) options of any user in the organization.
These options might include modifying the user's display
name, address, and phone number. They don't include options
that aren't available in Outlook on the web options, such as
modifying the size of a mailbox or configuring the mailbox
database on which a mailbox is located.
Records Management Users who are members of the Records Management role
group can configure compliance features, such as retention
policy tags, message classifications, and mail flow rules (also
known as transport rules).
Public Folder Management Administrators who are members of the Public Folder
Management role group can manage public folders on
servers running Exchange Server.
Delegated Setup Administrators who are members of the Delegated Setup role
group can deploy servers running Exchange Server that have
been previously provisioned by a member of the Organization
Management role group.
ROLE GROUP DESCRIPTION
Compliance Management Users who are members of the Compliance Management role
group can configure and manage Exchange compliance
settings in accordance with their organization's policy.
If you work in a small organization that has only a few administrators, you might only ever use the Organization
Management role group, and none of the others. If you work in a larger organization, you might have
administrators who perform specific tasks administering Exchange, such as recipient or server management. In
those cases, you might add one administrator to the Recipient Management role group, and another administrator
to the Server Management role group. Those administrators can then manage their specific areas of Exchange
Server but won't have permissions to manage areas they're not responsible for.
If you can't find a built-in role group that fits the jobs your administrators need to do, you can create role groups
and add roles to them. For more information, see Work with role groups later in this topic.
Role assignment policies
Exchange Server provides role assignment policies so that you can control what settings your users can configure
on their own mailboxes and on distribution groups they own. These settings include their display name, contact
information, voice mail settings, and distribution group membership.
Your Exchange Server organization can have multiple role assignment policies that provide different levels of
permissions for the different types of users in your organizations. Some users can be allowed to change their
address or create distribution groups, while others can't. It all depends on the role assignment policy associated
with their mailbox. Role assignment policies are added directly to mailboxes, and each mailbox can only be
associated with one role assignment policy at a time.
Of the role assignment policies in your organization, one is marked as default. The default role assignment policy
is associated with new mailboxes that aren't explicitly assigned a specific role assignment policy when they're
created. The default role assignment policy should contain the permissions that should be applied to the majority
of your mailboxes.
Permissions are added to role assignment policies using end-user roles. End-user roles begin with My and grant
permissions for users to manage only their mailbox or distribution groups they own. They can't be used to
manage any other mailbox. Only end-user roles can be assigned to role assignment policies.
When an end-user role is assigned to a role assignment policy, all of the mailboxes associated with that role
assignment policy receive the permissions granted by the role. This enables you to add or remove permissions to
sets of users without having to configure individual mailboxes. The following figure shows:
End-user roles are assigned to role assignment policies. Role assignment policies can share the same end-
user roles.
Role assignment policies are associated with mailboxes. Each mailbox can only be associated with one role
assignment policy.
After a mailbox is associated with a role assignment policy, the end-user roles are applied to that mailbox.
The permissions granted by the roles are granted to the user of the mailbox.
Roles, role assignment policies, and mailboxes
The Default Role Assignment Policy role assignment policy is included with Exchange Server. As the name implies,
it's the default role assignment policy. If you want to change the permissions provided by this role assignment
policy, or if you want to create role assignment policies, see Work with role assignment policies later in this topic.
Exchange Server includes a role assignment policy named Default Role Assignment Policy. This role assignment
policy enables users whose mailboxes are associated with it to do the following:
Join or leave distribution groups that allow members to manage their own membership.
View and modify basic mailbox settings on their own mailbox, such as Inbox rules, spelling behavior, junk
mail settings, and Microsoft ActiveSync devices.
Modify their contact information, such as work address and phone number, mobile phone number, and
pager number.
Create, modify, or view text message settings.
View or modify voice mail settings.
View and modify their marketplace apps.
Create team mailboxes and connect them to Microsoft SharePoint lists.
If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment
policy, you can use the EAC. When you open the role assignment policy in the EAC, select the check box next to the
roles you want to assign to it or clear the check box next to the roles you want to remove. The change you make to
the role assignment policy is applied to every mailbox associated with it.
If you want to assign different end-user permissions to the various types of users in your organization, you can
create role assignment policies. You can specify a new name for the role assignment policy, and then select the
roles you want to assign to the role assignment policy. After you create a role assignment policy, you can associate
it with mailboxes using the EAC.
If you want to change which role assignment policy is the default, you needs to use the Exchange Management
Shell. When you change the default role assignment policy, any mailboxes that are created will be associated with
the new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with
existing mailboxes doesn't change when you select a new default role assignment policy.
Notes:
If you select a check box for a role that has child roles, the check boxes for the child roles are also selected. If
you clear the check box for a role with child roles, the check boxes for the child roles are also cleared.
For detailed steps about how to create role assignment policies or make changes to existing role
assignment policies, see the following topics:
Manage role assignment policies
Change the assignment policy on a mailbox
Manage role groups
8/23/2019 • 24 minutes to read • Edit Online
A management role group is a universal security group (USG ) used in the Role Based Access Control (RBAC )
permissions model in Exchange Server. A management role group simplifies the assignment of management
roles to a group of users. All members of a role group are assigned the same set of roles. For more information
about role groups in Exchange Server, see Understanding Management Role Groups.
For additional management tasks related to role groups, see Permissions.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
IMPORTANT
You can't use the EAC to copy a role group if you've used the Exchange Management Shell to configure multiple
management role scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on
the role group, you must use the Exchange Management Shell procedures later in this topic to copy the role group. For
more information about management role scopes, see Understanding Management Role Scopes.
2. Create the new role group, and also add members to the role group and specify who can delegate the new
role group to other users, using the following syntax.
New-RoleGroup <name of new role group> -Roles $RoleGroup.Roles -Members <member1, member2, member3...>
-ManagedBy <user1, user2, user3...>
For example, the following commands copy the Organization Management role group, and name the new
role group "Limited Organization Management". It adds the members Isabelle, Carter, and Lukas and can
be delegated by Jenny and Katie.
After the new role group is created, you can add or remove roles, change the scope of role assignments on the
role, and more.
For detailed syntax and parameter information, see Get-RoleGroup and New -RoleGroup.
Use the Exchange Management Shell to copy a role group with a custom scope
1. Store the role group that you want to copy in a variable using the following syntax.
2. Create the new role group with a custom scope using the following syntax.
For example, the following commands copy the Organization Management role group and create a new role
group called Vancouver Organization Management with the Vancouver Users recipient scope and Vancouver
Servers configuration scope.
You can also add members to the role group when you create it by using the Members parameter as shown in Use
the Exchange Management Shell to create a role assignment with no scope earlier in this topic. For more
information about management scopes, see Understanding Management Scopes.
After the new role group is created, you can add or remove roles, change the scope of role assignments on the
role, and perform other tasks.
For detailed syntax and parameter information, see Get-RoleGroup and New -RoleGroup.
Use the Exchange Management Shell to copy a role group with an OU scope
1. Store the role group that you want to copy in a variable using the following syntax.
2. Create the new role group with a custom scope using the following syntax.
For example, the following commands copy the Recipient Management role group and create a new role group
called Toronto Recipient Management that allows management of only users in the Toronto Users OU.
You can also add members to the role group when you create it by using the Members parameter as shown in Use
the Exchange Management Shell to create a role assignment with no scope earlier in this topic. For more
information about management scopes, see Understanding Management Scopes.
After the new role group is created, you can add or remove roles, change the scope of role assignments on the
role, and more.
For detailed syntax and parameter information, see Get-RoleGroup and New -RoleGroup.
How do you know this worked?
To verify that you have successfully copied a role group, do the following:
1. In the EAC, navigate to Permissions > Admin Roles.
2. Verify that the copied role group appears in the role group list, and then select it.
3. Verify that members, assigned roles, and scope that you specified on the copied role group are listed in the
role group details pane.
This example assigns the Transport Rules management role to the Seattle Compliance role group.
New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -RecipientRelativeWriteScope <
MyGAL | MyDistributionGroups | Organization | Self >
This example assigns the Message Tracking role to the Enterprise Support role group and applies the
Organization predefined scope.
This example assigns the Message Tracking role to the Seattle Recipient Admins role group and applies the Seattle
Recipients scope.
New-ManagementRoleAssignment -SecurityGroup <role group name> -Role <role name> -CustomConfigWriteScope <role
scope name>
This example assigns the Databases role to the Seattle Server Admins role group and applies the Seattle Servers
scope.
This example assigns the Mail Recipients role to the Seattle Recipient Admins role group and scopes the
assignment to the Sales\Users OU in the Contoso.com domain.
NOTE
Some role groups, such as the Organization Management role group, restrict what roles can be removed from a role group.
For more information, see Understanding Management Role Groups. > If an administrator is a member of another role
group that contains management roles that grants permissions to manage the feature, you need to either remove the
administrator from the other role groups, or remove the role that grants permissions to manage the feature from the other
role groups.
IMPORTANT
You can't use the EAC to remove roles from a role group if you've used the Exchange Management Shell to configure
multiple scopes or exclusive scopes on the role group. If you've configured multiple scopes or exclusive scopes on the role
group, you must use the Exchange Management Shell procedures later in this topic to remove roles from the role group. For
more information about management role scopes, see Understanding Management Role Scopes.
Get-ManagementRoleAssignment -RoleAssignee <role group name> -Role <role name> -Delegating <$true | $false> |
Remove-ManagementRoleAssignment
This example removes the Distribution Groups role, which enables administrators to manage distribution groups,
from the Seattle Recipient Administrators role group. Because we want to remove the role assignment that
provides permissions to manage distribution groups, the Delegating parameter is set to $False , which returns
only regular role assignments.
IMPORTANT
You can't use the EAC to manage scopes on role assignments between roles and a role group if you've used the Exchange
Management Shell to configure multiple scopes or exclusive scopes on those role assignments. If you've configured multiple
scopes or exclusive scopes on those role assignments, you must use the Exchange Management Shell procedures later in
this topic to manage scopes. For more information about management role scopes, see Understanding Management Role
Scopes.
You use only the parameters you need to configure the scope you want to use. For example, if you want to change
the recipient scope for all role assignments on the Sales Recipient Management role group to Direct Sales
Employees, use the following command.
NOTE
You can use the WhatIf switch to verify that only the role assignments you want to change are changed. Run the preceding
command with the WhatIf switch to verify the results, and then remove the WhatIf switch to apply the changes.
For more information about changing management role assignments, see Change a Role Assignment.
For detailed syntax and parameter information, see Get-ManagementRoleAssignment.
Use the Exchange Management Shell to change the scope of individual role assignments on a role group
Role assignments between the role group and the roles assigned to it can use the implicit scope obtained from the
roles themselves, the same custom scope, or different custom scopes. For more information about role
assignments, see Understanding Management Role Assignments.
The scopes on the role assignments are managed using the Set-ManagementRoleAssignment cmdlet. You
can't manage scopes using the Set-RoleGroup cmdlet.
This procedure uses the concepts of pipelining and the Format-List cmdlet. For more information, see the
following topics:
Pipelining
Working with Command Output
To change the scope on a role assignment between a role group and a management role, you first find the name
of the role assignment, and then set the scope on the role assignment.
1. To find the names of all the role assignments on a role group, use the following command. By piping the
management role assignments to the Format-List cmdlet, you can view the full name of the assignment.
2. Find the name of the role assignment you want to change. Use the name of the role assignment in the next
step.
3. To set the scope on an individual assignment, use the following syntax.
You use only the parameters you need to configure the scope you want to use. For example, if you want to change
the recipient scope for the Mail Recipients_Sales Recipient Management role assignment to All Sales Employees,
use the following command.
Set-ManagementRoleAssignment "Mail Recipients_Sales Recipient Management" -CustomRecipientWriteScope "All
Sales Employees"
For more information about changing management role assignments, see Change a Role Assignment.
For detailed syntax and parameter information, see Set-ManagementRoleAssignment.
How do you know this worked?
To verify that you have successfully changed the scope of a role assignment on a role group, do the following:
If you used the EAC to configure the scope on the role group, do the following:
1. In the EAC, navigate to Permissions> Admin Roles. All the role groups in your organization are
listed here.
2. Select a role group to view the scope that's configured on the role group.
If you used the Exchange Management Shell to configure the scope on the role group, do the following:
1. Run the following command in the Exchange Management Shell.
2. Verify that the write scope on the role assignments has been changed to the scope you specified.
IMPORTANT
After you add a delegate to a role group, the role group can only be managed by the delegates on the role group, or by
users who are assigned, either directly or indirectly, the Role Management management role. > If a user is assigned, either
directly or indirectly, the Role Management role and isn't added as a delegate of the role group, the user must use the
BypassSecurityGroupManagerCheck switch on the Add-RoleGroupMember, Remove-RoleGroupMember, Update-
RoleGroupMember, and Set-RoleGroup cmdlets to manage a role group.
NOTE
You can't use the EAC to add a delegate to a role group.
2. Add the delegate to the role group stored in the variable using the following command.
$RoleGroup.ManagedBy += (Get-User <user to add>).Identity
NOTE
Use the Get-Group cmdlet if you want to add a USG.
This example adds the user David Strome as a delegate on the Organization Management role group.
2. Remove the delegate from the role group stored in the variable using the following command.
NOTE
Use the Get-Group cmdlet if you want to remove a USG.
This example removes the user David Strome as a delegate on the Organization Management role group.
2. Verify that the delegates listed on the ManagedBy property include only the delegates that should be able
to manage the role group.
Manage role group members
8/23/2019 • 3 minutes to read • Edit Online
To learn about role groups in Exchange Server, see Understanding Management Role Groups.
For additional management tasks related to role groups, see Permissions.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
If you want to customize the permissions that you assign to a group of end users, create a new custom
management role assignment policy. The assignment policy you create can be customized to suit your end user's
specific requirements. For more information about assignment policies in Exchange Server, see Understanding
Management Role Assignment Policies.
Looking for other management tasks related to managing permissions? Check out Permissions.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
You can only create explicit assignment policies using the Exchange admin center (EAC). If you want to create a new default
assignment policy, you must use the Exchange Management Shell. For more information, see the "Use the Exchange
Management Shell to create a default assignment policy" section later in this topic.
1. In the EAC, navigate to Permissions > User Roles and then click Add .
2. In the role assignment policy window, provide a name for the new assignment policy.
3. Select the check box next to the role or roles you want to add to the assignment policy. You can select
multiple roles, including end-user roles you've added. If you select a role that has child roles, the child roles
are automatically selected.
4. Click Save to save the changes to the assignment policy.
Use the Exchange Management Shell to create an explicit assignment policy
To create an explicit assignment policy that can be manually assigned to mailboxes, use the following syntax.
This example creates the explicit assignment policy Limited Mailbox Configuration and assigns the MyBaseOptions ,
MyAddressInformation , and MyDisplayName roles to it.
This example creates the default assignment policy Limited Mailbox Configuration and assigns the MyBaseOptions ,
MyAddressInformation , and MyDisplayName roles to it.
This example removes the New York Temporary Users assignment policy.
Get-RoleAssignmentPolicy
To return a list of specific properties for all the assignment policies in your organization, you can pipe the results to
the Format-Table cmdlet and specify the properties you want in the list of results. Use the following syntax.
This example returns a list of all the assignment policies in your organization and includes the Name and
IsDefault properties.
This example views the details about the Redmond Users - no Text Messaging assignment policy.
This example finds all the mailboxes assigned the policy Vancouver End Users.
Use the Exchange Management Shell to change the default assignment policy
To change the default assignment policy, use the following syntax.
This example sets the Vancouver End Users assignment policy as the default assignment policy.
IMPORTANT
New mailboxes are assigned the default assignment policy even if the policy hasn't been assigned management roles.
Mailboxes assigned assignment policies with no assigned management roles can't access any mailbox configuration features
in Outlook on the web.
New-ManagementRoleAssignment -Name <role assignment name> -Role <role name> -Policy <assignment policy name>
This example creates the role assignment Seattle Users - Voicemail between the MyVoicemail role and the Seattle
Users assignment policy.
New-ManagementRoleAssignment -Name "Seattle Users - Voicemail" -Role MyVoicemail -Policy "Seattle Users"
This example removes the MyVoicemail management role, which enables users to manage their voice mail
options, from the Seattle Users assignment policy.
When you change a mailbox's assignment policy, the change takes effect as soon as the user refreshes the
connection, such as the next time they log into their mailbox or open the mailbox options page. For more
information about assignment policies in Exchange Server, see Understanding Management Role Assignment
Policies.
Looking for other management tasks related to permissions? Check out Permissions.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example sets the assignment policy to Engineering Users on the mailbox Brian.
This procedure makes use of pipelining, the Where cmdlet, and the WhatIf parameter. For more information
about these concepts, see the following topics:
Pipelining
Working with Command Output
WhatIf, Confirm, and ValidateOnly Switches
If you want to change the assignment policy for a group of mailboxes that are assigned a specific policy, use the
following syntax.
This example finds all the mailboxes assigned to the Redmond Users - No Voicemail assignment policy and
changes the assignment policy to Redmond Users - Voicemail Enabled.
This example includes the WhatIf parameter so that you can see all the mailboxes that would be changed without
committing any changes.
Permissions in Microsoft Exchange Server are managed using the Role Based Access Control (RBAC ) permissions
model. The following topics identify the management role groups required to administer the features associated
with each functional area in Exchange Server.
Role management permissions
Messaging policy and compliance in Exchange Server
Antispam and antimalware permissions
Mail flow permissions
Recipients Permissions
Email address and address book permissions
Sharing and collaboration permissions
Clients and mobile devices permissions
Unified Messaging permissions
High availability and site resilience permissions
Exchange infrastructure and PowerShell permissions
Server health and performance permissions
Role management permissions
8/23/2019 • 2 minutes to read • Edit Online
The permissions required to perform tasks to configure management roles vary depending on the procedure
being performed or the cmdlet you want to run. For more information about management roles, see
Understanding Management Roles.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
The permissions required to configure messaging policy and compliance vary depending on the procedure
being performed or the cmdlet you want to run. For more information about messaging policy and compliance,
see Messaging policy and compliance in Exchange Server.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to
see its management roles. If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
Delete mailbox content (using the Search-Mailbox cmdlet Discovery Management and
with the DeleteContent switch) Mailbox Import Export Role
Note: By default, the Mailbox Import Export role isn't
assigned to any role group. You can assign a management
role to a built-in or custom role group, a user, or a universal
security group. Assigning a role to a role group is
recommended. For more information, see Add a Role to a
User or USG.
FEATURE PERMISSIONS REQUIRED
Retention policies - Create See the entry for Messaging records management
FEATURE PERMISSIONS REQUIRED
The permissions required to perform tasks related to antispam and antimalware vary depending on the
procedure being performed or the cmdlet you want to run. For more information about transport features, see
Mail flow and the transport pipeline.
This topic lists the permissions required to manage the mail flow features in Microsoft Exchange Server.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
NOTE
Some features that you want to manage might exist on Edge Transport servers. To manage features on Edge Transport
servers, you need to become a member of the Local Administrators group on the Edge Transport server you want to
manage. Edge Transport servers don't use Role Based Access Control (RBAC). Features that can be managed on Edge
Transport servers have Edge Transport Local Administrator in the "Permissions required" column in the table below.
NOTE
Some features may require that you have local administrator permissions on the server you want to manage. To manage
these features, you must be a member of the Local Administrators group on that server.
The permissions required to perform tasks related to mail flow vary depending on the procedure being
performed or the cmdlet you want to run. For more information about transport features, see Mail flow and
the transport pipeline.
This topic lists the permissions required to manage the mail flow features in Exchange Server 2016 and
Exchange Server 2019. For information about how Office 365 permissions relate to Exchange permissions,
see Permissions in Office 365.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups,
an equivalent custom role group, or an equivalent management role. You can also click a role group to
see its management roles. If a feature lists more than one role group, you need to be assigned to only
one of the role groups to use the feature. For more information about role groups and management
roles, see Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
NOTE
Some features that you want to manage might exist on Edge Transport servers. To manage features on Edge Transport
servers, you need to become a member of the Local Administrators group on the Edge Transport server you want to
manage. Edge Transport servers don't use Role Based Access Control (RBAC). Features that can be managed on Edge
Transport servers have Edge Transport Local Administrator in the "Permissions required" column in the table below.
NOTE
Some features may require that you have local administrator permissions on the server you want to manage. To
manage these features, you must be a member of the Local Administrators group on that server.
Testing mail flow rule (also known as transport rule) Organization Management
processing
Mail flow rules (also known as transport rules) - Edge Edge Transport server local administrator
Transport
Recipients Permissions
8/23/2019 • 4 minutes to read • Edit Online
The permissions required to perform tasks to manage recipients vary depending on the procedure being
performed or the cmdlet you want to run.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups,
an equivalent custom role group, or an equivalent management role. You can also click on a role group
to see its management roles. If a feature lists more than one role group, you need to be assigned to
only one of the role groups to use the feature. For more information about role groups and
management roles, see Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your
Exchange administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
Manage Exchange Search Indexer service on a Mailbox Local Administrator on the Mailbox server
server
The permissions required to configure email address and address book features vary depending on the procedure
being performed or the cmdlet you want to run. For more information about email addresses and address books,
see Email addresses and address books in Exchange Server.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
The permissions required to configure sharing and collaboration features vary depending on the procedure being
performed or the cmdlet you want to run. For more information about sharing and collaboration, see
Collaboration and Sharing.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
The permissions required to perform tasks for clients and mobile devices vary depending on the procedure
being performed or the cmdlet you want to run. For more information about client and mobile device
features, see Clients and mobile.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups,
an equivalent custom role group, or an equivalent management role. You can also click on a role group
to see its management roles. If a feature lists more than one role group, you only need to be assigned
one of the role groups to use the feature. For more information about role groups and management
roles, see Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your
Exchange administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
NOTE
Some features may require that you have local administrator permissions on the server you want to manage. To
manage these features, you must be a member of the Local Administrators group on that server.
Autodiscover permissions
You can configure the following for the Autodiscover service.
Users who are assigned the View -Only Management role group can view the configuration of the features in
the following table. For more information, see View -only Organization Management.
FEATURE PERMISSIONS REQUIRED
The permissions required to manage Unified Messaging services and features on Exchange 2016 Mailbox servers
vary depending on the procedure being performed or the cmdlet you want to run.
NOTE
Unified Messaging is not available in Exchange 2019.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
UM component permissions
You can configure settings for the UM components and features in the following table.
Users who are assigned the View -Only Management role group can view the configuration of the features in the
following table. For more information, see View -only Organization Management.
The permissions required to configure high availability vary depending on the procedure being performed or
the cmdlet you want to run. For more information about high availability, see High Availability and Site
Resilience.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the
cmdlet you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to
see its management roles. If a feature lists more than one role group, you only need to be assigned one of
the role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management
roles assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
The permissions required to perform tasks to configure various components of Exchange Server depend on the
procedure being performed or the cmdlet you want to run. See each of the sections in this topic for more
information about their respective features.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
NOTE
Some features may require that you have local administrator permissions on the server you want to manage. To manage
these features, you must be a member of the Local Administrators group on that server.
Write to audit log Users that are members of any role group or assigned any
management role can write to the administrator audit log.
The permissions required to perform tasks to configure various components of Exchange Server depend on the
procedure being performed or the cmdlet you want to run. See each of the sections in this topic for more
information about their respective features.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet
you want to run.
2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an
equivalent custom role group, or an equivalent management role. You can also click on a role group to see
its management roles. If a feature lists more than one role group, you only need to be assigned one of the
role groups to use the feature. For more information about role groups and management roles, see
Understanding Role Based Access Control.
3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles
assigned to you to see if you have the permissions that are necessary to manage the feature.
NOTE
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment
cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange
administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
NOTE
Some features may require that you have local administrator permissions on the server you want to manage. To manage
these features, you must be a member of the Local Administrators group on that server.
The people and resources that send and receive messages are the core of any messaging and collaboration
system. In an Exchange organization, these people and resources are referred to as recipients. A recipient is any
mail-enabled object in Active Directory to which Microsoft Exchange can deliver or route messages.
Dynamic distribution group A distribution group that uses recipient filters and conditions
to derive its membership at the time messages are sent.
Mail forest contact A mail contact that represents a recipient object from
another forest. Mail forest contacts are typically created by
Microsoft Identity Integration Server (MIIS) synchronization.
Note: Mail forest contacts are read-only recipient objects
that are updated only through MIIS or similar custom
synchronization. You can't use the EAC or the Exchange
Management Shell to remove or modify a mail forest contact.
RECIPIENT TYPE DESCRIPTION
Mail-enabled non-universal group A mail-enabled Active Directory global or local group object.
Mail-enabled non-universal groups were discontinued in
Exchange Server 2007 and can exist only if they were
migrated from Exchange 2003 or earlier versions of
Exchange. You can't use Exchange Server 2013 to create non-
universal distribution groups.
Microsoft Exchange recipient A special recipient object that provides a unified and well-
known message sender that differentiates system-generated
messages from other messages. It replaces the System
Administrator sender used for system-generated messages
in earlier versions of Exchange.
Shared mailbox A mailbox that's not primarily associated with a single user
and is generally configured to allow access for multiple users.
Mailboxes
Mailboxes are the most common recipient type used by information workers in an Exchange organization. Each
mailbox is associated with an Active Directory user account. The user can use the mailbox to send and receive
messages, and to store messages, appointments, tasks, notes, and documents. Mailboxes are the primary
messaging and collaboration tool for the users in your Exchange organization.
Mailbox components
Each mailbox consists of an Active Directory user and the mailbox data that's stored in the Exchange mailbox
database (as shown in the following figure). All configuration data for the mailbox is stored in the Exchange
attributes of the Active Directory user object. The mailbox database contains the actual data that's in the mailbox
associated with the user account.
IMPORTANT
When you create a mailbox for a new or existing user, the Exchange attributes required for a mailbox are added to the user
object in Active Directory. The associated mailbox data isn't created until the mailbox either receives a message or the user
signs in to it.
Mailbox components
Cau t i on
If you remove a mailbox, the mailbox data stored in the Exchange mailbox database is marked for deletion and
the associated user account is also deleted from Active Directory. To retain the user account and delete only the
mailbox data, you must disable the mailbox.
Mailbox types
Exchange supports the following mailbox types:
User mailboxes: User mailboxes are assigned to individual users in your Exchange organization. User
mailboxes provide your users with a rich collaboration platform. Users can send and receive messages,
manage their contacts, schedule meetings, and maintain a task list. They can also have voice mail
messages delivered to their mailboxes. User mailboxes are the most commonly used mailbox type and are
typically the mailbox type assigned to users in your organization.
Linked mailboxes: Linked mailboxes are mailboxes that are accessed by users in a separate, trusted
forest. Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest.
The resource forest scenario allows an organization to centralize Exchange in a single forest, while
allowing access to the Exchange organization with user accounts in one or more trusted forests.
As stated earlier, every mailbox must have a user account associated with it. However, the user account
that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a
disabled user account that exists in the same forest as Exchange is associated with each linked mailbox.
The following figure illustrates the relationship between the linked user account used to access the linked
mailbox and the disabled user account in the Exchange resource forest associated with the linked mailbox.
Linked mailbox
Office 365 mailboxes: When you create an Office 365 mailbox in Exchange Online in a hybrid
deployment, the mail user is created in Active Directory on-premises. Directory synchronization, if it's
configured, automatically synchronizes this new user object to Office 365, where it's converted to a cloud
mailbox in Exchange Online. You can create Office 365 mailboxes as regular user mailboxes, resource
mailboxes for meeting rooms and equipment, and shared mailboxes.
Shared mailboxes: Shared mailboxes aren't primarily associated with individual users and are generally
configured to allow access by multiple users.
Although it's possible to assign additional users the logon access permissions to any mailbox type, shared
mailboxes are dedicated for this functionality. The Active Directory user associated with a shared mailbox
must be a disabled account. After you create a shared mailbox, you must assign permissions to all users
that require access to the shared mailbox.
Resource mailboxes: Resource mailboxes are special mailboxes designed to be used for scheduling
resources. Like all mailbox types, a resource mailbox has an associated Active Directory user account, but
it must be a disabled account. The following are the types of resource mailboxes:
Room mailboxes: These mailboxes are assigned to meeting locations, such as conference rooms,
auditoriums, and training rooms.
Equipment mailboxes: These mailboxes are assigned to resources that aren't location-specific,
such as portable computers, projectors, microphones, or company cars.
You can include both types of resource mailboxes in meeting requests, providing a simple and
efficient way for your users to use resources. You can configure resource mailboxes to
automatically process incoming meeting requests based on the resource booking policies that are
defined by the resource owners. For example, you can configure a conference room to
automatically accept incoming meeting requests except recurring meetings, which can be subject to
approval by the resource owner.
System mailboxes
System mailboxes are created by Exchange in the root domain of the Active Directory forest during installation.
Users or administrators can't sign in to these mailboxes. System mailboxes are created for Exchange features
such as Unified Messaging (UM ), migration, message approval, and In-Place eDiscovery. This table lists
information about system mailboxes as they're displayed in Active Directory.
NOTE
Unified Messaging is not available in Exchange 2019
MAILBOX NAME
Migration Migration.8f3e7716-2011-43e4-96b1-aba62d229136
If you want to decommission the last Mailbox server in your Exchange organization, you should first disable
these system mailboxes by using the Disable-Mailbox cmdlet. When you decommission a Mailbox server that
contains these system mailboxes, you should move the system mailboxes to another Mailbox server to make
sure that you don't lose functionality.
Planning for mailboxes
Mailboxes are created in mailbox databases on Exchange servers that have the Mailbox server role installed. To
help provide a reliable and effective platform for your mailbox users, detailed planning for the deployment of
Mailbox servers and databases is essential. To learn more about planning for Mailbox servers and databases, see
Planning and deployment.
Distribution groups
Distribution groups are mail-enabled Active Directory group objects that are primarily used for distributing
messages to multiple recipients. Any recipient type can be a member of a distribution group.
IMPORTANT
Note the terminology differences between Active Directory and Exchange. In Active Directory, a distribution group refers to
any group that doesn't have a security context, whether it's mail-enabled or not. In Exchange, all mail-enabled groups are
referred to as distribution groups, whether they have a security context or not.
NOTE
To convert a domain-local or a global group to a universal group, you can use the Set-Group cmdlet in the
Exchange Management Shell.
IMPORTANT
A dynamic distribution group includes any recipient in Active Directory that has attributes that match the group's filter at
the time a message is sent. If a recipient's properties are modified to match the group's filter, that recipient could
inadvertently become a group member and start receiving messages that are sent to the dynamic distribution group.
Well-defined, consistent account provisioning processes can reduce the chances of this issue occurring.
To help you create recipient filters for dynamic distribution groups, you can use precanned filters. A precanned
filter is a commonly used filter that you can use to meet a variety of recipient-filtering criteria. You can use these
filters to specify the recipient types that you want to include in a dynamic distribution group. In addition, you can
also specify a list of conditions that the recipients must meet. You can create precanned conditions based on the
following properties:
Custom attributes 1-15
State or province
Company
Department
Recipient container
You can also specify conditions based on recipient properties other than those previously listed. To do this, you
must use the Exchange Management Shell to create a custom query for the dynamic distribution group.
Remember that the filter and condition settings for dynamic distribution groups that have custom recipient
filters can be managed only by using the Exchange Management Shell. For an example of how to create a
dynamic distribution group by using a custom query, see Manage dynamic distribution groups.
Mail contacts
Mail contacts typically contain information about people or organizations that exist outside your Exchange
organization. Mail contacts can appear in your organization's shared address book (also called the global address
list or GAL ) and other address lists, and can be added as members to distribution groups. Each contact has an
external email address, and all email messages that are sent to a contact are automatically forwarded to that
address. Contacts are ideal for representing people external to your Exchange organization (in the shared
address book) who don't need access to any internal resources. The following are mail contact types:
Mail contacts: These are mail-enabled Active Directory contacts that contain information about people
or organizations that exist outside your Exchange organization.
Mail forest contacts: These represent recipient objects from another forest. These contacts are typically
created by directory synchronization. Mail forest contacts are read-only recipient objects that can be
updated or removed only by means of synchronization. You can't use Exchange management interfaces to
modify or remove a mail forest contact.
Mail users
Mail users are similar to mail contacts. Both have external email addresses, both contain information about
people outside your Exchange organization, and both can be displayed in the shared address book and other
address lists. However, unlike a mail contact, mail users have Active Directory logon credentials and can access
resources to which they are assigned permissions.
If a person external to your organization requires access to resources on your network, you should create a mail
user instead of a mail contact. For example, you may want to create mail users for short-term consultants who
require access to your server infrastructure, but who will use their own external addresses.
Another scenario is to create mail users in your organization for users who you don't want to maintain an
Exchange mailbox. For example, after an acquisition, the acquired company may maintain their separate
messaging infrastructure, but may also need access to resources on your network. For those users, you may
want to create mail users instead of mailbox users.
NOTE
In the EAC, you use the Recipients > Contacts page to create and manage mail users. There isn't a separate page for mail
users.
NOTE
When system-generated messages are sent to an external sender, the Microsoft Exchange recipient isn't used as the
sender of the message. Instead, the email address specified by the ExternalPostmasterAddress parameter in the Set-
TransportConfig cmdlet is used.
Recipients documentation
The following table contains links to topics that will help you learn about and manage Exchange recipients.
TOPIC DESCRIPTION
Create user mailboxes in Exchange Server Learn how to create user mailboxes using the Exchange
admin center or the Exchange Management Shell.
Manage user mailboxes Learn how to create user mailboxes, change mailbox
properties, and bulk-edit selected properties for multiple
mailboxes.
Manage distribution groups Learn how to create and manage distribution groups, and
create a group naming policy for your organization.
Manage dynamic distribution groups Learn how to create dynamic distribution groups and
manage dynamic distribution group properties, such as using
custom attributes and other properties to determine group
membership.
Manage mail contacts Learn how to create and manage mail contacts.
Manage mail users Learn how to create and manage mail users.
Create and manage room mailboxes Learn how to create room mailboxes and manage room
mailbox properties, such as enabling recurring meetings and
configuring booking and scheduling options.
Manage equipment mailboxes Learn how to create equipment mailboxes, configure booking
and scheduling options, and manage other mailbox
properties.
Disconnected mailboxes Learn about the two types of disconnected mailboxes and
how to work with them.
Filters in recipient Shell commands Learn how to use precanned or custom filters with
commands to filter a set of recipients.
Manage permissions for recipients Learn how to use the EAC or the Exchange Management
Shell to assign permissions to users and groups.
Automatic Mailbox Distribution Learn about how automatic mailbox distribution works and
how to control which mailbox databases are selected for new
and moved mailboxes.
Create user mailboxes in Exchange Server
8/23/2019 • 8 minutes to read • Edit Online
User mailboxes are Exchange mailboxes that are associated with people, typically one mailbox per person. Each
user mailbox has an associated Active Directory account that gives the person access to the mailbox to send and
receive email messages, and create meetings and appointments.
When you create a new user mailbox in Exchange, you also create the corresponding Active Directory user at the
same time. Or, you can create a new mailbox for an existing Active Directory account that doesn't have an
associated mailbox. This is known as mailbox-enabling an existing user.
You can create user mailboxes in Exchange Server by using the Exchange admin center (EAC ) or the Exchange
Management Shell. The following table describes some of the important properties for user mailboxes.
Display name EAC: Required Identifies the mailbox in the EAC, and in
Exchange Management Shell: Optional address lists in Outlook and Outlook on
the web (formerly known as Outlook
Web App). The maximum length is 256
characters. Spaces and other text
characters are allowed.
In the EAC, the display name is
populated by the values that you enter
for the first name, middle initial, and
last name, but you can specify a custom
value.
In the Exchange Management Shell, if
you don't specify a value for the display
name, the value of the Name property
is used.
The display name value doesn't need to
be unique, but having multiple
mailboxes with the same display name
would be confusing.
PROPERTY REQUIRED OR OPTIONAL DESCRIPTION
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Note: A linked mailbox is a local mailbox that's associated with a user account in a different (trusted) Active
Directory forest. For more information, see Manage linked mailboxes.
3. On the New user mailbox page, configure the following settings. Settings marked with an asterisk (*) are
required.
Alias
Existing user or New user: Select New user.
First name
Initials
Last name
* Display name: By default, this field is populated with the names you enter in the First name,
Initials, and Last name fields, but you can override it. The maximum length is 256 characters.
* Name: By default, this field is populated with the names you enter in the First name, Initials, and
Last name field, but you can override it. The maximum length is 64 characters, and the value must
be unique in your organization.
Organizational unit: Typically, the default location for the user account is the Users container. To
change it, click Browse and select the OU or container where you want to create the account.
* User logon name: This is the Active Directory user account that's created and associated with the
mailbox.
Notes:
Don't use apostrophes (') or quotation marks ("). Although these characters are allowed, they might
cause problems later (for example, assigning access permissions to the mailbox).
If this value is different than the Alias value, the user's email address and account name will be
different (important if the email domain and the Active Directory domain are the same).
* New Password: Verify the value complies with your organization's password length, complexity,
and history requirements.
* Confirm password
Require password change on next logon: Select this check box to force the user to change the
initial password when they first sign in to the mailbox.
4. You can click Save to create the mailbox and the associated Active Directory user account, or you can click
More options to configure the following additional settings:
Mailbox database: Click Browse to select the mailbox database that holds the mailbox.
Create an on-premises archive mailbox for this user: Select this check box to create an archive
mailbox for the mailbox, and then click Browse to select the mailbox database that holds the archive
mailbox. Items are automatically moved from the primary mailbox to the archive based on the
retention policy settings. For more information, see In-Place Archiving in Exchange Server.
Address book policy: ABPs define a global address list (GAL ), an offline address book (OAB ), a
room list, and a set of address lists. An ABP gives the user access to a customized GAL in Outlook
and Outlook on the web. For more information, see Address book policies in Exchange Server.
When you're finished, click Save.
Use the Exchange Management Shell to create user mailboxes
To create a user mailbox in the Exchange Management Shell, use the following syntax:
New-Mailbox -Name <Name> -UserPrincipalName <UPN> -Password (ConvertTo-SecureString -String '<Password>' -
AsPlainText -Force) [-Alias <Alias>] [-FirstName <FirstName>] [-LastName <LastName>] [-DisplayName
<DisplayName>] -[OrganizationalUnit <OU>]
This example creates a new mailbox and Active Directory user account for Pilar Pinilla with the following settings:
Required parameters:
Name: Pilar Pinilla. This value is also used for the display name, because we aren't using the
DisplayName parameter.
UserPrincipalName: The Active Directory account name is pilarp@contoso.com .
Password: Pa$$word1
Optional parameters:
FirstName: Pilar
LastName: Pinilla
The alias value is pilarp because we aren't using the Alias parameter, and pilarp is taken from the
UserPrincipalName parameter value.
This example creates a mailbox in the mailbox database named UsersMailboxDatabase for the existing user
named Kathleen Reiter, whose account name (user principal name) is kreiter@contoso.com.
Because we aren't using the Alias parameter, the alias value is kreiter .
Because we aren't using the DisplayName parameter, the value of the name attribute in Active Directory is
used as the display name.
Enable-Mailbox -Identity kreiter@contoso.com -Database UsersMailboxDatabase
This example finds all user accounts that aren't mail-enabled and that aren't system accounts (the
userPrincipalName attribute isn't blank), and then creates mailboxes for those accounts.
Get-User -RecipientTypeDetails User -Filter {UserPrincipalName -ne $null} -ResultSize unlimited | Enable-
Mailbox
For detailed syntax and parameter information, see Enable-Mailbox and Get-User.
How do you know this worked?
To verify that you've successfully created a mailbox for an existing user, use either of the following procedures:
In the EAC, go to Recipients > Mailboxes and verify the mailbox is displayed in the list.
In the Exchange Management Shell, replace <Name> with the name attribute of the user, and run the
following command:
After you create a user mailbox, you can make changes and set additional properties by using the EAC or the
Exchange Management Shell.
You can also change properties for multiple user mailboxes at the same time. For more information, see Use the
EAC to bulk edit user mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
To obtain the information that's displayed in the previous two boxes, the EAC queries the mailbox database that hosts the
mailbox. If the EAC is unable to communicate with the Exchange store that contains the mailbox database, these boxes will
be blank. A warning message is displayed if the user hasn't signed in to the mailbox for the first time.
Click More options to view or change the mailbox storage quota and the deleted item retention settings for the
mailbox.
Storage quota settings: To customize these settings for the mailbox and not use the mailbox database
defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
The value range for any of the storage quota settings is from 0 through 2047 gigabytes (GB ).
Issue a warning at (GB ): This box displays the maximum storage limit before a warning is issued to
the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning
message to the user.
Prohibit send at (GB ): This box displays the prohibit send limit for the mailbox. If the mailbox size
reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and
displays a descriptive error message.
Prohibit send and receive at (GB ): This box displays the prohibit send and receive limit for the
mailbox. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox
user from sending new messages and won't deliver any new messages to the mailbox. Any
messages sent to the mailbox are returned to the sender with a descriptive error message.
Deleted item retention settings: To customize these settings for the mailbox and not use the mailbox
database defaults, click Customize the settings for this mailbox, type a new value, and then click Save.
Keep deleted items for (days): This box displays the length of time that deleted items are retained
before they are permanently deleted and can't be recovered by the user. When the mailbox is
created, this value is based on the deleted item retention settings configured for the mailbox
database. By default, a mailbox database is configured to retain deleted items for 14 days. The value
range for this property is from 0 through 24855 days.
Don't permanently delete items until the database is backed up: Select this check box to
prevent mailboxes and email messages from being deleted until after the mailbox database on which
the mailbox is located has been backed up.
Contact Information
Use the Contact Information section to view or change the user's contact information. The information on this
page is displayed in the address book. Click More options to display additional boxes.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.
Mailbox users can use Outlook or Outlook on the web (formerly known as Outlook Web App) to view and change
their own contact information. But they can't change the information in the Notes and Web page boxes.
Organization
Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that is accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari's mailbox is specified in the Manager box of
Chris's mailbox and Kate's mailbox, and Chris and Kate appear in the Direct reports box in the properties
of Kari's mailbox.
Email Address
Use the Email Address section to view or change the email addresses associated with the user mailbox. This
includes the user's primary SMTP address and any associated proxy addresses. The primary SMTP address (also
known as the default reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service in Exchange 2016 to locate UM -enabled users within an Exchange organization.
EUM addresses consist of the extension number and the UM dial plan for the UM -enabled user.
Click this button and type the extension number in the Address/Extension box. Then click Browse
and select a dial plan for the user. (Note: Unified Messaging is not available in Exchange 2019.)
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Make this the reply address: In Exchange Online, you can select this check box to make the new
email address the primary SMTP address for the mailbox. This check box isn't available in the EAC in
Exchange Server.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
Mailbox Features
Use the Mailbox Features section to view or change the following mailbox features and settings:
Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing policy controls how
users in your organization can share calendar and contact information with users outside your Exchange
organization. The Default Sharing Policy is assigned to mailboxes when they are created. To change the
sharing policy that's assigned to the user, select a different one from the drop-down list.
Role assignment policy: This box shows the role assignment policy assigned to the mailbox. The role
assignment policy specifies the role-based access control (RBAC ) roles that are assigned to the user and
control what specific mailbox and distribution group configuration settings users can modify. To change the
role assignment policy that's assigned to the user, select a different one from the drop-down list.
Retention policy: This box shows the retention policy assigned to the mailbox. A retention policy is a
group of retention tags that are applied to the user's mailbox. They allow you to control how long to keep
items in users' mailboxes and define what action to take on items that have reached a certain age. A
retention policy isn't assigned to mailboxes when they are created. To assign a retention policy to the user,
select one from the drop-down list.
Address book policy: This box shows the address book policy applied to the mailbox. An address book
policy allows you to segment users into specific groups to provide customized views of the address book.
To apply or change the address book policy applied to the mailbox, select one from the drop-down list.
Unified Messaging (not available in Exchange 2019): This feature is disabled by default. When you
enable Unified Messaging (UM ) in Exchange 2016, the user will be able to use your organization's UM
features and a default set of UM properties are applied to the user. Click Enable to enable UM for the
mailbox. For information about how to enable UM, see Enable a User for Unified Messaging.
NOTE
A UM dial plan and a UM mailbox policy must exist before you can enable UM.
Mobile Devices: Use this section to view and change the settings for Exchange ActiveSync, which is
enabled by default. Exchange ActiveSync enables access to an Exchange mailbox from a mobile device.
Click Disable Exchange ActiveSync to disable this feature for the mailbox.
Outlook Web App: This feature is enabled by default. Outlook on the web enables access to an Exchange
mailbox from a web browser. Click Disable to disable Outlook on the web for the mailbox. Click Edit
details to add or change an Outlook on the web mailbox policy for the mailbox.
IMAP: This feature is enabled by default. Click Disable to disable IMAP for the mailbox.
POP3: This feature is enabled by default. Click Disable to disable POP3 for the mailbox.
MAPI: This feature is enabled by default. MAPI enables access to an Exchange mailbox from a MAPI client
such as Outlook. Click Disable to disable MAPI for the mailbox.
Litigation hold: This feature is disabled by default. Litigation hold preserves deleted mailbox items and
records changes made to mailbox items. Deleted items and all instances of changed items are returned in a
discovery search. Click Enable to put the mailbox on litigation hold. If the mailbox is on litigation hold, click
Disable to remove the litigation hold. Mailboxes on litigation hold are inactive mailboxes and can't be
deleted. To delete the mailbox, remove the litigation hold. If the mailbox is on litigation hold, click Edit
details to view and change the following litigation hold settings:
Hold date: This read-only box indicates the date and time when the mailbox was put on litigation
hold.
Put on hold by: This read-only box indicates the user who put the mailbox on litigation hold.
Note: Use this box to notify the user about the litigation hold, explain why the mailbox is on
litigation hold, or provide additional guidance to the user, such as informing them that the litigation
hold won't affect their day-to-day use of email.
URL: Use this box to provide a URL to a website that provides information or guidance about the
litigation hold on the mailbox.
NOTE
The text from these boxes appears in the user's mailbox only if they are using Outlook 2010 or later versions.
It doesn't appear in Outlook on the web or other email clients. To view the text from the Note and URL boxes
in Outlook, click the File tab, and on the Info page, under Account Settings, you'll see the litigation hold
comment.
Archiving: If an archive mailbox doesn't exist for the user, this feature is disabled. To enable an archive
mailbox, click Enable. If the user has an archive mailbox, the size of the archive mailbox and usage statistics
are displayed. Click Edit details to view and change the following archive mailbox settings:
Status: This read-only box indicates whether an archive mailbox exists.
Database: This read-only box shows the name of the mailbox database that hosts the archive
mailbox.
Name: Type the name of the archive mailbox in this box. This name is displayed under the folder list
in Outlook or Outlook on the web.
Archive quota (GB ): This box shows the total size of the archive mailbox. To change the size, type a
new value in the box or select a value from the drop-down list.
Issue warning at (GB ): This box shows the maximum storage limit for the archive mailbox before a
warning is issued to the user. If the archive mailbox size reaches or exceeds the value specified,
Exchange sends a warning message to the user. To change this limit, type a new value in the box or
select a value from the drop-down list.
Delivery Options: Use to forward email messages sent to the user to another recipient and to set the
maximum number of recipients that the user can send a message to. Click View details to view and
change these settings.
Forwarding address: Select the Enable forwarding check box and then click Browse to display
the Select Mail User and Mailbox page. Use this page to select a recipient to whom you want to
forward all email messages that are sent to this mailbox.
Deliver message to both forwarding address and mailbox: Select this check box so that
messages will be delivered to both the forwarding address and the user's mailbox.
Recipient limit: This setting controls the maximum number of recipients the user can send a
message to. Select the Maximum recipients check box to limit the number of recipients allowed in
the To:, Cc:, and Bcc: boxes of an email message and then specify the maximum number of recipients.
For on-premises Exchange organizations, the recipient limit is unlimited.
Message Size Restrictions: These settings control the size of messages that the user can send and receive.
Click View details to view and change maximum size for sent and received messages.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB ) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB ) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this user. Click
View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search .
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders
in the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search .
Member Of
Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or more
dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they are used.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues if they send a message to this recipient.
A MailTip is text that is displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc boxes of a new
email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Mailbox Delegation
Use the Mailbox Delegation section to assign permissions to other users (also called delegates) to allow them
to sign in to the user's mailbox or send messages on behalf of the user. You can assign the following permissions:
Send As: This permission allows users other than the mailbox owner to use the mailbox to send messages.
After this permission is assigned to a delegate, any message that a delegate sends from this mailbox will
appear as if it was sent by the mailbox owner. However, this permission doesn't allow a delegate to sign in
to the user's mailbox.
Send on Behalf Of: This permission also allows a delegate to use this mailbox to send messages.
However, after this permission is assigned to a delegate, the From: address in any message sent by the
delegate indicates that the message was sent by the delegate on behalf of the mailbox owner.
Full Access: This permission allows a delegate to sign in to the user's mailbox and view the contents of the
mailbox. However, after this permission is assigned to a delegate, the delegate can't send messages from
the mailbox. To allow a delegate to send email from the user's mailbox, you still have to assign the delegate
the Send As or the Send on Behalf Of permission.
To assign permissions to delegates, click Add under the appropriate permission to display a page that displays
a list of all recipients in your Exchange organization that can be assigned the permission. Select the recipients you
want, add them to the list, and then click OK. You can also search for a specific recipient by typing the recipient's
name in the search box and then clicking Search .
Use the Exchange Management Shell to change user mailbox properties
Use the Get-Mailbox and Set-Mailbox cmdlets to view and change properties for user mailboxes. One
advantage of using the Exchange Management Shell is the ability to change the properties for multiple mailboxes.
For information about what parameters correspond to mailbox properties, see the following topics:
Get-Mailbox
Set-Mailbox
Here are some examples of using the Exchange Management Shell to change user mailbox properties.
This example shows how to forward Pat Coleman's email messages to Sunil Koduri's (sunilk@contoso.com)
mailbox.
This example uses the Get-Mailbox command to find all user mailboxes in the organization, and then uses the
Set-Mailbox command to set the recipient limit to 500 recipients allowed in the To:, Cc:, and Bcc: boxes of an
email message.
This example uses the Get-Mailbox command to find all the mailboxes in the Marketing organizational unit, and
then uses the Set-Mailbox command to configure these mailboxes. The custom warning, prohibit send, and
prohibit send and receive limits are set to 200 megabytes (MB ), 250 MB, and 280 MB respectively, and the
mailbox database's default limits are ignored. This command can be used to configure a specific set of mailboxes
to have larger or smaller limits than other mailboxes in the organization.
This example uses the Get-Mailbox cmdlet to find all users in the Customer Service department, and then uses
the Set-Mailbox cmdlet to change the maximum message size for sending messages to 2 MB.
For the example above where the message limits were changed, run this command.
NOTE
The estimated time to complete this task is 2 minutes, but may take longer if you change multiple properties or features.
TIP
You can select multiple adjacent mailboxes by holding down the Shift key and clicking the first mailbox, and then
clicking the last mailbox you want to edit. You can also select multiple non-adjacent mailboxes by holding down the
Ctrl key and clicking each mailbox that you want to edit.
3. In the Details pane, under Bulk Edit, select the mailbox properties or feature that you want to edit.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited user mailboxes, do one of the following:
In the EAC, select each of the mailboxes that you bulk edited and then click Edit to view the property or
feature that you changed.
In the Exchange Management Shell, use the Get-Mailbox cmdlet to verify the changes. One advantage of
using the Exchange Management Shell is that you can view multiple properties for multiple mailboxes. For
example, say you used the bulk edit feature in the EAC to enable the archive mailbox and assign a retention
policy to all users in your organization. To verify these changes, you could run the following command:
For more information about the available parameters for the Get-Mailbox cmdlet, see Get-Mailbox.
Add or remove email addresses for a mailbox
8/23/2019 • 6 minutes to read • Edit Online
You can use the EAC or the Exchange Management Shell to add or remove an email address for a user mailbox.
You can configure more than one email address for the same mailbox. The additional addresses are called proxy
addresses. A proxy address lets a user receive email that's sent to a different email address. Any email message sent
to the user's proxy address is delivered to their primary email address, which is also known as the primary SMTP
address or the default reply address.
NOTE
The procedures in this topic show how to add or remove email addresses for a user mailbox. You can use similar procedures
to add or remove email addresses for other recipient types.
For additional management tasks related to managing recipients, see the "Recipients documentation" table in
Recipients.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
On the Email Address page, the primary SMTP address is displayed in bold text in the address list, with the
uppercase SMTP value in the Type column.
4. Click Add , and then click SMTP to add an SMTP email address to this mailbox.
NOTE
SMTP is the default email address type. You can also add Exchange Unified Messaging (EUM) addresses or custom
addresses to a mailbox in Exchange 2016. For more information, see "Change user mailbox properties" in the Manage
user mailboxes topic. (Note: Unified Messaging is not available in Exchange 2019.)
5. Type the new SMTP address in the Email address box, and then click OK.
The new address is displayed in the list of email addresses for the selected mailbox.
6. Click Save to save the change.
Use the Exchange Management Shell to add an email address
The email addresses associated with a mailbox are contained in the EmailAddresses property for the mailbox.
Because it can contain more than one email address, the EmailAddresses property is known as a multivalued
property. The following examples show different ways to modify a multivalued property.
This example shows how to add an SMTP address to the mailbox of Dan Jump.
For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
This example shows another way to add email addresses to a mailbox by specifying all addresses associated with
the mailbox. In this example, danj@tailspintoys.com is the new email address that you want to add. The other two
email addresses are existing addresses. The address with the case-sensitive qualifier SMTP is the primary SMTP
address. You have to include all email addresses for the mailbox when you use this command syntax. If you don't,
the addresses specified in the command will overwrite the existing addresses.
For more information about how to use this method of adding and removing values for multivalued properties, see
Modifying Multivalued Properties.
You can also remove an email address by omitting it from the command to set email addresses for a mailbox. For
example, let's say Janet Schorr's mailbox has three email addresses: janets@contoso.com (the primary SMTP
address), janets@corp.contoso.com, and janets@tailspintoys.com. To remove the address
janets@corp.contoso.com, you would run the following command.
Because janets@corp.contoso.com was omitted in the previous command, it's removed from the mailbox.
For detailed syntax and parameter information, see Set-Mailbox.
How do you know this worked?
To verify that you've successfully removed an email address from a mailbox, do one of the following:
In the EAC, navigate to Recipients > Mailboxes, click the mailbox, and then click Edit .
On the mailbox properties page, click Email Address.
In the list of email addresses for the mailbox, verify that the email address isn't included.
Or
Run the following command in the Exchange Management Shell.
Get-Mailbox <identity> | Format-List EmailAddresses
Mailbox,NewEmailAddress
Dan Jump,danj@northamerica.contoso.com
David Pelton,davidp@northamerica.contoso.com
Kim Akers,kima@northamerica.contoso.com
Janet Schorr,janets@northamerica.contoso.com
Jeffrey Zeng,jeffreyz@northamerica.contoso.com
Spencer Low,spencerl@northamerica.contoso.com
Toni Poe,tonip@northamerica.contoso.com
...
Run the following command to use the data in the CSV file to add the email address to each mailbox specified in
the CSV file.
NOTE
The column names in the first row of this CSV file ( Mailbox,NewEmailAddress ) are arbitrary. Whatever you use for column
names, make sure you use the same column names in the Exchange Management Shell command.
Verify that the new email address is included in the results for each mailbox.
Configure email forwarding for a mailbox
8/23/2019 • 3 minutes to read • Edit Online
Email forwarding lets you to set up a mailbox to forward email messages sent to a user's mailbox to another user's
mailbox in or outside of your organization.
Use the Exchange admin center and the Exchange Management Shell
You can use either the Exchange admin center (EAC ) or Exchange Management Shell to set up email forwarding.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" entry in the Recipients Permissions topic.
Use the Exchange admin center to set up email forwarding
1. In the Exchange admin center, navigate to Recipients > Mailboxes.
2. In the list of user mailboxes, click or tap the mailbox that you want to set up mail forwarding for, and then
click or tap Edit .
3. On the mailbox properties page, click Mailbox Features.
4. Under Mail Flow, select View details to view or change the setting for forwarding email messages.
On this page, you can set the maximum number of recipients that the user can send a message to. The
recipient limit is unlimited by default. If you want to specify a limit, click the Maximum recipients check
box and then type the limit in the text box beneath the check box.
5. Check the Enable forwarding check box, and then click or tap Browse.
6. On the Select Recipient page, select a user you want to forward all email to. Select the Deliver message
to both forwarding address and mailbox check box if you want both the recipient and the forwarding
email address to get copies of the emails sent. Click or tap OK, and then click or tap Save.
NOTE
What if you want to forward emails to an email address outside your organization? You can use the Exchange Management
Shell to do this. See the following example in "Use the Exchange Management Shell to configure mail forwarding".
This example forwards all email sent to the mailbox of Ken Sanchez, an employee of Contoso Suites, to one of his
coworkers, pilarp@contoso.com.
Set-Mailbox -Identity "Ken Sanchez" -ForwardingSMTPAddress "pilarp@contoso.com"
Make sure that the forwarding address is listed in the ForwardingSMTPAddress parameter. Also, if the
DeliverToMailboxAndForward parameter is set to $true , messages will be delivered to the mailbox and to the
forwarding address. If the parameter is set to $false , messages are delivered only to the forwarding address.
End users
Check out the following topics on how to forward your email to another email address by using Outlook and
Outlook Web App.
Forward email to another email account
Manage email messages by using rules
Additional information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in
the Exchange admin center.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or
Exchange Online Protection.
Configure message delivery restrictions for a mailbox
8/23/2019 • 4 minutes to read • Edit Online
You can use the EAC or the Exchange Management Shell to place restrictions on whether messages are delivered
to individual recipients. Message delivery restrictions are useful to control who can send messages to users in your
organization. For example, you can configure a mailbox to accept or reject messages sent by specific users or to
accept messages only from users in your Exchange organization.
The message delivery restrictions covered in this topic apply to all recipient types. To learn more about the
different recipient types, see Recipients.
For additional management tasks related to recipients, see the following topics:
Manage user mailboxes
Manage distribution groups
Manage dynamic distribution groups
Manage mail users
Manage mail contacts
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
If you're configuring a mailbox to accept messages only from individual senders, you have to use the
AcceptMessagesOnlyFrom parameter. If you're setting up a mailbox to accept messages only from senders that are members
of a specific distribution group, use the AcceptMessagesOnlyFromDLMembers parameter.
This example adds the user named David Pelton to the list of users whose messages will be accepted by the
mailbox of Robin Wood.
This example configures the mailbox of Robin Wood to require all senders to be authenticated. This means the
mailbox will only accept messages sent by other users in your Exchange organization.
This example configures the mailbox of Robin Wood to also reject messages sent by members of the group Legal
Team 3.
NOTE
If you're setting up a mailbox to reject messages from individual senders, you have to use the RejectMessagesFrom
parameter. If you're setting up a mailbox to reject messages from senders that are members of a specific distribution group,
use the RejectMessagesFromDLMembers parameter.
For detailed syntax and parameter information related to placing delivery restrictions for different types of
recipients, see the following topics:
Set-DistributionGroup
Set-DynamicDistributionGroup
Set-Mailbox
Set-MailContact
Set-MailUser
Message size limits control the size of messages that a user can send and receive. By default, when a mailbox is
created, there isn't a size limit for sent and received messages.
Keep in mind that there are other settings in an Exchange organization that determine the maximum message size
a mailbox can send and receive (for example, the maximum message size configured on a Mailbox server). To learn
more about the message size restrictions in Exchange, including the types of message size limits, their scope, and
the order of precedence, see Message size limits in Exchange Server.
For additional management tasks related to user mailboxes, see Manage user mailboxes.
NOTE
You can also control the size of messages sent and received by mail users and from shared mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
You can use the Exchange admin center (EAC ) or the Exchange Management Shell to customize the mailbox
storage quotas for specific mailboxes. Storage quotas let you control the size of mailboxes and manage the growth
of mailbox databases. When a mailbox reaches or exceeds a specified storage quota, Exchange sends a descriptive
notification to the mailbox owner.
Storage quotas are typically configured on a per-database basis. This means that the quotas configured for a
mailbox database apply to all mailboxes in that database. For more information about managing per-database
mailbox settings, see Manage mailbox databases in Exchange Server.
This topic shows you how to customize storage settings for a specific mailbox instead of using the storage settings
from the mailbox database. For additional management tasks related to user mailboxes, see Manage user
mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Prohibit send at (GB ): If the mailbox size reaches or exceeds the specified limit, Exchange prevents
the user from sending new messages and displays a descriptive error message.
Prohibit send and receive at (GB ): If the mailbox size reaches or exceeds the specified limit,
Exchange prevents the mailbox user from sending new messages and won't deliver any new
messages to the mailbox. Any messages sent to the mailbox are returned to the sender with a
descriptive error message.
5. Click Save to save your changes.
NOTE
To ensure that the custom settings for the mailbox are used rather than the mailbox database defaults, you must set the
UseDatabaseQuotaDefaults parameter to $false .
This example sets the issue warning, prohibit send, and prohibit send and receive quotas for Ayla Kol's mailbox to
900 megabytes (MB ), 950 MB, and 1 GB respectively, and configures the mailbox to use custom settings.
When a user deletes items from the Deleted Items default folder by using the Delete, Shift+Delete, or Empty
Deleted Items Folder actions, the items are moved to the Recoverable Items\Deletions folder. The duration
that deleted items remain in this folder is based on the deleted item retention settings configured for the mailbox
database or the mailbox. By default, a mailbox database is configured to retain deleted items for 14 days, and the
recoverable items warning quota and recoverable items quota are set to 20 gigabytes (GB ) and 30 GB
respectively.
NOTE
Before the retention time for deleted items elapses,Outlook and Outlook on the web users can recover deleted items by
using the Recover Deleted Items feature. To learn more about these features, see the "Recover deleted items" topic for
Outlook 2013 and Outlook 2016 or Outlook on the web.
You can use the Exchange Management Shell to configure deleted item retention settings and recoverable items
quotas for a mailbox or mailbox database. Deleted item retention settings are ignored when a mailbox is placed on
In-Place Hold or litigation hold.
To learn more about deleted item retention, the Recoverable Items folder, In-Place Hold, and litigation hold, see
Recoverable Items folder in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Use the Exchange Management Shell to configure deleted item retention for a mailbox
This example configures April Stewart's mailbox to retain deleted items for 30 days.
This example configures a recoverable items warning quota of 12 GB and a recoverable items quota of 15 GB for
April Stewart's mailbox.
NOTE
To configure a mailbox to use different recoverable items quotas than the mailbox database in which it resides, you must set
the UseDatabaseQuotaDefaults parameter to $false .
This example configures a deleted item retention period of 10 days for the mailbox database MDB2.
This example configures a recoverable items warning quota of 15 GB and a recoverable items quota of 20 GB on
mailbox database MDB2.
In Exchange Server 2013 or later, converting a mailbox from one type of mailbox to another is mostly unchanged
from the experience in Exchange 2010. You still need to use the Set-Mailbox cmdlet in the Exchange Management
Shell to do the conversion.
You can convert the following mailboxes to a different type:
User mailbox to room or equipment mailbox
User mailbox to shared mailbox
Shared mailbox to user mailbox
Shared mailbox to room or equipment mailbox
Room or equipment mailbox to user mailbox
Room or equipment mailbox to shared mailbox
Note: If your organization uses a hybrid Exchange environment, you need to manage your mailboxes by using the
on-premises Exchange management tools. To convert a mailbox in a hybrid environment, you might need to move
the mailbox back to on-premises Exchange, convert the mailbox type, and then move it back to Office 365.
Set-Mailbox -Identity <MailboxIdentity> -Type <Regular | Room | Equipment | Shared> [-Password (ConvertTo-
SecureString -String '<Password>' -AsPlainText -Force)] [-EnableRoomMailboxAccount <$true | $false>] [-
RoomMailboxPassword (ConvertTo-SecureString -String '<Password>' -AsPlainText -Force)] [-
ResetPasswordOnNextLogon <$true | $false>]
This example converts the shared mailbox named Marketing Dept 01 to a user mailbox with the new password
P@ssw0rd25, and the requirement to change the password the next time the user logs in to the mailbox.
Set-Mailbox -Identity "Marketing Dept 01" -Type Regular -Password (ConvertTo-SecureString -String 'P@ssw0rd25'
-AsPlainText -Force) -ResetPasswordOnNextLogon $true
This example converts the user mailbox named Conference Room 01 to a room mailbox.
This is the same example, but the user account for the room mailbox is enabled, and the password is P@ssw0rd25
Set-Mailbox -Identity "Conference Room 01" -Type Room -EnableRoomMailboxAccount $true -RoomMailboxPassword
(ConvertTo-SecureString -String 'P@ssw0rd25' -AsPlainText -Force)
Note: Even when you convert a user mailbox with a known password to a room mailbox, you still need to use the
RoomMailboxPassword parameter to specify a password.
For detailed syntax and parameter information, see Set-Mailbox.
You can use the Exchange Management Shell to enable or disable single item recovery on a mailbox. In Exchange
Server, single item recovery is disabled when a mailbox is created. If single item recovery is enabled, messages that
are purged (hard-deleted) by the user are retained in the Recoverable Items folder of the mailbox until the deleted
item retention period expires. This lets an administrator recover messages purged by the user before the deleted
item retention period expires. Also, if a message is changed by a user or a process, copies of the original item are
also retained when single item recovery is enabled.
This example enables single item recovery for the mailbox of Pilar Pinilla and sets the number of days that deleted
items are retained to 30 days.
This example enables single item recovery for all user mailboxes in the organization.
This example enables single item recovery for all user mailboxes in the organization and sets the number of days
that deleted items are retained to 30 days
You can use this same command to verify that single item recovery is disabled for a mailbox.
More information
To learn more about single item recovery, see Recoverable Items folder in Exchange Server. To recover
messages purged by the user before the deleted item retention period expires, see Recover deleted
messages in a user's mailbox .
If a mailbox is placed on In-Place Hold or Litigation Hold, messages in the Recoverable Items folder are
retained until the hold duration expires. If the hold duration is unlimited, then items are retained until the
hold is removed or the hold duration is changed.
Recover deleted messages in a user's mailbox
8/23/2019 • 6 minutes to read • Edit Online
Administrators can search for items that are purged (hard-deleted) by a user by using the Recover Deleted Items
feature in Outlook or Outlook on the web. They can also search for items deleted by an automated process, such
as the retention policy assigned to user mailboxes. In these situations, the purged items can't be recovered by a
user. But administrators can recover purged messages if the deleted item retention period for the item hasn't
expired.
NOTE
In addition to using this procedure to search for and recover deleted items, you can also use this procedure to search for
items residing in other folders in the mailbox and to delete items from the source mailbox (also known as search and purge).
NOTE
When using the Search-Mailbox cmdlet, you can also specify a target mailbox that isn't a discovery mailbox.
However, you can't specify the same mailbox as the source and target mailbox.
Search criteria: Criteria include sender or recipient, or keywords (words or phrases) in the message.
The first step in the recovery process is to search for messages in the source mailbox. Use one of the following
methods to search a user mailbox and copy messages to a discovery mailbox.
Use the Exchange Management Shell to search for messages
This example searches for messages in April Stewart's mailbox that meet the following criteria:
Sender: Ken Kwok
Keyword: Seattle
Search-Mailbox "April Stewart" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "Discovery Search
Mailbox" -TargetFolder "April Stewart Recovery" -LogLevel Full
NOTE
When using the Search-Mailbox cmdlet, you can scope the search by using the SearchQuery parameter to specify a query
formatted using Keyword Query Language (KQL). You can also use the SearchDumpsterOnly switch to search only items in
the Recoverable Items folder.
NOTE
You can't use the EAC to restore recovered items.
After messages have been recovered to a discovery mailbox, you can restore them to the user's mailbox by using
the Search-Mailbox cmdlet. In Exchange Server, you can also use the New-MailboxExportRequest and New-
MailboxImportRequest cmdlets to export the messages to or import the messages from a .pst file.
Use the Exchange Management Shell to restore messages
This example restores messages to April Stewart's mailbox and deletes them from the Discovery Search Mailbox.
Search-Mailbox "Discovery Search Mailbox" -SearchQuery "from:'Ken Kwok' AND seattle" -TargetMailbox "April
Stewart" -TargetFolder "Recovered Messages" -LogLevel Full -DeleteContent
More information
The ability to recover deleted items is enabled by single item recovery, which lets an administrator recover a
message that's been purged by a user or by retention policy as long as the deleted item retention period
hasn't expired for that item. To learn more about single item recovery, see Recoverable Items folder in
Exchange Server.
In Exchange Server, a mailbox database is configured to retain deleted items for 14 days, by default. You
can configure deleted item retention settings for a mailbox or mailbox database. For more information, see:
Change the Deleted Item Retention Period for a Mailbox in Exchange Online
Configure Deleted Item retention and Recoverable Items quotas
Users can recover a deleted item if it hasn't been purged and if the deleted item retention period for that
item hasn't expired. If users need to recover deleted items from the Recoverable Items folder, point them to
the following topics:
Recover deleted items in Outlook for Windows
Recover deleted items or email in Outlook on the web
This topic shows you how to use the Search-Mailbox cmdlet to search for and recover missing items. If
you use this cmdlet, you can search only one mailbox at a time. If you want to search multiple mailboxes at
the same time, you can use In-Place eDiscovery in Exchange Server in the Exchange admin center (EAC ) or
the New -ComplianceSearch cmdlet in Windows PowerShell.
In addition to using this procedure to search for and recover deleted items, you can also use a similar
procedure to search for items in user mailboxes and then delete those items from the source mailbox. For
more information, see Search for and delete messages in Exchange Server.
Manage linked mailboxes
8/23/2019 • 25 minutes to read • Edit Online
Linked mailboxes may be necessary for organizations that deploy Exchange in a resource forest. The resource
forest scenario lets an organization centralize Exchange in a single forest, while allowing access to the Exchange
organization with user accounts that are located in one or more trusted forests (called account forests). The user
account that accesses the linked mailbox doesn't exist in the forest where Exchange is deployed. Therefore, a
disabled user account that exists in the same forest as Exchange is created and associated with the corresponding
linked mailbox.
The following figure illustrates the relationship between the linked user account used to access the linked mailbox
(located in the account forest) and the disabled user account in the Exchange resource forest that's associated with
the linked mailbox.
Linked mailboxes
NOTE
A trust between the Exchange forest and at least one account forest must be set up before you can create linked mailboxes.
At a minimum, you must set up a one-way, outgoing trust so that the Exchange forest trusts the account forest. For more
information, see Learn more about setting up a forest trust to support linked mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
You won't be prompted for administrator credentials if you've created a two-way trust or have created another one-
way outgoing trust where the account forest trusts the Exchange forest.
5. Complete the following boxes on the Select linked master account page.
Linked domain controller: Select a domain controller in the account forest. Exchange will connect
to this domain controller to retrieve the list of user accounts in the account forest so that you can
select the linked master account.
Linked master account: Click Browse, select a user account in the account forest, and then click
OK. The new linked mailbox will be associated with this account.
6. Click Next and complete the following boxes on the Enter general information page.
* Name: Use this box to type a name for the user. This is the name used as the display name in the
EAC and your organization's address book, and the name that's listed in Active Directory. This name
is required.
Organizational unit: You can select an organizational unit (OU ) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users
container in the Active Directory domain that contains the computer on which the EAC is running. If
the recipient scope is set to a specific domain, the Users container in that domain is selected by
default. If the recipient scope is set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the Exchange forest that are
within the specified scope. Select the OU you want, and then click OK.
* User logon name: Use this box to type the user logon name, which is required to create a linked
mailbox. Type the user name here. This name will be used in the left portion of the email address for
the linked mailbox if you don't specify an alias.
NOTE
Because the user account that is created in the Exchange forest is disabled when you create a linked mailbox,
the user doesn't use the user logon name to sign in to the linked mailbox. They sign in using their credentials
from the account forest.
7. Click More options to configure the following boxes. Otherwise, skip to Step 8 to save the new linked
mailbox.
Alias: Type the alias, which specifies the email alias for the linked mailbox. The user's alias is the
portion of the email address on the left side of the at (@) symbol. It must be unique in the forest.
NOTE
If you leave this box blank, the value from the user name portion of the User Logon Name is used for the
email alias.
IMPORTANT
The estimated time to complete this task will vary based on the number of properties you want to view or change.
NOTE
To obtain the information that's displayed in the previous two boxes, the EAC queries the mailbox database that hosts the
mailbox. If the EAC can't communicate with the Exchange store that contains the mailbox database, these boxes will be blank.
A warning message is displayed if the user hasn't signed in to the mailbox for the first time.
Click More options to view or change the mailbox storage quota and the deleted item retention settings for the
mailbox.
Storage quota settings: To customize these settings for the mailbox and not use the mailbox database
defaults, click Customize settings for this mailbox, type a new value, and then click Save.
The value range for any of the storage quota settings is from 0 through 2047 gigabytes (GB ).
Issue a warning at (GB ): This box displays the maximum storage limit before a warning is issued to
the user. If the mailbox size reaches or exceeds the value specified, Exchange sends a warning
message to the user.
Prohibit send at (GB ): This box displays the prohibit send limit for the mailbox. If the mailbox size
reaches or exceeds the specified limit, Exchange prevents the user from sending new messages and
displays a descriptive error message.
Prohibit send and receive at (GB ): This box displays the prohibit send and receive limit for the
mailbox. If the mailbox size reaches or exceeds the specified limit, Exchange prevents the mailbox
user from sending new messages and won't deliver any new messages to the mailbox. Any messages
sent to the mailbox are returned to the sender with a descriptive error message.
Deleted item retention settings: To customize these settings for the mailbox and not use the mailbox
database defaults, click Customize settings for this mailbox, type a new value, and then click Save.
Keep deleted items for (days): This box displays the length of time that deleted items are retained
before they're permanently deleted and can't be recovered by the user. When the mailbox is created,
this length of time is based on the deleted item retention settings configured for the mailbox
database. By default, a mailbox database is configured to retain deleted items for 14 days. The value
range for this property is from 0 through 24855 days.
Don't permanently delete items until the database is backed up: Select this check box to
prevent mailboxes and email messages from being deleted until after the mailbox database on which
the mailbox is located has been backed up.
Email Address
Use the Email address section to view or change the email addresses associated with the linked mailbox. This
includes the user's primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also
known as the default reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this radio button and then type the new SMTP address
in the * Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Exchange Unified Messaging
service in Exchange 2016 to locate UM -enabled users within an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM -enabled user. Click this
radio button and type the extension number in the Address/Extension box. Then click Browse and
select a dial plan for the user. (Note: Unified Messaging is not available in Exchange 2019.)
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box if you want the recipient's email addresses to be updated automatically when changes
are made to email address policies in your organization. This box is selected by default.
Mailbox Features
Use the Mailbox Features section to view or change the following mailbox features and settings:
Sharing policy: This box shows the sharing policy applied to the mailbox. A sharing policy controls how
users in your organization can share calendar and contact information with users outside your Exchange
organization. The Default Sharing Policy is assigned to mailboxes when they are created. To change the
sharing policy that's assigned to the user, select a different one from the drop-down list.
Role assignment policy: This box shows the role assignment policy assigned to the mailbox. The role
assignment policy specifies the role-based access control (RBAC ) roles that are assigned to the user and
controls which mailbox and distribution group configuration settings users can modify. To change the role
assignment policy that's assigned to the user, select a different one from the drop-down list.
Retention policy: This box shows the retention policy assigned to the mailbox. A retention policy is a group
of retention tags that are applied to the user's mailbox. The tags allow you to control how long to keep items
in users' mailboxes and define which action to take on items that have reached a certain age. A retention
policy isn't assigned to mailboxes when they are created. To assign a retention policy to the user, select one
from the drop-down list.
Address Book policy: This box shows the address book policy applied to the mailbox. An address book
policy allows you to segment users into specific groups to provide customized views of the address book. To
apply or change the address book policy that's applied to the mailbox, select one from the drop-down list.
Unified Messaging: This feature is disabled by default. When you enable Unified Messaging (UM ) in
Exchange 2016, the user will be able to use your organization's UM features and a default set of UM
properties are applied to the user. Click Enable to enable UM for the mailbox. For information about how to
enable UM, see Enable a User for Unified Messaging. (Note: Unified Messaging is not available in
Exchange 2019.)
NOTE
A UM dial plan and a UM mailbox policy must exist before you can enable UM.
Mobile Devices: Use this section to view and change the settings for Exchange ActiveSync, which is
enabled by default. Exchange ActiveSync enables access to an Exchange mailbox from a mobile device. Click
Disable Exchange ActiveSync to disable this feature for the mailbox.
Outlook Web App: This feature is enabled by default. Outlook on the web provides access to an Exchange
mailbox via a web browser. Click Disable to disable Outlook on the web for the mailbox. Click Edit details
to add or change an Outlook on the web mailbox policy for the mailbox.
IMAP: This feature is enabled by default. Click Disable to disable IMAP for the mailbox.
POP3: This feature is enabled by default. Click Disable to disable POP3 for the mailbox.
MAPI: This feature is enabled by default. MAPI enables access to an Exchange mailbox from a MAPI client
such as Outlook. Click Disable to disable MAPI for the mailbox.
Litigation hold: This feature is disabled by default. Litigation hold preserves deleted mailbox items and
records changes made to mailbox items. Deleted items and all instances of changed items are returned in a
discovery search. Click Enable to put the mailbox on litigation hold. If the mailbox is on litigation hold, click
Disable to remove the litigation hold. If the mailbox is on litigation hold, click Edit details to view and
change the following litigation hold settings:
Hold date: This read-only box indicates date and time when the mailbox was put on litigation hold.
Put on hold by: This read-only box indicates the user who put the mailbox on litigation hold.
Note: Use this box to notify the user about the litigation hold, explain why the mailbox is on litigation
hold, or provide additional guidance to the user, such as informing them that the litigation hold won't
affect their day-to-day use of email.
URL: Use this box to provide a URL to a website that provides information or guidance about the
litigation hold on the mailbox.
NOTE
The text from these boxes appears in the user's mailbox only if they're using Outlook 2010 or later versions. It
doesn't appear in Outlook on the web or other email clients. To view the text from the Note and URL boxes in
Outlook, click the File tab and, on the Info page, under Account Settings, you'll see the litigation hold
comment.
Archiving: If an archive mailbox doesn't exist for the user, this feature is disabled. To enable an archive
mailbox, click Enable. If the user has an archive mailbox, the size of the archive mailbox and usage statistics
are displayed. Click Edit details to view and change the following archive mailbox settings:
Status: This read-only box indicates whether an archive mailbox exists.
Database: This read-only box shows the name of the mailbox database that hosts the archive
mailbox.
Name: Type the name of the archive mailbox in this box. This name is displayed under the folder list
in Outlook or Outlook on the web.
Quota usage: This read-only area shows the total size of the archive mailbox and the percentage of
the total archive mailbox quota that has been used.
Quota value (GB ): This box shows the total size of the archive mailbox. To change the size, type a
new value in the box or select a value from the drop-down list.
Issue warning at (GB ): This box shows the maximum storage limit for the archive mailbox before a
warning is issued to the user. If the archive mailbox size reaches or exceeds the value specified,
Exchange sends a warning message to the user. To change this limit, type a new value in the box or
select a value from the drop-down list.
Delivery Options: Use Delivery Options to forward email messages sent to the user to another recipient
and to set the maximum number of recipients that the user can send a message to. Click Edit details to
view and change these settings.
Forwarding address: Select the Enable forwarding check box and then click Browse to display the
Select Mail User and Mailbox page. Use this page to select a recipient to whom you want to
forward all email messages that are sent to this mailbox. Messages will be delivered to both the
linked mailbox and the forwarding address.
Recipient limit: This setting controls the maximum number of recipients the user can send a
message to. Select the Maximum recipients check box to limit the number of recipients allowed on
the To:, Cc:, and Bcc: lines of an email message, and then specify the maximum number of recipients.
NOTE
For on-premises Exchange organizations, the recipient limit is unlimited. For Exchange Online organizations,
the limit is 500 recipients.
Message Size Restrictions: These settings control the size of messages that the user can send and receive.
Click Edit details to view and change the maximum size for sent and received messages.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB ) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be returned
to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB ) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this user. Click
Edit details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search.
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders in
the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipient page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want to reject messages from, add them to the list, and then click OK. You can also
search for a specific recipient by typing the recipient's name in the search box and then clicking
Search.
Member Of
Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or more
dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they're used.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues if they send a message to this recipient.
A MailTip is text that's displayed in the InfoBar when a recipient is added to the To, Cc, or Bcc lines of a new email
message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Mailbox Delegation
Use the Mailbox Delegation section to assign permissions to other users (also called delegates) to allow them to
sign in to the user's mailbox or send messages on behalf of the user. You can assign the following permissions:
Send As: This permission allows users other than the mailbox owner to use the mailbox to send messages.
After this permission is assigned to a delegate, any message that a delegate sends from this mailbox will
appear as if it was sent by the mailbox owner. However, this permission doesn't allow a delegate to sign in to
the user's mailbox.
Send on Behalf Of: This permission also allows a delegate to use this mailbox to send messages. However,
after this permission is assigned to a delegate, the From: address in any message sent by the delegate
indicates that the message was sent by the delegate on behalf of the mailbox owner.
Full Access: This permission allows a delegate to sign in to the user's mailbox and view the contents of the
mailbox. However, after this permission is assigned to a delegate, the delegate can't send messages from the
mailbox. To allow a delegate to send email from the user's mailbox, you still have to assign the delegate the
Send As or the Send on Behalf Of permission.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want assign delegate permissions to, add them to the list, and then click OK. You can also
search for a specific recipient by typing the recipient's name in the search box and then clicking Search.
Use the Exchange management Shell to change linked mailbox properties
Use the Get-Mailbox and Set-Mailbox cmdlets to view and change properties for linked mailboxes. One
advantage of using the Exchange Management Shell is the ability to change the properties for multiple linked
mailboxes. For information about what parameters correspond to mailbox properties, see the following topics:
Get-Mailbox
Set-Mailbox
Here are some examples of using the Exchange Management Shell to change linked mailbox properties.
This example uses the Get-Mailbox command to find all the linked mailboxes in the organization.
This example uses the Set-Mailbox command to limit the number of recipients allowed on the To:, Cc:, and Bcc:
lines of an email message to 500. This limit applies to all linked mailboxes in the organization.
This example changes the linked master account in the fabrikam.com account forest that is associated with a linked
mailbox in an Exchange forest.
For the example above where the linked master account was changed, run the following command to verify
the new value.
Use the Exchange admin center (EAC ) or the Exchange Management Shell to create a new distribution group in
your Exchange organization or to mail-enable an existing group in Active Directory.
There are two types of groups that can be used to distribute messages:
Mail-enabled universal distribution groups (also called distribution groups) can be used only to distribute
messages.
Mail-enabled universal security groups (also called security groups) can be used to distribute messages as
well as to grant access permissions to resources in Active Directory. For more information, see Manage
mail-enabled security groups in Exchange Server.
It's important to note the terminology differences between Active Directory and Exchange. In Active Directory, a
distribution group refers to any group that doesn't have a security context, whether it's mail-enabled or not. In
contrast, in Exchange, all mail-enabled groups are referred to as distribution groups, whether they have a security
context or not.
NOTE
You can create or mail-enable only universal distribution groups. To convert a domain-local or a global group to a universal
group, you can use the Set-Group cmdlet using the Exchange Management Shell. You may have mail-enabled groups that
were migrated from previous versions of Exchange that are not universal groups. You can use the EAC or the Exchange
Management Shell to manage these groups
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Create a distribution group
Use the EAC to create a distribution group
1. In the EAC, navigate to Recipients > Groups.
2. Click New > Distribution group.
3. On the New distribution group page, complete the following boxes:
* Display name: Use this box to type the display name. This name appears in your organization's
address book, on the To: line when email is sent to this group, and in the Groups list in the EAC. The
display name is required and should be user-friendly so people recognize what it is. It also must be
unique in the forest.
* Alias: Use this box to type the name of the alias for the group. The alias can't exceed 64 characters
and must be unique in the forest. When a user types the alias in the To: line of an email message, it
resolves to the group's display name.
Description: Use this box to describe the group so people know what the purpose of the group is.
This description appears in the address book.
Organizational unit: You can select an organizational unit (OU ) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users
container in the Active Directory domain that contains the computer on which the EAC is running. If
the recipient scope is set to a specific domain, the Users container in that domain is selected by
default. If the recipient scope is set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within
the specified scope. Select the OU you want, and then click OK.
* Owners: By default, the person who creates a group is the owner. All groups must have at least one
owner. You can add owners by clicking Add .
Members: Use this section to add members and to specify whether approval is required for people
to join or leave the group.
Group owners don't have to be members of the group. Use Add group owners as members to add
or remove the owners as members.
To add members to the group, click Add . When you've finished adding members, click OK to
return to the New distribution group page.
Under Choose whether owner approval is required to join the group, specify whether approval
is required for people to join the group. Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners: This
is the default setting.
Closed: Members can be added only by the group owners. All requests to join will be
rejected automatically
Owner Approval: All requests are manually approved or rejected by the group owners: If
you select this option, the group owner or owners will receive an email message requesting approval
to join the group.
Under Choose whether the group is open to leave, specify whether approval is required for
people to leave the group. Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners: This is the
default setting.
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically
4. When you've finished, click Save to create the distribution group.
NOTE
By default, new distribution groups require that all senders be authenticated. This prevents external senders from sending
messages to distribution groups. To configure a distribution group to accept messages from all senders, you must modify
the message delivery restriction settings for that distribution group.
For more information about using the Exchange Management Shell to create distribution groups, see New -
DistributionGroup.
How do you know this worked?
To verify that you've successfully created a distribution group, do one of the following:
In the EAC, navigate to Recipients > Groups. The new distribution group is displayed in the group list.
Under Group Type, the type is Distribution group.
In the Exchange Management Shell, run the following command to display information about the new
distribution group.
TIP
Consider hiding security groups because they're typically used to assign permissions to group members and not to
send email.
Organizational unit: This read-only box displays the organizational unit (OU ) that contains the
distribution group. You have to use Active Directory Users and Computers to move the group to a different
OU.
Ownership
Use this section to assign group owners. The group owner can add members to the group, approve or reject
requests to join or leave the group, and approve or reject messages sent to the group. By default, the person who
creates a group is the owner. All groups must have at least one owner.
You can add owners by clicking Add . You can remove an owner by selecting the owner and then clicking
Remove .
Membership
Use this section to add or remove members. Group owners don't have to be members of the group. Under
Members, you can add members by clicking Add . You can remove a member by selecting a user in the
member list and then clicking Remove .
Membership approval
Use this section to specify whether approval is required for users to join or leave the group.
Choose whether owner approval is required to join the group: Select one of the following settings:
Open: Anyone can join this group without being approved by the group owners
Closed: Members can be added only by the group owners. All requests to join will be
rejected automatically
Owner Approval: All requests are approved or rejected by the group owners: If you select this
option, the group owner or owners receive an email requesting approval to join the group.
Choose whether the group is open to leave: Select one of the following settings:
Open: Anyone can leave this group without being approved by the group owners
Closed: Members can be removed only by the group owners. All requests to leave will be
rejected automatically
Delivery management
Use this section to manage who can send email to this group.
Only senders inside my organization: Select this option to allow only senders in your organization to
send messages to the group. This means that if someone outside of your organization sends an email
message to this group, it will be rejected. This is the default setting.
Senders inside and outside of my organization: Select this option to allow anyone to send messages to
the group.
You can further limit who can send messages to the group by allowing only specific senders to send
messages to this group. Click Add and then select one or more recipients. If you add senders to this list,
they are the only ones who can send mail to the group. Mail sent by anyone not in the list will be rejected.
To remove a person or a group from the list, select them in the list and then click Remove .
IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email sent
from a mail contact will be rejected, even if they are added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add . To remove a moderator, select the moderator,
and then click Remove . If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add . To remove a person or a group, select the item, and then click Remove .
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization when their messages aren't approved: When you select
this option, only people or groups in your organization are notified when a message that they sent to
the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for correct formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Edit: To change an email address associated with the group, select it in the list, and then click Edit .
Remove: To delete an email address associated with the group, select it in the list, and then click Remove
.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
MailTip
Use this section to add a MailTip to alert users of potential issues if they send a message to this group. A MailTip
is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email message.
For example, you could add a MailTip to large groups to warn potential senders that their message will be sent to
lots of people.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group
or send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group in the From line. The message will
appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use the Exchange Management Shell to change distribution group properties
Use the Get-DistributionGroup and Set-DistributionGroup cmdlets to view and change properties for
distribution groups. Advantages of using the Exchange Management Shell are the ability to change the properties
that aren't available in the EAC and to change properties for multiple groups. For information about which
parameters correspond to distribution group properties, see the following topics:
Get-DistributionGroup
Set-DistributionGroup
Here are some examples of using the Exchange Management Shell to change distribution group properties.
This example changes the primary SMTP address (also called the reply address) for the Seattle Employees
distribution group from employees@contoso.com to sea.employees@contoso.com. Also, the previous reply
address will be kept as a proxy address.
This example limits the maximum message size that can be sent to all distribution groups in the organization to 10
megabytes (MB ).
This example enables moderation for the distribution group Customer Support and sets the moderator to Amy. In
addition, this moderated distribution group will notify senders who send mail from within the organization if their
messages aren't approved.
This example changes the user-created distribution group Dog Lovers to require the group manager to approve
users' requests to join the group. In addition, by using the BypassSecurityGroupManagerCheck parameter, the
group manager will not be notified that a change was made to the distribution group's settings.
For the example above where the message limits were changed, run this command.
Get-Mailbox -OrganizationalUnit "Marketing" | Format-List
Name,IssueWarningQuota,ProhibitSendQuota,ProhibitSendReceiveQuota,UseDatabaseQuotaDefaults
Manage mail-enabled security groups in Exchange
Server
8/23/2019 • 23 minutes to read • Edit Online
You can use mail-enabled security groups to distribute messages as well as grant access permissions to resources
in Exchange and Active Directory. You can create, modify, and remove mail-enabled security groups in the
Exchange admin center (EAC ) or in the Exchange Management Shell. For more information about mail-enabled
security groups, see Recipients.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
3. On the New security group page that opens, configure these settings (values marked with an * are
required):
* Display name: This value should help users immediately recognize what the group is used for. This
name appears in the global address list, on the To: line when email is sent to this group, and in the
Groups list in the EAC. The maximum length in the EAC is 64 characters, and the value must be
unique.
NOTE
If a group naming policy is applied, you need to follow the naming constraints that are enforced for your
organization. For more information, see Create a Distribution Group Naming Policy. If you want to override
your organization's group naming policy, see Override a Distribution Group Naming Policy.
* Alias: This value is used to generate the primary email address ( <alias>@ <domain>). This value
can contain letters, numbers and the characters !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } and ~. Periods
(.) are allowed, but each period must be surrounded by other valid characters (for example,
help.desk). Unicode characters from U+00A1 to U+00FF are also allowed, but are mapped to best-fit
US -ASCII text characters in the primary email address (for example, U+00F6 (ö) is changed to oe).
The alias can't exceed 64 characters and must be unique in the forest. When a user types the alias on
the To: line of an email message, it resolves to the group's display name.
Notes: Use this box to describe the purpose of the group. This description appears in the global
address list and in the details pane in the EAC.
Organizational unit: The default location in Active Directory depends on the recipient scope that's
configured:
If the recipient scope is the Active Directory forest, the default location is the Users container
in the domain where the computer that's running the EAC is located.
If the recipient scope is a specific domain, the default location is the Users container in that
domain.
If the recipient scope is a specific organizational unit (OU ), the default location is that OU.
To select a different OU, click Browse. The Select an organizational unit dialog box that opens
shows all of the available OUs in the forest that are within the specified recipient scope. Select the
desired OU, and then click OK.
* Owners: By default, the person who creates the group is the owner. All groups must have at least
one owner. Group owners can:
Modify the properties of the group
Add or remove group members
Delete the group
Approve messages sent to the group (if moderation is enabled)
To add owners, click Add . In the Select Owners dialog that appears, select one or more owners,
click Add, and then click OK.
To remove owners, select the owner in the list, and then click Remove .
Members
To add members to the group, click Add . In the Select Members dialog that appears, select one
or more members, click Add, and then click OK.
To remove members, select the member in the list, and then click Remove .
Add group owners as members: When this check box is selected, you don't need to manually
include group owners in the list of members. If you don't want the group owners to be members of
the group, clear this check box.
Owner approval is required: For mail-enabled security groups, user requests to join the group
aren't sent to the group owners, regardless of the state of this check box (selected or not selected). A
group owner needs to manually add and remove group members from a mail-enabled security
group.
When you've finished, click Save.
Use the Exchange Management Shell to create a mail-enabled security group
To create a mail-enabled security group, use this syntax:
New-DistributionGroup -Type Security -Name <UniqueName> [-IgnoreNamingPolicy] [-Alias <Alias>] [-DisplayName "
<DisplayName>"] [-Notes "<Description>"] [-OrganizationalUnit <OU>] [-ManagedBy "<owner1>","<owner2>"...] [-
Members "<member1>","<member2>"...] [-CopyOwnerToMember] [-MemberJoinRestriction <Closed | ApprovalRequired>]
[-RequireSenderAuthenticationEnabled <$true | $false>]
New-DistributionGroup -Type Security -Name "File Server Managers" -Alias fsadmin -Members "Bishamon
Tamura","Valeria Barrios" -CopyOwnerToMember
In the Exchange Management Shell, replace <GroupIdentity> with the identity of the group (for example,
name, alias, or email address), and run this command to verify the property values:
Message approval
Use this tab to configure the moderation settings for messages that are sent to the group.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, messages that are sent to the group must be approved by the specified
moderators before they're delivered to the group members. When you select this option, you can configure
these additional settings:
Group moderators: For mail-enabled security groups, the group owners aren't automatically used
as moderators. You need to specify at least one moderator here when moderation is enabled.
To add moderators, click Add . In the Select Group Moderators dialog that appears, select one or
more moderators (which can include any of the group owners), click Add, and then click OK.
To remove moderators, select the moderator in the list, and then click Remove .
Senders who don't require message approval: To configure senders who can bypass moderation
for the group (send messages directly to the group members), click Add . In the Select Senders
dialog that appears, select one or more senders, click Add, and then click OK.
To remove senders, select the sender in the list, and then click Remove .
You don't need to include moderators in the list of senders who bypass moderation. Messages that
are sent to the group by a moderator aren't moderated.
Select moderation notifications: This setting configures how message senders are notified when
their messages aren't approved by a moderator:
Notify all senders when their messages aren't approved: Authenticated and unauthenticated
(internal and external) senders are notified when their messages aren't approved by a group
moderator. This is the default value.
Notify senders in your organization when their messages aren't approved: Only authenticated
(internal) senders are notified when their messages aren't approved by a group moderator.
Don't notify anyone when a message isn't approved: Senders aren't notified when their
messages aren't approved by a group moderator.
Email options
Use this tab to view or change the email addresses that are configured for the group.
Email address: By default, you use this setting to add additional email addresses for the group (also known
as proxy addresses).
By default, the primary email address (also known as the Reply To or reply address) is configured by the
email address policy that's applied to the group. For more information about email address policies, see
Email address policies in Exchange Server. The primary email address that's shown here is bold, and has the
uppercase SMTP value in the Type column.
To manually specify the group's primary email address here, you need to clear the check box
Automatically update email addresses based on the email address policy applied to this recipient.
Note that clearing this check box prevents automatic updates to the email addresses of the group by email
address policies.
To add a new email address for the group, click Add . In the New email address page that opens,
select one of these options:
Email address type: Select SMTP. In the Email address box, type the email address (for example,
helpdesk@contoso.com). The domain must be an accepted domain that's configured for your
organization. For more information, see Accepted domains in Exchange Server.
On the previous page, if you left Automatically update email addresses based on the email
address policy applied to this recipient check box selected, the email address is added to the
group as a proxy address (there's no Make this the reply address check box on this page).
On the previous page, if you cleared the Automatically update email addresses based on the
email address policy applied to this recipient check box, you can select Make this the reply
address. This setting adds the new email address as the primary email address, and the previous
primary email address is kept as a proxy address. If you don't select Make this the reply address,
the email address is added as a proxy address, and the primary email address is unaffected.
Email address type: Select Enter a custom address type. Type the custom email address type (for
example, X400). In the Email address box, type the custom email address.
Note: With the exception of X.400 addresses, Exchange doesn't validate custom email addresses for correct
formatting. You need to make sure that the custom email address complies with the format requirements
for that address type.
When you're finished, click OK.
To modify an existing email address for the group, select it in the list, and then click Edit . Note
that you can't change the email address type, just the email address.
To remove an existing email address from the group, select it in the list, and then click Remove .
Note that you can't remove the primary email address.
MailTip
Use this tab to add a custom MailTip for the group. MailTips alert users to potential issues before they send a
message to the group. For more information about MailTips, see Configure Custom MailTips for Recipients.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this tab to assign permissions to the group for a user (called a delegate).
Send As: The specified users can send messages that appear to be sent by the group. The actual sender isn't
revealed, and replies to these messages are delivered to the group.
Send on Behalf: The specified users can send on behalf of the group. Although messages send on behalf
of the group clearly show the sender in the From line (<Sender> on behalf of <Group>), replies to these
messages are delivered to the group, not the sender.
To add delegates, click Add for the appropriate permission. In the resulting dialog that appears, select one or
more delegates, click Add, and then click OK.
After you assign one of these permissions, the delegate can select the group for the From line in Outlook or
Outlook on the web (formerly known as Outlook Web App).
To remove delegates, select the delegate in the appropriate list, and then click Remove .
Use the Exchange Management Shell to modify a mail-enabled security group
You use the Set-DistributionGroup cmdlet to modify mail-enabled security groups. Here are some interesting
settings that you can configure using the Set-DistributionGroup cmdlet that aren't available in the EAC or on the
New-DistributionGroup cmdlet:
Configure values for the CustomAttribute1 through CustomAttribute15 properties (the
CustomAttribute1 through CustomAttribute15 parameters).
Configure MailTips in different languages (the MailTipTranslations parameter).
Configure the maximum message size that can be sent to or sent from the group (the MaxReceiveSize and
MaxSendSize parameters).
Instead of specifying the internal recipients who are allowed to send messages to the group, you can specify
the internal recipients who aren't allowed to send messages to the group (the
RejectMessagesFromSendersOrMembers parameter).
For detailed syntax and parameter information, see Set-DistributionGroup.
This example configures the value DoNotMigrate for the CustomAttribute5 property of the group named
Experimental Project.
This example adds the Spanish translation for the existing English MailTip, "Please allow 4 business days for a
response to messages sent to this group" that's configured on the mail-enabled security group
events@contoso.com.
This example returns detailed information for the mail-enabled security group named Help Desk.
Get-DistributionGroup -Identity "Help Desk" | Format-List
This example removes the mail-enabled security group that has the alias value contractors.
In the Exchange Management Shell, replace <GroupIdentity> with the identity of the group (for example,
name, alias, or email address), and run this command to verify that the group isn't returned:
In the Exchange Management Shell, run this command and verify that the group is listed:
This example mail-enables the existing universal security group named Help Desk with the following settings:
Alias: hdesk. If we didn't use the Alias parameter, the value of the Name parameter would be used, with
spaces removed (HelpDesk in this example).
Display name: Because we aren't using the DisplayName parameter, the group's existing Name property
value is used for the display name.
Primary email address: Because we're using the Alias parameter, the group's primary email address is
<alias>@ <domain>, where <domain> is specified by the email address policy that applies to the group. If
we specified a value for the PrimarySMTPAddress parameter, the EmailAddressPolicyEnabled property
would be set to the value $false , which means the email addresses of the group aren't automatically
updated by email address policies.
After you mail-enable the security group, the group will be visible to all other *-DistributionGroup cmdlets.
For detailed syntax and parameter information, see Enable-DistributionGroup.
How do you know this worked?
To verify that you've successfully mail-enabled an existing security group, do any of these steps:
In the EAC, go to Recipients > Groups. Verify that the group is listed, and the Group Type value is
Security group. Note that you might need to click Refresh if the EAC was already open.
In the Exchange Management Shell, run this command and verify that the group is listed:
In the Exchange Management Shell, replace <GroupIdentity> with the identity of the group (for example,
name, alias, or email address), and run this command to verify the property values:
Use the Exchange Management Shell to mail-disable an existing mail-enabled security group
To mail-disable an existing mail-enabled universal security group, use this syntax:
This example mail-disables the mail-enabled security group named Human Resources.
After you mail-disable the security group, the group will be invisible to all *-DistributionGroup cmdlets
except Enable-DistributionGroup.
For detailed syntax and parameter information, see Disable-DistributionGroup.
How do you know this worked?
To verify that you've successfully mail-disabled an existing mail-enabled universal security group, do any of these
steps:
In the EAC, go to Recipients > Groups, and verify that the group isn't listed. Note that you might need to
click Refresh if the EAC was already open.
In the Exchange Management Shell, run this command and verify that the group isn't listed:
In the Exchange Management Shell, replace <GroupIdentity> with the name of the group, and run this
command to verify that the group isn't returned:
In the Exchange Management Shell, run this command and verify that the group is listed:
Dynamic distribution groups are mail-enabled Active Directory group objects that are created to expedite the
mass sending of email messages and other information within a Microsoft Exchange organization.
Unlike regular distribution groups that contain a defined set of members, the membership list for dynamic
distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that
you define. When an email message is sent to a dynamic distribution group, it's delivered to all recipients in the
organization that match the criteria defined for that group.
IMPORTANT
A dynamic distribution group includes any recipient in Active Directory with attribute values that match its filter. If a
recipient's properties are modified to match the filter, the recipient could inadvertently become a group member and start
receiving messages that are sent to the group. Well-defined, consistent account provisioning processes will reduce the
chances of this issue occurring.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
Group naming policy isn't applied to dynamic distribution groups.
* Alias: Use this box to type the name of the alias for the group. The alias cannot exceed 64
characters and must be unique in the forest. When a user types the alias in the To: line of an email
message, it resolves to the group's display name.
Description: Use this box to describe the group so people know what the purpose of the group is.
This description appears in the shared address book.
Organizational unit: You can select an organizational unit (OU ) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users
container in the Active Directory domain that contains the computer on which the EAC is running. If
the recipient scope is set to a specific domain, the Users container in that domain is selected by
default. If the recipient scope is set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within
the specified scope. Select the OU you want, and then click OK.
Owner: An owner for a dynamic distribution group is optional. You can add owners by clicking
Browse and then selecting users from the list.
3. Use the Members section to specify the types of recipients for the group and set up rules that will
determine membership. Select one of the following boxes:
All recipient types: Choose this option to send messages that meet the criteria defined for this
group to all recipient types.
Only the following recipient types: Messages that meet the criteria defined for this group will be
sent to one or more of the following recipient types:
Users with Exchange mailboxes: Select this check box if you want to include users that have
Exchange mailboxes. Users that have Exchange mailboxes are those that have a user domain
account and a mailbox in the Exchange organization.
Users with external email addresses: Select this check box if you want to include users that have
external email addresses. Users that have external email accounts have user domain accounts in
Active Directory, but use email accounts that are external to the organization. This enables them to
be included in the global address list (GAL ) and added to distribution lists.
Resource mailboxes: Select this check box if you want to include Exchange resource mailboxes.
Resource mailboxes allow you to administer company resources through a mailbox, such as a
conference room or a company vehicle.
Contacts with external email addresses: Select this check box if you want to include contacts that
have external email addresses. Contacts that have external email addresses don't have user domain
accounts in Active Directory, but the external email address is available in the GAL.
Mail-enabled groups: Select this check box if you want to include security groups or distribution
groups that have been mail-enabled. Mail-enabled groups are similar to distribution groups. Email
messages that are sent to a mail-enabled group account will be delivered to several recipients.
4. Click Add a rule to define the criteria for membership in this group.
5. Select one of the following recipient attributes from the drop-down list and provide a value. If the value for
the selected attribute matches that value you define, the recipient receives a message sent to this group.
Recipient container The recipient object resides in the specified domain or OU.
ATTRIBUTE SEND MESSAGE TO A RECIPIENT IF...
Custom attributeN (where N is a number from 1 to 15) The specified value matches the recipient's
CustomAttributeN property.
IMPORTANT
The values that you enter for the selected attribute must exactly match those that appear in the recipient's
properties. For example, if you enter Washington for State or province, but the value for the recipient's property
is WA, the condition will not be met. Also, text-based values that you specify aren't case-sensitive. For example, if
you specify Contoso for the Company attribute, messages will be sent to a recipient if this value is contoso.
6. In the Specify words or phrases window, type the value in the text box. Click Add and then click OK.
7. To add another rule to define the criteria for membership, click Add a rule under the previous rule that you
created.
IMPORTANT
If you add multiple rules to define membership, a recipient must meet the criteria of each rule to receive a message
sent to the group. In other words, each rule is connected with the Boolean operator AND.
8. When you've finished, click Save to create the dynamic distribution group.
NOTE
If you want to specify rules for attributes other than the ones available in the EAC, you must use the Exchange
Management Shell to create a dynamic distribution group. Keep in mind that the filter and condition settings for
dynamic distribution groups that have custom recipient filters can be managed only by using the Exchange
Management Shell. For an example of how to create a dynamic distribution group with a custom query, see the next
section on using the Exchange Management Shell to create a dynamic distribution group.
NOTE
If you do not specify an OU in your cmdlets, the default OU scope will be the local OU (the OU in which the dynamic
distribution group is being created). With the New-DynamicDistributionGroup cmdlet, use the RecipientContainer
parameter to specify an OU.
This example creates the dynamic distribution group "Mailbox Users DDG" that contains only mailbox users.
New-DynamicDistributionGroup -IncludedRecipients MailboxUsers -Name "Mailbox Users DDG" -RecipientContainer
Users
This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users on a server called Server1.
This example creates a dynamic distribution group with a custom recipient filter. The dynamic distribution group
contains all mailbox users that have a value of "FullTimeEmployee" in the CustomAttribute10 property.
IMPORTANT
If you've configured the group to allow only senders inside your organization to send messages to the group, email
sent from a mail contact is rejected, even if they're added to this list.
Message approval
Use this section to set options for moderating the group. Moderators approve or reject messages sent to the
group before they reach the group members.
Messages sent to this group have to be approved by a moderator: This check box isn't selected by
default. If you select this check box, incoming messages are reviewed by the group moderators before
delivery. Group moderators can approve or reject incoming messages.
Group moderators: To add group moderators, click Add . To remove a moderator, select the moderator,
and then click Remove . If you've selected "Messages sent to this group have to be approved by a
moderator" and you don't select a moderator, messages to the group are sent to the group owners for
approval.
Senders who don't require message approval: To add people or groups that can bypass moderation for
this group, click Add . To remove a person or a group, select the item, and then click Remove .
Select moderation notifications: Use this section to set how users are notified about message approval.
Notify all senders when their messages aren't approved: This is the default setting. Notify all
senders, inside and outside your organization, when their message isn't approved.
Notify senders in your organization only when their messages aren't approved: When you
select this option, only people or groups in your organization are notified when a message that they
sent to the group isn't approved by a moderator.
Don't notify anyone when a message isn't approved: When you select this option, notifications
aren't sent to message senders whose messages aren't approved by the group moderators.
Email options
Use this section to view or change the email addresses associated with the group. This includes the group's
primary SMTP addresses and any associated proxy addresses. The primary SMTP address (also known as the
reply address) is displayed in bold text in the address list, with the uppercase SMTP value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in
the * Email address box.
NOTE
To make the new address the primary SMTP address for the group, select the Make this the reply address
check box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
NOTE
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for proper formatting.
You must make sure that the custom address you specify complies with the format requirements for that
address type.
Edit: To change an email address associated with the group, select it from the list, and then click Edit .
NOTE
To make an existing address the primary SMTP address for the group, select the Make this the reply address
check box.
Remove: To delete an email address associated with the group, select it from the list, and then click
Remove .
Automatically update email addresses based on the email address policy applied to this
recipient: Select this check box to have the recipient's email addresses automatically updated based on
changes made to email address policies in your organization. This box is selected by default.
MailTip
Use this section to add a MailTip to alert users of potential issues before they send a message to this group. A
MailTip is text that's displayed in the InfoBar when this group is added to the To, Cc, or Bcc lines of a new email
message. For example, you could add a MailTip to large groups to warn potential senders that their message will
be sent to lots of people.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Group delegation
Use this section to assign permissions to a user (called a delegate) to allow them to send messages as the group
or send messages on behalf of the group. You can assign the following permissions:
Send As: This permission allows the delegate to send messages as the group. After this permission is
assigned, the delegate has the option to add the group to the From line to indicate that the message was
sent by the group.
Send on Behalf Of: This permission also allows a delegate to send messages on behalf of the group. After
this permission is assigned, the delegate has the option to add the group on the From line. The message
will appear to be sent by the group and will say that it was sent by the delegate on behalf of the group.
To assign permissions to delegates, click Add under the appropriate permission to display the Select Recipient
page, which displays a list of all recipients in your Exchange organization that can be assigned the permission.
Select the recipients you want, add them to the list, and then click OK. You can also search for a specific recipient
by typing the recipient's name in the search box and then clicking Search.
Use the Exchange Management Shell to change dynamic distribution group properties
Use the Get-DynamicDistributionGroup and Set-DynamicDistributionGroup cmdlets to view and change
properties for dynamic distribution groups. Advantages of using the Exchange Management Shell are the ability
to change the properties that aren't available in the EAC and change properties for multiple groups. For
information about what parameters correspond to distribution group properties, see the following topics:
Get-DynamicDistributionGroup
Set-DynamicDistributionGroup
Here are some examples of using the Exchange Management Shell to change dynamic distribution group
properties.
This example changes the following parameters for all dynamic distribution groups in the organization:
Hide all dynamic distribution groups from the address book
Set the maximum message size that can be sent to the group to 5MB
Enable moderation
Assign the administrator as the group moderator
For the example above where the message limits were changed, run this command.
Dynamic distribution groups are distribution groups whose membership is based on specific recipient filters rather
than a defined set of recipients. For more information, see Manage dynamic distribution groups.
You can't use the Exchange admin center (EAC ) to view the members of a dynamic distribution group. You can only
use the Exchange Management Shell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
For detailed syntax and parameter information, see Get-DynamicDistributionGroup and Get-Recipient.
Manage mail contacts
8/23/2019 • 9 minutes to read • Edit Online
Mail contacts are essentially contacts for people outside your Exchange or organization. Each mail contact has an
external email address. For more information about mail contacts, see Recipients.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example mail-enables an existing contact named Karen Toh in Exchange Server 2016.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Set-Contact "Kai Axford" -Title Consultant -Department "Public Relations" -Company Fabrikam -Manager "Karen
Toh"
This example sets the CustomAttribute1 property to a value of PartTime for all mail contacts and hides them from
the organization's address book.
This example sets the CustomAttribute15 property to a value of TemporaryEmployee for all mail contacts in the
Public Relations department.
In the example above where the CustomAttribute15 was set for all mail contacts in the Public Relations
department, run the following command to verify the changes.
TIP
You can select multiple adjacent mail contacts by holding down the Shift key and clicking the first mail contact, and
then clicking the last mail contact you want to edit. You can also select multiple mail contacts by holding down the
Ctrl key and clicking each one that you want to edit.
3. In the Details pane, under Bulk Edit, click Update under Contact Information or Organization.
4. Make the changes on the properties page and then save your changes.
How do you know this worked?
To verify that you've successfully bulk edited mail contacts, do one of the following:
In the EAC, select each of the mail contacts that you bulk edited, and then click Edit to view the
properties that you changed.
In the Exchange Management Shell, use the Get-Contact cmdlet to verify the changes. For example, say
you used the bulk edit feature in the EAC to change the manager and the office for all mail contacts from a
vendor company named A. Datum Corporation. To verify these changes, you could run the following
command in the Exchange Management Shell.
Mail users are similar to mail contacts. Both have external email addresses and both contain information about
people outside your Exchange organization that can be displayed in the shared address book and other address
lists. However, unlike a mail contact, a mail user has logon credentials in your Exchange organization and can
access resources. For more information, see Recipients.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
Exchange validates SMTP addresses for correct formatting. If your entry is inconsistent with the SMTP format, an
error message will be displayed when you click Save to create the mail user.
To specify a custom address type, click the option button and then type the custom address type. For
example, you can specify an X.500, GroupWise, or Lotus Notes address.
4. In the * External email address box, type the mail user's external email address. Email sent to this mail
user is forwarded to this email address. This is required.
5. Select one of the following options:
Existing user: Select to mail-enable an existing user.
Click Browse to open the Select User - Entire Forest dialog box. This dialog box displays a list of
user accounts in the organization that aren't mail-enabled or don't have mailboxes. Select the user
account you want to mail-enable, and then click OK. If you select this option, you don't have to
provide user account information because this information already exists in Active Directory.
New user: Select to create a new user account in Active Directory and mail-enable the user. If you
select this option, you'll have to provide the required user account information.
6. If you selected New User in Step 5, complete the following information on the New mail user page.
Otherwise skip to Step 7.
First name: Type the first name of the mail user.
Initials: Type the initials of the mail user.
Last name: Type the last name of the mail user.
* Display name: Use this box to type a display name for the user. This is the name that's listed in the
contacts list in the EAC and in your organization's address book. By default, this box is populated
with the names you enter in the First name, Initials, and Last name boxes. If you didn't use those
boxes, you must still type a name in this box because it's required. The name can't exceed 64
characters.
* Name: Use this box to type a name for the mail user. This is the name that's listed in the directory
service. This box is also populated with the names you enter in the First name, Initials, and Last
name boxes. If you didn't use those boxes, you must still type a name because this is required. This
name also can't exceed 64 characters.
Organizational unit: You can select an organizational unit (OU ) other than the default (which is the
recipient scope). If the recipient scope is set to the forest, the default value is set to the Users
container in the domain that contains the computer on which the EAC is running. If the recipient
scope is set to a specific domain, the Users container in that domain is selected by default. If the
recipient scope is set to a specific OU, that OU is selected by default.
To select a different OU, click Browse. The dialog box displays all OUs in the forest that are within
the specified scope. Select the OU you want, and then click OK.
* User logon name: Type the name that the mail user will use to log on to the domain. The user
logon name consists of a user name on the left side of the at (@) symbol and a suffix on the right
side. Typically, the suffix is the domain name the user account resides in.
* New Password: Type the password that the mail user must use to log on to the domain. Make
sure that the password you supply complies with the password length, complexity, and history
requirements of the domain you're creating the user account in.
* Confirm password: Use this box to confirm the password that you typed in the Password box.
Require password change on next logon: Select this check box if you want mail users to reset the
password when they first log on to the domain.
If you select this check box, at first logon, the new mail user will be prompted with a dialog box in
which to change the password. The mail user won't be allowed to perform any tasks until the
password is changed successfully.
7. When you've finished, click Save to create the mail user.
Use the Exchange Management Shell to create a mail user
This example creates a mail-enabled user account for Jeffrey Zeng in Exchange Server 2016 with the following
details:
The name and display name is Jeffrey Zeng.
The alias is jeffreyz.
The external email address is jzeng@tailspintoys.com.
The first name is Jeffrey and the last name is Zeng.
The logon name is jeffreyz@contoso.com.
The password is Pa$$word1.
The mail user will be created in the default OU. To specify a different OU, you can use the
OrganizationalUnit parameter.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies,
or address lists.
Organization
Use the Organization section to record detailed information about the user's role in the organization. This
information is displayed in the address book. Also, you can create a virtual organization chart that's accessible
from email clients such as Outlook.
Title: Use this box to view or change the recipient's title.
Department: Use this box to view or change the department in which the user works. You can use this box
to create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Company: Use this box to view or change the company for which the user works. You can use this box to
create recipient conditions for dynamic distribution groups, email address policies, or address lists.
Manager: To add a manager, click Browse. In Select Manager, select a person, and then click OK.
Direct reports: You can't modify this box. A direct report is a user who reports to a specific manager. If
you've specified a manager for the user, that user appears as a direct report in the details of the manager's
mailbox. For example, Kari manages Chris and Kate, so Kari is specified in the Manager box for Chris and
Kate, and Chris and Kate appear in the Direct reports box in the properties of Kari's account.
Email Addresses
Use the Email Addresses section to view or change the email addresses associated with the mail user. This
includes the mail user's primary SMTP address, their external email address, and any associated proxy addresses.
The primary SMTP address (also known as the default reply address) is displayed in bold text in the address list,
with the uppercase SMTP value in the Type column. By default, after the mail user is created, the primary SMTP
address and the external email address are the same.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
Note: With the exception of X.400 addresses, Exchange doesn't validate custom addresses for
correct formatting. You must make sure that the custom address you specify complies with the
format requirements for that address type.
Set the external email address: Use this box to change the mail user's external address. Email sent to this
mail user is forwarded to this email address.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization. This box is selected by default.
Mail Flow Settings
Use the Mail Flow Settings section to view or change the following settings:
Message Size Restrictions: These settings control the size of messages that the mail user can send and
receive. Click View details to view and change maximum size for sent and received messages.
Sent messages: To specify a maximum size for messages sent by this user, select the Maximum
message size (KB ) check box and type a value in the box. The message size must be between 0 and
2,097,151 KB. If the user sends a message larger than the specified size, the message will be
returned to the user with a descriptive error message.
Received messages: To specify a maximum size for messages received by this user, select the
Maximum message size (KB ) check box and type a value in the box. The message size must be
between 0 and 2,097,151 KB. If the user receives a message larger than the specified size, the
message will be returned to the sender with a descriptive error message.
Message Delivery Restrictions: These settings control who can send email messages to this mail user.
Click View details to view and change these restrictions.
Accept messages from: Use this section to specify who can send messages to this user.
All senders: Select this option to specify that the user can accept messages from all senders. This
includes both senders in your Exchange organization and external senders. This option is selected by
default. This option includes external users only if you clear the Require that all senders are
authenticated check box. If you select this check box, messages from external users will be rejected.
Only senders in the following list: Select this option to specify that the user can accept messages
only from a specified set of senders in your Exchange organization. Click Add to display the
Select Recipients page, which displays a list of all recipients in your Exchange organization. Select
the recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search .
Require that all senders are authenticated: Select this option to prevent anonymous users from
sending messages to the user.
Reject messages from: Use this section to block people from sending messages to this user.
No senders: Select this option to specify that the mailbox won't reject messages from any senders in
the Exchange organization. This option is selected by default.
Senders in the following list: Select this option to specify that the mailbox will reject messages
from a specified set of senders in your Exchange organization. Click Add to display the Select
Recipients page, which displays a list of all recipients in your Exchange organization. Select the
recipients you want, add them to the list, and then click OK. You can also search for a specific
recipient by typing the recipient's name in the search box and then clicking Search .
Member Of
Use the Member Of section to view a list of the distribution groups or security groups to which this user belongs.
You can't change membership information on this page. Note that the user may match the criteria for one or more
dynamic distribution groups in your organization. However, dynamic distribution groups aren't displayed on this
page because their membership is calculated each time they're used.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a message to this
recipient. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc lines of a
new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
This example hides all mail users from the organization's address book.
Get-MailUser | Set-MailUser -HiddenFromAddressListsEnabled $true
This example sets the Company property for all mail users to Contoso.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser')} | Set-User -Company Contoso
This example sets the CustomAttribute1 property to a value of ContosoEmployee for all mail users that have a
value of Contoso in the Company property.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq 'Contoso')}|
Set-MailUser -CustomAttribute1 ContosoEmployee
In the example above where the Company property was set to Contoso for all mail contacts, run the
following command to verify the changes:
In the example above where all mail users had the CustomAttribute1 property set to ContosoEmployee,
run the following command to verify the changes.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'mailuser') -and (Company -eq
'Adatum')} | Format-List Name,Office,Manager
Create and manage room mailboxes
8/23/2019 • 14 minutes to read • Edit Online
A room mailbox is a resource mailbox that's assigned to a physical location, such as a conference room, an
auditorium, or a training room. With room mailboxes, users can easily reserve these rooms by including room
mailboxes in their meeting requests. When they do this, the room mailbox uses options you can configure to
decide whether the invite should be accepted or denied.
To create a room mailbox, you need to be an administrator who's a member of either the Organization
Management or Recipient Management role groups.
If you want to grant someone access to a room mailbox so they can directly manage its calendar (for example, an
assistant who needs to make room for an executive meeting), you can do so using the instructions in Manage
permissions for recipients. After a user's been granted permissions to access a room mailbox, they can open the
mailbox using the instructions in Open and use a shared mailbox in Outlook 2016 and Outlook 2013.
IMPORTANT
Room mailboxes should never be set as the organizer of a meeting, nor should room mailboxes be accessed directly by users
in order to make changes to a meeting. Rooms should only be added to meetings in the Attendee or Location fields.
Otherwise you will override the Resource Booking Assistant (RBA), which manages and processes all calendar items sent to
the room mailbox, and unexpected errors may occur. If your organization has one or more users who need to manage a
room and its mailbox, then assign users to the room as resource delegates for the room mailbox, as described later in this
article. When a delegate is assigned, all items sent to the room's mailbox will be directed to the booking delegate, who can
then accept or decline from their own Inbox. If your organization wants to use a room mailbox like a team calendar, consider
using Exchange's shared calendar features.
If you want to learn about the types of recipients that are available in Exchange Server, check out Recipients. For
info about another type of resource mailbox, check out Manage equipment mailboxes.
TIP
Although there are other fields that describe the details of the room (for example, Location and Capacity) consider
summarizing the most important details in the room name using a consistent naming convention. Why? So users
can easily see the details when they select the room from the address book in the meeting request.
* Alias: A room mailbox has an email address so it can receive booking requests. The email address
consists of an alias on the left side of the @ symbol, which must be unique in the forest, and your
domain name on the right. The alias is required.
Location, Phone, Capacity: You can use these fields to enter details about the room. However, as
explained earlier, you can include some or all of this information in the room name so users can see
it.
4. When you're finished, click Save to create the room mailbox.
After you've created a room mailbox, you can Change how a room mailbox handles meeting requests (including
whether it responds automatically or someone needs to decide what to do). By default, it'll automatically accept or
decline requests depending on whether the requests conflict with any existing meetings on its calendar. It'll also
allow meetings that repeat, and allow meetings up to 180 days from the current date (and decline any requests
beyond that) that are up to 24 hours in duration. If you want to change other options, head down to Change other
room mailbox properties.
For information on how to create a room mailbox using the Exchange Management shell, see Examples 2 and 3 in
New -Mailbox.
Email Address
Use the Email Address section to view or change the email addresses associated with the room mailbox. This
includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP address
(also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP value in
the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An EUM (Exchange Unified Messaging) address is used by the Microsoft Exchange Unified
Messaging service in Exchange 2016 to locate UM -enabled recipients within an Exchange
organization. EUM addresses consist of the extension number and the UM dial plan for the UM -
enabled user. Click this button and type the extension number in the Address/Extension box. Then
click Browse and select a dial plan for the mailbox. (Note: Unified Messaging is not available in
Exchange 2019.)
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
Notes:
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for
correct formatting. You must make sure that the custom address you specify complies with
the format requirements for that address type.
When you add a new email address, you have the option to make it the primary SMTP
address.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the room mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc, or Bcc
lines of a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
Set-Mailbox "Conf Room 123" -DisplayName "Conf Room 31/123 (12)" -EmailAddresses
SMTP:Rm33.123@contoso.com,smtp:rm123@contoso.com -ResourceCapacity 12
This example configures room mailboxes to allow booking requests to be scheduled only during working hours
and sets a maximum duration of 9 hours.
This example uses the Get-User cmdlet to find all room mailboxes that correspond to private conference rooms,
and then uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Robin Wood
to accept or decline.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'RoomMailbox') -and (DisplayName -like
'Private*')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates
"Robin Wood"
Use the Exchange Management Shell to convert a distribution group to a room list
You may already have created distribution groups in the past that contain your conference rooms. You don't need
to recreate them; we can convert them quickly into a room list.
This example converts the distribution group, building 34 conference rooms, to a room list.
In Exchange Server, an equipment mailbox is a resource mailbox assigned to a resource that's not location specific,
such as a portable computer, projector, microphone, or a company car. After an administrator creates an equipment
mailbox, users can easily reserve the piece of equipment by including the corresponding equipment mailbox in a
meeting request. You can use the Exchange admin center (EAC ) and the Exchange Management Shell to create an
equipment mailbox or change equipment mailbox properties. For more information, see Recipients.
For information about another type of resource mailbox, a room mailbox, see Create and manage room mailboxes.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
TIP
Although there are other fields that describe the details of the room, for example, Capacity, consider summarizing the
most important details in the equipment name using a consistent naming convention. Why? So users can easily see
the details when they select the equipment from the address book in a meeting request.
* Email address: An equipment mailbox has an email address to receive booking requests. The email
address consists of an alias on the left side of the @ symbol, which must be unique in the forest, and
your domain name on the right. The email address is required.
4. When you're finished, click Save to create the equipment mailbox.
Once you've created your equipment mailbox, you can edit your equipment mailbox to update info about booking
options, MailTips and delegates. Check out the Change equipment mailbox properties section below to change
room mailbox properties.
Use the Exchange Management Shell to create an equipment mailbox
This example creates an equipment mailbox with the following configuration:
The equipment mailbox resides on Mailbox Database 1.
The equipment's name is MotorVehicle2 and the name will display in the GAL as Motor Vehicle 2.
The email address is MotorVehicle2@contoso.com.
The mailbox is in the Equipment organizational unit.
The Equipment parameter specifies that this mailbox will be created as an equipment mailbox.
New-Mailbox -Database "Mailbox Database 1" -Name MotorVehicle2 -OrganizationalUnit Equipment -DisplayName
"Motor Vehicle 2" -Equipment
Use the General section to view or change basic information about the resource.
* Equipment name: This name appears in the resource mailbox list in the EAC and in your organization's
address book. It can't exceed 64 characters if you change it.
* Email address: This read-only box displays the email address for the equipment mailbox. You can change
it in the Email Address section.
Capacity: Use this box to enter the maximum number of people who can use this resource, if applicable,
For example, if the equipment mailbox corresponds to a compact car, you could enter 4.
Click More options to view or change these additional properties:
Organizational unit: This read-only box displays the organizational unit (OU ) that contains the account for
the equipment mailbox. You have to use Active Directory Users and Computers to move the account to a
different OU.
Mailbox database: This read-only box displays the name of the mailbox database that hosts the
equipment mailbox. Use the Migration page in the EAC to move the mailbox to a different database.
* Alias Use this box to change the alias for the equipment mailbox.
Hide from address lists: Select this check box to prevent equipment mailbox from appearing in the
address book and other address lists that are defined in your Exchange organization. After you select this
check box, users can still send booking messages to the equipment mailbox by using the email address.
Department: Use this box to specify a department name that the resource is associated with. You can use
this property to create recipient conditions for dynamic distribution groups and address lists.
Company: Use this box to specify a company that the resource is associated with. Like the Department
property, you can use this property to create recipient conditions for dynamic distribution groups and
address lists.
Address book policy: Use this option to specify an address book policy (ABP ) for the resource. ABPs
contain a global address list (GAL ), an offline address book (OAB ), a room list, and a set of address lists. To
learn more, see Address book policies in Exchange Server.
In the drop-down list, select the policy that you want associated with this mailbox.
Custom attributes: This section displays the custom attributes defined for the equipment mailbox. To
specify custom attribute values, click Edit . You can specify up to 15 custom attributes for the recipient.
Delegates
Use this section to view or change how the equipment mailbox handles reservation requests and to define who
can accept or decline booking requests if it isn't done automatically.
Booking requests: Select one of the following options to handle booking requests.
Accept or decline booking requests automatically: A valid meeting request automatically
reserves the resource. If there's a scheduling conflict with an existing reservation, or if the booking
request violates the scheduling limits of the resource, for example, the reservation duration is too
long, the meeting request is automatically declined.
Select delegates who can accept or decline booking requests: Resource delegates are
responsible for accepting or declining meeting requests that are sent to the equipment mailbox. If
you assign more than one resource delegate, only one of them has to act on a specific meeting
request.
Delegates: If you selected the option requiring that booking requests be sent to delegates, the specified
delegates are listed. Click Add or Remove to add or remove delegates from this list.
Booking Options
Use the Booking Options section to view or change the settings for the booking policy that defines when the
resource can be scheduled, how long it can be reserved, and how far in advance it can be reserved.
Allow repeating meetings: This setting allows or prevents repeating meetings for the resource. By
default, this setting is enabled, so repeating meetings are allowed.
Allow scheduling only during working hours: This setting accepts or declines meeting requests that
aren't during the working hours defined for the resource. By default, this setting is disabled, so meeting
requests are allowed outside the working hours.By default, working hours are 8:00 AM to 5:00 PM Monday
through Friday. You can configure the working hours of the equipment mailbox in the Appearance section
on the Calendar page.
Always decline if the end date is beyond this limit: This setting controls the behavior of repeating
meetings that extend beyond the date specified by the maximum booking lead time setting.
If you enable this setting, a repeating booking request is automatically declined if the bookings start
on or before the date specified by the value in the Maximum booking lead time box, and they
extend beyond the specified date. This is the default setting.
If you disable this setting, a repeating booking request is automatically accepted if the booking
requests start on or before the date specified by the value in the Maximum booking lead time
box, and they extend beyond the specified date. However, the number of bookings is reduced so
bookings won't occur after the specified date.
Maximum booking lead time (days): This setting specifies the maximum number of days in advance that
the resource can be booked. Valid input is an integer between 0 and 1080. The default value is 180 days.
Maximum duration (hours): This setting specifies the maximum duration that the resource can be
reserved in a booking request. The default value is 24 hours.
For repeating booking requests, the maximum booking duration applies to the length of each instance of
the repeating booking request.
There is also a box on this page that you can use to write a message that will be sent to users who send meeting
requests to reserve the resource.
Contact Information
Use the Contact Information section to view or change the contact information for the resource. The information
on this page is displayed in the address book.
TIP
You can use the State/Province box to create recipient conditions for dynamic distribution groups, email address policies, or
address lists.
Email Address
Use the Email Address section to view or change the email addresses associated with the equipment mailbox.
This includes the mailbox's primary SMTP address and any associated proxy addresses. The primary SMTP
address (also known as the reply address) is displayed in bold text in the address list, with the uppercase SMTP
value in the Type column.
Add: Click Add to add a new email address for this mailbox. Select one of following address types:
SMTP: This is the default address type. Click this button and then type the new SMTP address in the
* Email address box.
EUM: An Exchange Unified Messaging (EUM ) address is used by the Exchange Unified Messaging
service in Exchange 2016 to locate UM -enabled recipients in an Exchange organization. EUM
addresses consist of the extension number and the UM dial plan for the UM -enabled user. Click this
button and type the extension number in the Address/Extension box. Then click Browse and select
a dial plan for the mailbox.(Note: Unified Messaging is not available in Exchange 2019.)
Custom address type: Click this button and type one of the supported non-SMTP email address
types in the * Email address box.
Notes:
With the exception of X.400 addresses, Exchange doesn't validate custom addresses for
correct formatting. You must make sure that the custom address you specify complies with the
format requirements for that address type.
When you add a new email address, you have the option to make it the primary SMTP
address.
Automatically update email addresses based on the email address policy applied to this recipient:
Select this check box to have the recipient's email addresses automatically updated based on changes made
to email address policies in your organization.
MailTip
Use the MailTip section to add a MailTip to alert users of potential issues before they send a booking request to
the equipment mailbox. A MailTip is text that's displayed in the InfoBar when this recipient is added to the To, Cc,
or Bcc lines of a new email message.
NOTE
MailTips can include HTML tags, but scripts aren't allowed. The length of a custom MailTip can't exceed 175 displayed
characters. HTML tags aren't counted in the limit.
This example configures equipment mailboxes to allow booking requests to be scheduled only during working
hours.
This example uses the Get-User cmdlet to find all equipment mailboxes in the Audio Visual department, and then
uses the Set-CalendarProcessing cmdlet to send booking requests to a delegate named Ann Beebe to accept or
decline.
Get-User -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'EquipmentMailbox') -and (Department -eq
'Audio Visual')} | Set-CalendarProcessing -AllBookInPolicy $false -AllRequestInPolicy $true -ResourceDelegates
"Ann Beebe"
Each Microsoft Exchange mailbox consists of an Active Directory user account and the mailbox data stored in the
Exchange mailbox database. All configuration data for a mailbox is stored in the Exchange attributes of the Active
Directory user object. The mailbox database contains the mail data that's in the mailbox associated with the user
account. The following figure shows the components of a mailbox.
Mailbox components
A disconnected mailbox is a mailbox object in the mailbox database that isn't associated with an Active Directory
user account. There are two types of disconnected mailboxes:
Disabled mailboxes: When a mailbox is disabled or deleted in the Exchange admin center (EAC ) or using
the Disable-Mailbox or Remove-Mailbox cmdlet in the Exchange Management Shell, Exchange retains
the deleted mailbox in the mailbox database, and switches the mailbox to a disabled state. This is why
mailboxes that are either disabled or deleted are referred to as disabled mailboxes. The difference is that
when you disable a mailbox, the Exchange attributes are removed from the corresponding Active Directory
user account, but the user account is retained. When you delete a mailbox, both the Exchange attributes and
the Active Directory user account are deleted.
Disabled and deleted mailboxes are retained in the mailbox database until the deleted mailbox retention
period expires, which is 30 days by default. After the retention period expires, the mailbox is permanently
deleted (also called purged). If a mailbox is deleted using the Remove-Mailbox cmdlet, it's also retained
for the duration of the retention period.
IMPORTANT
If a mailbox is deleted using the Remove-Mailbox cmdlet and either the Permanent or StoreMailboxIdentity
parameter, it will be immediately deleted from the mailbox database.
To identify the disabled mailboxes in your organization, run the following commands in the Exchange
Management Shell:
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisconnectReason -eq
"Disabled"} | Format-Table DisplayName,Database,DisconnectDate
Soft-deleted mailboxes: When a mailbox is moved to a different mailbox database, Exchange doesn't fully
delete the mailbox from the source mailbox database when the move is complete. Instead, the mailbox in
the source mailbox database is switched to a soft-deleted state. Like disabled mailboxes, soft-deleted
mailboxes are retained in the source database either until the deleted mailbox retention period expires or
until the Remove-StoreMailbox cmdlet is used to purge the mailbox.
Run the following commands to identify soft-deleted mailboxes in your organization.
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisconnectReason -eq
"SoftDeleted"} | Format-Table DisplayName,Database,DisconnectDate
NOTE
If you disable an archive mailbox for a user mailbox and then enable an archive mailbox for that same user, that user
mailbox will get a new archive mailbox. While you can use the Connect-Mailbox cmdlet to connect a primary
mailbox to a user, you must use the Enable-Mailbox cmdlet to connect a disabled archive mailbox to an existing
mailbox.
The EAC: Recipients Disabled Yes Connect to same user The EAC: Recipients
> Mailboxes > account > Mailboxes >
Disable Connect a Mailbox
TOPIC DESCRIPTION
Disable or delete a mailbox in Exchange Server Learn how to disable or delete mailboxes.
TOPIC DESCRIPTION
Connect a disabled mailbox Learn how to connect a disabled mailbox to an existing user
account.
Connect or restore a deleted mailbox Learn how to connect a deleted mailbox to a user account or
restore the contents of a deleted mailbox to an existing
mailbox.
Connect or Restore a Soft-Deleted Mailbox Learn how to connect a soft-deleted mailbox to a user
account or restore a soft-deleted mailbox to an existing
mailbox.
Manage Mailbox Restore Requests Learn how to manage mailbox restore requests using the
Exchange Management Shell.
In Exchange Server, you can use the Exchange admin center (EAC ) or the Exchange Management Shell to disable
or delete mailboxes. Disabled or deleted mailboxes are also known as disconnected mailboxes. For more
information about disconnected mailboxes, see Disconnected mailboxes.
Note: If you need to delete a mailbox in Office 365, see Delete or Restore User Mailboxes in Exchange Online.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Disable mailboxes
When you disable a mailbox, all Exchange attributes are removed from the associated user account in Active
Directory. The disconnected mailbox is hidden and marked for removal. The disconnected mailbox is permanently
deleted (purged) based on the MailboxRetention property value for the mailbox database (the default value is
30 days). Before the mailbox is purged, you can reconnect it to a new or existing user account that doesn't already
have an associated mailbox. For more information, see Connect a disabled mailbox.
Note: Disabling a mailbox that has an associated archive marks both the primary and archive mailboxes for
removal. To only mark the archive mailbox for removal without affecting the primary mailbox, see Disable an
archive mailbox.
Use the EAC to disable a mailbox
1. In the EAC, go to Recipients, and click the tab for the type of mailbox that you want to disable:
Mailboxes for user mailboxes and linked mailboxes.
Shared for shared mailboxes.
2. Find and select the mailbox that you want to disable. For example:
Scroll through the list. You can also click the column headers to sort the mailboxes.
Click Search and enter the text to filter the list of mailboxes.
Select multiple mailboxes by selecting a mailbox, holding the Shift key, and selecting a mailbox
farther down in the list, or by holding down the CTRL key as you select each mailbox.
3. After you've selected the mailbox or mailboxes that you want to disable, click More , select Disable, and
then click Yes in the warning message that appears.
Use the Exchange Management Shell to disable a mailbox
To disable a mailbox, use this syntax:
This example disables the user mailbox that has the alias value danj.
Disable-Mailbox danj
This example disables the room mailbox named Conf Room 31/1234 (12).
This example disables the shared mailbox that has the email address sharedmbx@contoso.com.
Disable-Mailbox sharedmbx@contoso.com
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"} | Format-List DisconnectReason,DisconnectDate
Notes:
The DisconnectReason property doesn't distinguish between disabled and deleted mailboxes (the
value for both is Disabled ). The presence of the associated user account indicates whether the
mailbox was disabled.
When you delete a mailbox, the value of the DisconnectReason property is also Disabled , but the
corresponding Active Directory user account is also deleted.
If the command returns no results, replace <DatabaseName> with the name of the mailbox
database where the disconnected mailbox resides, and run this command to synchronize the mailbox
state for all disconnected mailboxes on the database:
Get-MailboxStatistics -Database "<DatabaseName>" | foreach {Update-StoreMailboxState -Database
$_.Database -Identity $_.MailboxGuid -Confirm:$false}
Then, run the previous command, which should now return results.
In the Exchange Management Shell, replace <UserIdentity> with the name or user principal name of the
user (for example, user@contoso.com), and run this command to verify that the RecipientType property
value is User , not UserMailbox .
Delete mailboxes
When you delete a mailbox, the mailbox is disconnected from the associated user account, and the account is
removed from Active Directory. The disconnected mailbox is hidden and marked for removal. The disconnected
mailbox is permanently deleted (purged) based on the MailboxRetention property value for the mailbox
database (the default value is 30 days). Before the mailbox is purged, you can reconnect it to a new or existing user
account that doesn't already have an associated mailbox. For more information, see Connect or restore a deleted
mailbox.
Note: Deleting a mailbox that has an associated archive marks both the primary and archive mailboxes for
removal. To only mark the archive mailbox for removal without affecting the primary mailbox, see Disable an
archive mailbox.
Use the EAC to delete a mailbox
1. In the EAC, go to the location for the type of mailbox that you want to delete:
Recipients > Mailboxes for user mailboxes and linked mailboxes.
Recipients > Resources for room and equipment mailboxes.
Recipients > Shared for shared mailboxes.
Public folders > Public folder mailboxes for public folder mailboxes.
2. Find and select the mailbox that you want to disable. For example:
Scroll through the list. You can also click the column headers to sort the mailboxes.
Click Search and enter the text to filter the list of mailboxes.
Select multiple mailboxes by selecting a mailbox, holding the Shift key, and selecting a mailbox
farther down in the list, or by holding down the CTRL key as you select each mailbox.
3. After you've selected the mailbox or mailboxes that you want to delete, click Delete , and then click Yes in
the warning message that appears.
Use the Exchange Management Shell to delete a mailbox
To delete a mailbox, use this syntax:
This example deletes the mailbox that has the email address pilarp@contoso.com.
Remove-Mailbox pilarp@contoso.com
This example deletes the equipment mailbox named Fleet Van (16).
This example deletes the mailbox that has the alias value corpprint.
Remove-Mailbox corpprint
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"} | Format-List DisconnectReason,DisconnectDate
Notes:
The DisconnectReason property doesn't distinguish between disabled and deleted mailboxes (the
value for both is Disabled ). The absence of the associated user account indicates whether the
mailbox was deleted.
If the command returns no results, replace <DatabaseName> with the name of the mailbox
database where the disconnected mailbox resides, and run the following command to synchronize
the mailbox state for all disconnected mailboxes on the database:
Then, run the previous command, which should now return results.
In the Exchange Management Shell, replace <UserIdentity> with the name or user principal name of the
user (for example, user@contoso.com), and run this command to verify that the user can't be found.
Get-User <UserIdentity>
More information
When you delete the Active Directory user account that's associated with a mailbox, Exchange will detect that the
mailbox is no longer connected to a user account, and will mark the mailbox for removal, even if the mailbox has
been placed on Litigation Hold or In-Place Hold. To retain the mailbox, do these steps:
Instead of deleting the user account, disable the user account.
Change the properties of the mailbox to restrict its use and who has access to the mailbox. For example, set
send and receive quotas equal to 1, block who can send messages to the mailbox, and restrict who has
access the mailbox.
Retain the mailbox until all data has been expunged, or until preserving the data is no longer required.
For more information, see In-Place Hold and Litigation Hold in Exchange Server.
Connect a disabled mailbox
8/23/2019 • 4 minutes to read • Edit Online
When you disable a mailbox, Exchange retains the mailbox in the mailbox database and switches the mailbox to a
disabled state. The Exchange attributes are also removed from the corresponding Active Directory user account,
but the user account is retained. The mailbox is retained until the deleted mailbox retention period expires, which
is 30 days by default, before it's then deleted permanently (or purged) from the mailbox database.
Until a disabled mailbox is permanently deleted from the Exchange mailbox database, you can use the EAC or the
Exchange Management Shell to reconnect it to the original Active Directory user account.
To learn more about disconnected mailboxes and perform other related management tasks, see the following
topics:
Disconnected mailboxes
Disable or delete a mailbox in Exchange Server
Connect or restore a deleted mailbox
Permanently delete a mailbox
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"} | Format-List DisplayName,Database,DisconnectReason
To be able to connect a disabled mailbox, the mailbox has to exist in the mailbox database and the value for
the DisconnectReason property has to be Disabled . If the mailbox has been purged from the database, the
command won't return any results.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
This list of disconnected mailboxes includes disabled mailboxes, deleted mailboxes, and soft-deleted mailboxes.
3. Click the disabled mailbox that you want to reconnect, and then click Connect.
4. In the window that asks if you're sure that you want to reconnect the mailbox, click Yes.
Exchange will reconnect the disabled mailbox to the corresponding user account.
This example connects a linked mailbox. The Identity parameter specifies the disconnected mailbox in the
Exchange database. The LinkedMasterAccount parameter specifies the Active Directory user account in the
account forest that you want to reconnect the mailbox to. The Alias parameter specifies the alias, which is the
portion of the email address on the left side of the at (@) symbol, for the reconnected mailbox.
Connect-Mailbox -Identity "Corporate Shared Mailbox" -Database "Mailbox Database 03" -User "Corporate Shared
Mailbox" -Alias corpshared -Shared
NOTE
If you don't include the Alias parameter when you run the Connect-Mailbox cmdlet, the value specified in the User or
LinkedMasterAccount parameter is used to create the email address alias for the reconnected mailbox.
Get-User "<Identity>"
The UserMailbox value for the RecipientType property indicates that the user account and the mailbox are
connected. You can also run the Get-Mailbox cmdlet to verify that the mailbox exists.
Connect or restore a deleted mailbox
8/23/2019 • 7 minutes to read • Edit Online
When you delete a mailbox, Exchange retains the mailbox in the mailbox database and switches the mailbox to a
disabled state. The associated Active Directory user account is also deleted. The mailbox is retained until the
deleted mailbox retention period expires, which is 30 days by default, and then it's permanently deleted (or
purged) from the mailbox database.
Until a deleted mailbox is permanently deleted from the Exchange mailbox database, you can use the EAC or the
Exchange Management Shell to connect it to an Active Directory user account. You can also use the Exchange
Management Shell to restore the contents of the deleted mailbox to an existing mailbox.
To learn more about disconnected mailboxes and perform other related management tasks, see the following
topics:
Disconnected mailboxes
Disable or delete a mailbox in Exchange Server
Connect a disabled mailbox
Permanently delete a mailbox
IMPORTANT
When you connect deleted linked mailboxes, resource mailboxes, or shared mailboxes, the Active Directory user
account that you're connecting the mailbox to must be disabled.
To verify that the deleted mailbox that you want to connect a user account to exists in the mailbox database
and isn't a soft-deleted mailbox, run the following command:
The deleted mailbox has to exist in the mailbox database and the value for the DisconnectReason property
has to be Disabled . If the mailbox has been purged from the database, the command won't return any
results.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Recipient Provisioning Permissions" section in the Recipients Permissions
topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange
Online, or Exchange Online Protection..
NOTE
This list of disconnected mailboxes includes disabled mailboxes, deleted mailboxes, and soft-deleted mailboxes.
3. Click the deleted mailbox that you want to connect a user to, and then click Connect.
4. In the window that asks if you're sure that you want to connect the mailbox, click Yes.
A list of user accounts that aren't mail-enabled is displayed.
5. Click the user that you want to connect the deleted mailbox to, and then click OK.
Exchange will connect the deleted mailbox to the user account that you selected.
Use the Exchange Management Shell to connect a deleted mailbox
Use the Connect-Mailbox cmdlet in the Exchange Management Shell to connect a deleted mailbox to a user
account that isn't mail enabled. You have to specify the type of mailbox that you're connecting. The following
examples show the syntax for reconnecting user, linked, room, equipment, and shared mailboxes. In all examples,
the optional Alias parameter is used to specify the email alias, which is the portion of the email address on the left
side of the at (@) symbol. If you don't include the Alias parameter, the value specified in the User or
LinkedMasterAccount parameter is used to create the alias for the email address for the reconnected mailbox.
NOTE
As previously stated, when you connect linked, resource, or shared mailboxes, the Active Directory user account that you're
linking the mailbox to must be disabled.
This example connects a deleted user mailbox to a user account that isn't mail enabled. The Identity parameter
specifies the display name of the deleted mailbox retained in the mailbox database named MBXDB01. The User
parameter specifies the Active Directory user account to connect the mailbox to.
Connect-Mailbox -Identity "Paul Cannon" -Database MBXDB01 -User "Robin Wood" -Alias robinw
NOTE
You can also use the values for the LegacyDN or MailboxGuid properties to identify the deleted mailbox.
This example connects a linked mailbox. The Identity parameter specifies the deleted mailbox on the mailbox
database named MBXDB02. The LinkedMasterAccount parameter specifies the Active Directory user account in
the account forest that you want to connect the mailbox to. The LinkedDomainController parameter specifies a
domain controller in the account forest.
Connect-Mailbox -Identity "rm2121" -Database "MBXResourceDB" -User "Conference Room 2121" -Alias ConfRm2121 -
Room
Connect-Mailbox -Identity "MotorPool01" -Database "MBXResourceDB" -User "Van01 (12 passengers)" -Alias van01 -
Equipment
Connect-Mailbox -Identity "Printer Support" -Database MBXDB01 -User "Corp Printer Support" -Alias corpprint -
Shared
NOTE
You can also use the LegacyDN or MailboxGuid values to identify the deleted mailbox.
The UserMailbox value for the RecipientType property indicates that the user account and the mailbox are
connected. You can also run the Get-Mailbox <identity> command to verify that the mailbox was
connected.
NOTE
You can't use the EAC to restore a deleted mailbox.
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisconnectReason -eq
"Disabled"} | Format-Table DisplayName,MailboxGuid,Database,DisconnectDate
This example restores the deleted mailbox, which is identified by the SourceStoreMailbox parameter and is
located on the MBXDB01 mailbox database, to the target mailbox Debra Garcia. The AllowLegacyDNMismatch
parameter is used so the source mailbox can be restored to a different mailbox, one that doesn't have the same
legacy DN value.
This example restores Pilar Pinilla's deleted archive mailbox to her current archive mailbox. The
AllowLegacyDNMismatch parameter isn't necessary because a primary mailbox and its corresponding archive
mailbox have the same legacy DN.
When you permanently delete active mailboxes and disconnected mailboxes, all mailbox contents are purged
from the Exchange mailbox database, and the data loss is permanent. When you permanently delete an active
mailbox, the associated Active Directory user account is also deleted.
An alternative to permanently deleting a mailbox is to disconnect it. After you disconnect a mailbox, by default,
Exchange retains the data in the mailbox database for 30 days. This gives you the opportunity to reconnect or
restore a mailbox before it's purged from the database.
To learn more about disconnected mailboxes and perform other related management tasks in Exchange, see the
following topics:
Disconnected mailboxes
Disable or delete a mailbox in Exchange Server
Connect a disabled mailbox
Connect or restore a deleted mailbox
NOTE
You can't use the Exchange admin center (EAC) to permanently delete an active mailbox or a disconnected mailbox.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"}
If you successfully purged the mailbox, the command won't return any results. If the mailbox wasn't
purged, the command will return information about the mailbox.
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"} | Format-List DisplayName,MailboxGuid,Database,DisconnectReason
The value for the DisconnectReason property will be either Disabled or SoftDeleted .
You can run the following commands to display the type for all disconnected mailboxes in your organization:
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisconnectReason -ne $null}
| Format-List DisplayName,MailboxGuid,Database,DisconnectReason
When you use the Remove-StoreMailbox cmdlet to permanently delete a disconnected mailbox, all its contents
are purged from the mailbox database and the data loss is permanent.
This example permanently deletes the disabled mailbox with the GUID 2ab32ce3-fae1-4402-9489-
c67e3ae173d3 from mailbox database named MBD01.
Remove-StoreMailbox -Database MBD01 -Identity "2ab32ce3-fae1-4402-9489-c67e3ae173d3" -MailboxState Disabled
This example permanently deletes the soft-deleted mailbox for Dan Jump from mailbox database named
MBD01.
This example permanently deletes all soft-deleted mailboxes from mailbox database named MBD01.
For detailed syntax and parameter information, see Remove-StoreMailbox and Get-MailboxStatistics.
How do you know this worked?
To verify that you've permanently deleted a disconnected mailbox and that it was successfully purged from the
mailbox database, replace <DisplayName> with the display name of the mailbox and run the following
command:
$dbs = Get-MailboxDatabase
$dbs | foreach {Get-MailboxStatistics -Database $_.DistinguishedName} | where {$_.DisplayName -eq "
<DisplayName>"}
If you successfully purged the mailbox, the command won't return any results. If the mailbox wasn't purged, the
command will return information about the mailbox.
Custom attributes
8/23/2019 • 3 minutes to read • Edit Online
Exchange Server includes 15 extension attributes that you can use to add information about a recipient, such as an
employee ID, organizational unit (OU ), or some other custom value for which there isn't an existing attribute.
In earlier versions of Exchange, if you wanted to store this information in Active Directory, you had to create an
attribute by extending the Active Directory schema. Schema extension requires planning, procuring object
identifiers (OIDs) for new attributes, and testing the extension process in a test environment before you implement
it in a production environment. Exchange Server doesn't let you use schema extensions in recipient filters that are
used by address lists, e-mail address policies, and dynamic distribution groups.
The custom attributes available to Exchange Server are labeled in Active Directory as ms-Exch-Extension-
Attribute1 through ms-Exch-Extension-Attribute15. In the Exchange Management Shell, the corresponding
parameters are CustomAttribute1 through CustomAttribute15. These attributes aren't used by any Exchange
components. They can be used to store Active Directory data without having to extend the Active Directory
schema.
NOTE
ms-Exch-Extension-Attribute-16 to ms-Exch-Extension-Attribute-45 are present in Active Directory, but aren't available
in the Exchange admin center (EAC) or the Exchange Management Shell. Don't use non-Exchange tools to edit these
attributes because they might be used for future Exchange features.
NOTE
Dynamic distribution groups have an additional parameter that you can use to restrict it to recipients in a particular OU or
container.
If the recipients in a particular OU don't share any common properties that you can filter by, such as department
or location, you can populate one of the custom attributes with a common value, as shown in this example.
With that done, now you can create an e-mail address policy for all recipients that have the CustomAttribute1
property that equals SalesOU, as shown in this example.
NOTE
You need to use the IncludedRecipients parameter if you use a Conditional parameter. In addition, you can't use Conditional
parameters if you use the RecipientFilter parameter. If you want to include additional filters to create your dynamic
distribution group, email address policies, or address lists, you should use the RecipientFilter parameter.
Next, a dynamic distribution group for all students enrolled MATH307 is created by using the RecipientFilter
parameter where ExtensionCustomAttribute1 is equal to MATH307. When using the ExtentionCustomAttributes
parameters, you can use the -eq operator instead of the -like operator.
In this example, Kweku's ExtensionCustomAttribute1 values are updated to reflect that he's added the class
ENGL210 and removed the class ECON202.
In Exchange Server, you can use the Exchange admin center (EAC ) or the Exchange Management Shell to assign
permissions to a mailbox or group so that other users can access the mailbox (the Full Access permission), or send
email messages that appear to come from the mailbox or group (the Send As or Send on Behalf permissions). The
users that are assigned these permissions on other mailboxes or groups are called delegates.
The permissions that you can assign to delegates for mailboxes and groups in Exchange Server are described in
the following table:
Note: Although you can use the Exchange Management Shell to assign some or all of these permissions to other
delegate types on other kinds of recipient objects, this topic focuses on the delegate and recipient object types that
produce useful results.
ADDITIONAL
ADDITIONAL DELEGATE TYPES
RECIPIENT TYPES RECIPIENT TYPES DELEGATE TYPES IN THE
PERMISSION DESCRIPTION IN THE EAC IN POWERSHELL IN THE EAC POWERSHELL
Full Access Allows the User mailboxes Arbitration Mailboxes with User accounts
delegate to open mailboxes user accounts that aren't mail-
the mailbox, and Linked mailboxes enabled.
view, add and Discovery Mail users with
remove the Resource mailboxes accounts Universal, global,
contents of the mailboxes and domain local
mailbox. Doesn't Mail-enabled security groups
allow the Shared mailboxes security groups that aren't mail-
delegate to send enabled.
messages from
the mailbox.
By default, the
mailbox auto-
mapping feature
uses
Autodiscover to
automatically
open the mailbox
in the delegate's
Outlook profile
(in addition to
their own
their own
mailbox). If you ADDITIONAL
don't want this to ADDITIONAL DELEGATE TYPES
happen, you RECIPIENT TYPES RECIPIENT TYPES DELEGATE TYPES IN THE
PERMISSION DESCRIPTION IN THE EAC IN POWERSHELL IN THE EAC POWERSHELL
need to take one
of the following
actions:
Send on Behalf Allows the User mailboxes Shared mailboxes Mailboxes with n/a
delegate to send user accounts
messages from Linked mailboxes
the mailbox or Mail users with
group. The From Resource accounts
address of these mailboxes
messages clearly Mail-enabled
shows that the Distribution security groups
message was groups
sent by the Distribution
delegate (" Dynamic groups
<Delegate> on distribution
behalf of groups
<MailboxOrGrou
p>"). However, Mail-enabled
replies to these security groups
messages are
sent to the
mailbox or group,
not to the
delegate.
NOTE
If a user has both Send As and Send on Behalf permissions to a mailbox or group, the Send As permission is always
used.|User mailboxes
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Add-MailboxPermission -Identity "Terry Adams" -User raymonds -AccessRights FullAccess -InheritanceType All
This example assigns Esther Valle the Full Access permission to the organization's default discovery search
mailbox, and prevents the mailbox from automatically opening in Esther Valle's Outlook.
This example assigns members of the Helpdesk mail-enabled security group the Full Access permission to the
shared mailbox named Helpdesk Tickets.
This example removes Full Access permission for Jim Hance from Ayla Kol's mailbox.
Remove-MailboxPermission -Identity ayla -User "Jim Hance" -AccessRights FullAccess -InheritanceType All
The commands work with or without -AccessRights ExtendedRight , which is why it's shown as optional in
the syntax.
This example assigns the Send As permission to the Helpdesk mail-enabled security group on the shared mailbox
named Helpdesk Support Team.
Add-ADPermission -Identity "Helpdesk Support Team" -User Helpdesk -ExtendedRights "Send As"
This example removes the Send As permission for the user Pilar Pinilla on the mailbox of James Alvord.
The GrantSendOnBehalfTo parameter has the following options for delegate values:
Replace existing delegates: <DelegateIdentity> or "<DelegateIdentity1>","<DelegateIdentity2>",...
This example assigns the delegate Holly Holt the Send on Behalf permission to the mailbox of Sean Chai.
This example adds the group tempassistants@contoso.com to the list of delegates that have Send on Behalf
permission to the Contoso Executives shared mailbox.
This example assigns the delegate Sara Davis the Send on Behalf permission to the Printer Support distribution
group.
This example removes the Send on Behalf permission that was assigned to the administrator on the All
Employees dynamic distribution group.
Group:
Next steps
For more information about how delegates can use the permissions that are assigned to them on mailboxes and
groups, see the following topics:
Access another person's mailbox
Open and use a shared mailbox in Outlook
Open and use a shared mailbox in Outlook on the Web
Send email from another person or group in Outlook on the Web
Mailbox moves in Exchange Server
8/23/2019 • 4 minutes to read • Edit Online
You use mailbox moves to move mailboxes to, from, and within your Exchange organization. These are the basic
types of mailbox moves that are available:
Local mailbox moves: You move mailboxes from one mailbox database to another on Exchange servers
within a single Active Directory forest. For instructions, see Manage on-premises mailbox moves in
Exchange Server.
Cross-forest mailbox moves: You move mailboxes to Exchange servers in a different Active Directory
forest. You can initiate the move from the target forest where you want to move the mailboxes (known as a
pull move type), or from the source forest that currently hosts the mailboxes (known as a push move type).
For more information, see Prepare mailboxes for cross-forest move requests.
Remote mailbox moves in hybrid deployments: In hybrid deployments between on-premises
Exchange and Microsoft Office 365, you can move mailboxes from Exchange to Office 365 (known as
onboarding remote move migrations) and from Office 365 to Exchange (know as offboarding remote
move migrations). For more information, see Move Mailboxes Between On-Premises and Exchange Online
Organizations in 2013 Hybrid Deployments.
Note: For more information about migrating on-premises Exchange organizations to Office 365, see Ways
to migrate multiple email accounts to Office 365.
Mailbox moves in Exchange 2016 and Exchange 2019 use the batch move architecture that was introduced in
Exchange 2013. The batch move architecture gives you the ability to move mailboxes in large batches. The
enhanced management capabilities in the batch move architecture includes:
Email notification during move with reporting.
Automatic retry and automatic prioritization of moves.
Move primary and personal archive mailboxes together or separately.
Option for manual move request finalization to let you review your move before completion.
Periodic incremental syncs to update migration changes.
You can move mailboxes in the Exchange admin center (EAC ), or by using the New -MoveRequest or New -
MigrationBatch cmdlets in the Exchange Management Shell.
Exchange Server uses the Microsoft Exchange Mailbox Replication service (MRS ) to import .pst files to mailboxes,
and export mailboxes to .pst files. The advantages of using MRS instead of Outlook to import and export
mailboxes are:
Import and export requests are asynchronous (you can import and export multiple .pst files at the same
time).
Imports and exports take advantage of the queuing and throttling that's provided by the MRS.
You can import a .pst file directly to a user's archive mailbox.
The source or destination .pst files can reside on any network share that's accessible by your Exchange
servers.
This feature was introduced in Exchange 2010 Service Pack 1 (SP1). In Exchange 2010, the MRS runs on Client
Access servers. In Exchange 2013 or later, the MRS runs in the backend services on Mailbox servers (not in the
frontend Client Access services).
NOTE
Mailbox imports and exports are available only in the Mailbox Import Export role, and by default, that role isn't assigned to a
role group. To use these features, you need to add the Mailbox Import Export role to a role group that you belong to (for
example, the Organization Management role group). For more information, see Add a role to a role group.
Considerations
Before you import .pst files to mailboxes, or export mailboxes to .pst files, consider these issues:
You need to use a UNC network share (\ <Server>\ <Share>\ or \ <LocalServerName>\c$). The Exchange
Trusted Subsystem security group requires permissions to the network share (Read for imports,
Read/Write for exports). If the share doesn't have these permissions, you'll get errors when you try to
import or export .pst files.
We recommend that you don't try to import or export .pst files that are larger than 50 gigabytes (GB ),
because 50 GB is the maximum .pst file size that's supported by current versions of Outlook. You can export
mailboxes that are larger than 50 GB to .pst files by using multiple export requests that include or exclude
specific folders, or by using a content filter.
The operations may take several hours depending on the size of the .pst files or mailboxes, the available
network bandwidth, and MRS throttling.
You can't import .pst files to public folders.
Mailbox import requests use the Microsoft Exchange Mailbox Replication service (MRS ) to import the contents of
.pst files into mailboxes. For more information, see Mailbox imports and exports in Exchange Server .
This topic shows you how to:
Create mailbox import requests
View mailbox import requests.
Modify mailbox import requests that haven't completed.
Suspend mailbox import requests that haven't completed or failed.
Resume suspended or failed mailbox import requests
Remove mailbox import requests.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. The Import from a .pst wizard opens. On the first page, enter the UNC path and filename of the source .pst
file.
This example creates a new mailbox import request with these settings:
Mailbox import request name: The default value MailboxImport is used, because we aren't using the
Name parameter. The unique identity of the mailbox import request is <MailboxIdentity>\MailboxImportX (X
is either not present, or has the value 0 to 9).
Source .pst file: \\SERVER01\PSTFiles\Archives\Vbarrios.pst
Target mailbox: Valeria Barrios
Content and folders: Content in all folder paths in the .pst file is replicated in the target mailbox. Content is
merged under existing folders and new folders are created if they don't already exist.
Priority: Normal , because we aren't using the Priority parameter.
This example creates a new mailbox import request with these settings:
Mailbox import request name: The custom name Kathleen Reiter Import is specified by the Name
parameter. Specifying a custom name allows more than 10 mailbox import requests for the mailbox. The
unique identity value of the mailbox import request is <MailboxIdentity>\<MailboxImportRequestName> (for
example, kreiter\Kathleen Reiter Import ).
Source .pst file: \\SERVER01\PSTFiles\Archives\Recovered.pst
Target mailbox: The archive mailbox for Kathleen Reiter (Kathleen's primary mailbox alias is kreiter).
Content and folders: Only content in the Inbox folder of the .pst file is imported (regardless of the
localized name of the folder), and it's imported to the Recovered Files folder in the target mailbox.
Priority: High
New-MailboxImportRequest -Name "Kathleen Reiter Import" -FilePath \\SERVER01\PSTFiles\Recovered.pst -Mailbox
kreiter -IsArchive -IncludeFolders "#Inbox#" -TargetRootFolder "Recovered Files" -Priority High
Replace <MailboxIdentity> and <MailboxImportRequestName> with the appropriate values, and run this
command in the Exchange Management Shell to verify the details:
Get-MailboxImportRequest
This example returns additional information for mailbox import requests to the mailbox Akia Al-Zuhairi.
This example returns the summary list of completed mailbox import requests in the batch named Import DB01
PSTs.
Where <MailboxImportRequestIdentity> is the identity value of the mailbox import request ( <MailboxIdentity>\
<MailboxImportRequestName> or <RequestGUID>).
This example returns detailed information for the mailbox import request named MailboxImport for Akia Al-
Zuhairi's mailbox, including the log of actions in the Report property.
This example modifies the failed mailbox import request for the mailbox of Valeria Barrios to accept up to five
corrupted mailbox items.
This example suspends the mailbox import request to Kathleen Reiter's mailbox that's named Kathleen Reiter
Import.
This example suspends all in-progress mailbox import requests with the comment "OK to resume after 10 P.M. on
Monday 6/19"
Run this command in the Exchange Management Shell, and verify that the suspended mailbox import
request is listed:
This example resumes the failed mailbox import request for Valeria Barrios' mailbox.
Mailbox export requests use the Microsoft Exchange Mailbox Replication service (MRS ) to export the contents of
mailboxes to .pst files. For more information, see Mailbox imports and exports in Exchange Server .
This topic shows you how to:
Create mailbox export requests.
View mailbox export requests.
Modify mailbox export requests that haven't completed.
Suspend mailbox export requests that haven't completed or failed.
Resume suspended or failed mailbox export requests
Remove mailbox export requests.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. The Export to a .pst file wizard opens. On the first page, select the source mailbox, and then select one of
these options:
Export only the contents of this mailbox
Export only the contents of this mailbox's archive
This example creates a new mailbox export request with these settings:
Mailbox export request name: The default value MailboxExport is used, because we aren't using the
Name parameter. The unique identity of the mailbox export request is <MailboxIdentity>\MailboxExportX (X
is either not present, or has the value 0 to 9).
Source mailbox: Valeria Barrios
Target .pst file: \SERVER01\PSTFiles\Vbarrios.pst
Content and folders: Content in all folder paths in the source mailbox is replicated in the target .pst file.
Priority: Normal , because we aren't using the Priority parameter.
This example creates a new mailbox export request with these settings:
Mailbox export request name: The custom name Kathleen Reiter Export is specified by the Name
parameter. Specifying a custom name allows more than 10 mailbox export requests for the mailbox. The
unique identity value of the mailbox export request is <MailboxIdentity>\<MailboxExportRequestName> (for
example, kreiter\Kathleen Reiter Export ).
Source mailbox: The archive mailbox for Kathleen Reiter (Kathleen's primary mailbox alias is kreiter).
Target .pst file: \SERVER01\PSTFiles\Archives\Kathleen Reiter.pst
Content and folders: Only content in the Inbox folder of the mailbox is exported (regardless of the
localized name of the folder).
Priority: High
New-MailboxExportRequest -Name "Kathleen Reiter Export" -Mailbox kreiter -FilePath
"\\SERVER01\PSTFiles\Kathleen Reiter.pst" -IsArchive -IncludeFolders "#Inbox#" -Priority Hight
Replace <MailboxIdentity> and <MailboxExportRequestName> with the appropriate values, and run this
command in the Exchange Management Shell to verify the details:
Get-MailboxExportRequest
This example returns additional information for mailbox export requests from the mailbox Akia Al-Zuhairi.
This example returns the summary list of completed mailbox export requests in the batch named Export DB01
PSTs.
Where <MailboxExportRequestIdentity> is the identity value of the mailbox export request ( <MailboxIdentity>\
<MailboxExportRequestName> or <RequestGUID>).
This example returns detailed information for the mailbox export request named MailboxExport for Akia Al-
Zuhairi's mailbox, including the log of actions in the Report property.
This example modifies the failed mailbox export request for the mailbox of Valeria Barrios to accept up to five
corrupted mailbox items.
This example suspends the mailbox export request from Kathleen Reiter's mailbox that's named Kathleen Reiter
Export.
This example suspends all in-progress mailbox export requests with the comment "OK to resume after 10 P.M. on
Monday 6/19"
Run this command in the Exchange Management Shell, and verify that the suspended mailbox export
request is listed:
This example resumes the failed mailbox export request for Valeria Barrios' mailbox.
There are many different clients that you can use to access information in an Exchange mailbox. These clients
include desktop programs such as Outlook, Outlook on the web (formerly known as Outlook Web App), and
mobile clients such as mobile phones, tablets, and other mobile devices. Each of these clients offers a variety of
features.
The following table contains links to topics that will help you learn about and manage some of the clients and
client access methods that you can use to access your Exchange mailbox.
TOPIC DESCRIPTION
Outlook Anywhere Learn about the client access method that provides
connectivity to Outlook 2010. (This feature was formerly
known as RPC/HTTP.)
Exchange ActiveSync Learn about the protocol that provides connectivity to a wide
variety of mobile phones and tablets. Using Exchange
ActiveSync, users can access email, calendar, contact, and task
information.
POP3 and IMAP4 in Exchange Server Learn about how users can access their Exchange mailbox by
using email programs that use POP3 or IMAP4.
Using Basic authentication with Outlook for iOS and Android Learn about the Outlook for iOS and Android app and how it
allows your users to securely access their mailbox data
remotely with their iOS and Android devices.
Install Office Online Server in an Exchange organization Learn about how the integration of Office Online Server helps
provide rich attachment preview functionality in Outlook on
the web.
Outlook on the web in Exchange Server Learn about Outlook on the web, which provides users access
to their Exchange mailbox through a web browser.
Messaging Application Programming Interface (MAPI) over HTTP is a transport protocol that improves the
reliability and stability of the Outlook and Exchange connections by moving the transport layer to the industry-
standard HTTP model. This allows a higher level of visibility of transport errors and enhanced recoverability.
Additional functionality includes support for an explicit pause-and-resume function. This enables supported
clients to change networks or resume from hibernation while maintaining the same server context.
Implementing MAPI over HTTP does not mean that it is the only protocol that can be used for Outlook to access
Exchange. Outlook clients that are not MAPI over HTTP capable can still use Outlook Anywhere (RPC over
HTTP ) to access Exchange through a MAPI-enabled Client Access server.
In Exchange 2016 and Exchange 2019, MAPI over HTTP can be applied across your entire organization, or at the
individual mailbox level.
Upgrading from an Exchange 2016 MAPI over HTTP is enabled by default n/a
environment
Upgrading from an environment MAPI over HTTP is disabled by default MAPI over HTTP is disabled by default
that contains any Exchange 2013
servers
Upgrading from an Exchange 2010 n/a MAPI over HTTP is enabled by default
environment
During the upgrade from an organization that contains Exchange 2013 servers, administrators will receive the
MAPI over HTTP isn't enabled [WarnMapiHttpNotEnabled] readiness check warning, and enabling MAPI over
HTTP post-installation is recommended. In any organization that contains Exchange 2013 servers, MAPI over
HTTP won't be enabled by default, and administrators will need to follow the steps in Configure MAPI over
HTTP to enable it.
Outlook 2013 MAPI over HTTP MAPI over HTTP MAPI over HTTP Outlook RPC
SP1 and all later Outlook Outlook Outlook Anywhere Outlook
versions of Anywhere Anywhere Anywhere Anywhere
Outlook
Outlook 2010 MAPI over HTTP MAPI over HTTP MAPI over HTTP Outlook RPC
SP2 with updates Outlook Outlook Outlook Anywhere Outlook
KB2956191 and Anywhere Anywhere Anywhere Anywhere
KB2965295
(April 14, 2015)
Prerequisites
The following conditions are required for clients and servers to support MAPI over HTTP with Exchange Server.
Once the following prerequisites are in place, see Configure MAPI over HTTP to enable it in your organization.
Supported Outlook clients (see the table in the previous section).
.NET Framework 4.5.2 or later. Note that this is no longer an issue for Exchange 2016 CU5 or later. For
more information about the .NET Framework requirements for Exchange 2016, see Supported .NET
Framework versions for Exchange 2016.
Configure MAPI over HTTP in Exchange Server
8/23/2019 • 5 minutes to read • Edit Online
In Exchange 2016 and Exchange 2019, you can configure MAPI over HTTP at the organization level or at the
individual mailbox level. Mailbox-level settings always take precedence over organization-wide settings.
The scenarios where MAPI over HTTP is enabled or disabled by default at the organization level are described in
the following table:
Upgrading from an Exchange 2016 MAPI over HTTP is enabled by default n/a
environment
Upgrading from an environment MAPI over HTTP is disabled by default MAPI over HTTP is disabled by default
that contains any Exchange 2013
servers
Upgrading from an Exchange 2010 n/a MAPI over HTTP is enabled by default
environment
NOTE
When MAPI over HTTP is enabled at the organization level, the MapiHttpEnabled property value that's returned by the Get-
OrganizationConfig cmdlet is True .
This topic describes how to configure and then enable MAPI over HTTP for Exchange organizations that contain
Exchange 2013 servers, or for any topology where MAPI over HTTP has been previously disabled. You can also
use the procedures in this article to disable MAPI over HTTP at the organization level.
This topic also describes how to enable or disable MAPI over HTTP for an individual mailbox. At the mailbox level,
you have the ability to allow or block MAPI over HTTP connections internally, externally, or both. In all cases, when
MAPI over HTTP is disabled, connections will be made with Outlook Anywhere.
2. Certificate configuration: The digital certificate used by your Exchange environment must include the
same InternalURL and ExternalURL values that are defined on the MAPI virtual directory. For more
information on Exchange certificate management, see Digital certificates and encryption in Exchange
Server. Make sure the Exchange certificate is trusted on the Outlook client workstation and that there are
no certificate errors, especially when you access the URLs configured on the MAPI virtual directory.
3. Update server rules: Verify that your load balancers, reverse proxies, and firewalls are configured to allow
access to the MAPI over HTTP virtual directory.
4. Use the following steps to enable MAPI over HTTP in your entire Exchange organization, or enable MAPI
over HTTP for one or more individual mailboxes.
NOTE
After you run the commands below, Outlook clients with MAPI over HTTP enabled will see a message to restart
Outlook to use MAPI over HTTP.
MAPIBLOCKOUTLOOKEX TERN
MAPIHTTPENABLED VALUE ON MAPIHTTPENABLED VALUE ON ALCONNECTIVITY VALUE ON
SET-ORGANIZATIONCONFIG SET-CASMAILBOX SET-CASMAILBOX AUTODISCOVER RESULT
MAPI is a client protocol that lets users access their mailbox by using Outlook or other MAPI email clients. By
default, MAPI access to a user mailbox is enabled. Disabling MAPI access to a mailbox prevents the user from
using Outlook to access their mailbox in Exchange mode. It doesn't prevent the user from using Outlook on the
web or Outlook using other protocols (for example, POP3, IMAP4, or Exchange ActiveSync) to access their
mailbox.
Administrators can use the Exchange admin center (EAC ) or the Exchange Management Shell to enable or disable
MAPI access to user mailbox.
For additional management tasks related to user access to mailboxes, see these topics:
Enable or disable Outlook on the web access to mailboxes in Exchange Server
Enable or disable Exchange ActiveSync access to mailboxes in Exchange Server
Enable or disable POP3 or IMAP4 access to mailboxes in Exchange Server
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example disables MAPI access to the mailbox named Ken Sanchez.
This example enables MAPI access to the mailbox named Esther Valle.
Use the Exchange Management Shell to enable or disable MAPI access to multiple mailboxes
You can use the Get-Mailbox, Get-User or Get-Content cmdlets to identify the mailboxes that you want to
modify. For example:
Use the OrganizationalUnit parameter to filter the mailboxes by organizational unit (OU ).
Use the Filter parameter to create OPATH filters that identify the mailboxes. For more information, see
Filterable Properties for the -Filter Parameter.
Use a text file to specify the mailboxes. The text file contains one mailbox (email address, name, or other
unique identifier) on each line like this:
ebrunner@tailspintoys.com
fapodaca@tailspintoys.com
glaureano@tailspintoys.com
hrim@tailspintoys.com
This example disables MAPI access to all user mailboxes in the North America\Finance OU.
This example disables MAPI access to all user mailboxes in the Engineering department in Washington state.
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and StateOrProvince -
eq 'WA'} | Set-CasMailbox -MAPIEnabled $false
This example uses the text file C:\My Documents\Accounts.txt to disable MAPI access to the specified mailboxes.
For detailed syntax and parameter information, see Get-Mailbox and Get-User.
In the Exchange Management Shell, replace <MailboxIdentity> with the identity of the mailbox (for
example, name, alias, or email address), and run this command:
Use the same filter that you used to identify the mailboxes, but use the Get-CasMailbox cmdlet instead of
Set-CasMailbox. For example:
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and
StateOrProvince -eq 'WA'} | Get-CasMailbox
In the Exchange Management Shell, run this command to show all mailboxes where Outlook on the web
access is disabled:
Exchange ActiveSync is an Exchange synchronization protocol that's optimized to work together with high-latency
and low -bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization's
information on a server that's running Microsoft Exchange.
The iOS fingerprint reader technology cannot be used as a device password. If you choose to use the iOS
fingerprint reader, you'll still need to create and enter a device password if the mobile device mailbox policy
for your organization requires a device password.
The device password options include the following:
Minimum password length (characters): This option specifies the length of the password for the
mobile device. The default length is 4 characters, but as many as 18 can be included.
Minimum number of character sets: Use this text box to specify the complexity of the
alphanumeric password and force users to use a number of different sets of characters from among
the following: lowercase letters, uppercase letters, symbols, and numbers.
Require alphanumeric password: This option determines password strength. You can enforce the
usage of a character or symbol in the password in addition to numbers.
Inactivity time (seconds): This option determines how long the mobile device must be inactive
before the user is prompted for a password to unlock the mobile device.
Enforce password history: Select this check box to force the mobile phone to prevent the user
from reusing their previous passwords. The number that you set determines the number of past
passwords that the user won't be allowed to reuse.
Enable password recovery: Select this check box to enable password recovery for the mobile
device. Administrators can use the Get-ActiveSyncDeviceStatistics cmdlet to look up the user's
recovery password.
Wipe device after failed (attempts): This option lets you specify whether you want the phone's
memory to be wiped after multiple failed password attempts.
Device encryption policies: There are a number of mobile device encryption policies that you can
enforce for a group of users. These policies include the following:
Require encryption on device: Select this check box to require encryption on the mobile device.
This increases security by encrypting all information on the mobile device.
Require encryption on storage cards: Select this check box to require encryption on the mobile
device's removable storage card. This increases security by encrypting all information on the storage
cards for the mobile device.
Enable or disable Exchange ActiveSync access to
mailboxes in Exchange Server
8/23/2019 • 5 minutes to read • Edit Online
ActiveSync is a client protocol that lets users synchronize their Exchange mailbox with a mobile device. By default,
ActiveSync is enabled on new user mailboxes. Disabling ActiveSync on a mailbox prevents the user from
synchronizing their mailbox with a mobile device (by using ActiveSync).
Administrators can use the Exchange admin center (EAC ) or the Exchange Management Shell to enable or disable
Exchange ActiveSync access to a mailbox.
For more information about ActiveSync, see Exchange ActiveSync.
For information about setting up email on your mobile device, see these topics:
Set up Office apps and email on iOS devices
Set up Office apps and email on Android
Set up Office apps and email on Windows Phone
For additional management tasks related to user access to mailboxes, see these topics:
Enable or disable Outlook on the web access to mailboxes in Exchange Server
Enable or disable POP3 or IMAP4 access to mailboxes in Exchange Server
Enable or disable MAPI access to mailboxes in Exchange Server
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example disables ActiveSync access to the mailbox named Yan Li.
This example enables ActiveSync access to the mailbox named Elly Nkya.
ebrunner@tailspintoys.com
fapodaca@tailspintoys.com
glaureano@tailspintoys.com
hrim@tailspintoys.com
This example disables ActiveSync access to all user mailboxes in the North America\Finance OU.
This example disables ActiveSync access to all user mailboxes in the Engineering department in Washington state.
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and StateOrProvince -
eq 'WA'} | Set-CasMailbox -ActiveSyncEnabled $false
This example uses the text file C:\My Documents\Accounts.txt to disable ActiveSync access to the specified
mailboxes.
Get-Content "C:\My Documents\Accounts.txt" | foreach {Set-CasMailbox $_ -ActiveSyncEnabled $false}
For detailed syntax and parameter information, see Get-Mailbox and Get-User.
In the Exchange Management Shell, replace <MailboxIdentity> with the identity of the mailbox (for
example, name, alias, or email address), and run this command:
Use the same filter that you used to identify the mailboxes, but use the Get-CasMailbox cmdlet instead of
Set-CasMailbox. For example:
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and
StateOrProvince -eq 'WA'} | Get-CasMailbox
In the Exchange Management Shell, run this command to show all mailboxes where ActiveSync access is
disabled:
In Exchange Server, you can create mobile device mailbox policies to apply a common set of policies or security
settings to a collection of users. After you deploy Exchange ActiveSync in your Exchange Server organization, you
can create new mobile device mailbox policies or modify existing policies. When you install Exchange Server, a
default mobile device mailbox policy is created. All users are automatically assigned this default mobile device
mailbox policy.
Cau t i on
The iOS fingerprint reader is not supported as a device password. If you enable the fingerprint reader to secure
your iOS device, you will still need to create and enter a password if your mobile device mailbox policies require a
password.
IMPORTANT
Most Windows mobile phones support a subset of all Exchange ActiveSync mailbox policy settings. For a complete list, see
the next section in this topic..
You can create mobile device mailbox policies in the Exchange admin center (EAC ) or the Exchange Management
Shell. If you create a policy in the EAC, you can configure only a subset of the available settings. You can configure
the rest of the settings using the Exchange Management Shell.
SETTING DESCRIPTION
Allow Bluetooth This setting specifies whether a mobile device allows Bluetooth
connections. The available options are Disable, HandsFree
Only, and Allow. The default value is Allow.
Allow Camera This setting specifies whether the mobile device camera can be
used. The default value is $true .
Allow Consumer EMail This setting specifies whether the mobile device user can
configure a personal email account (either POP3 or IMAP4) on
the mobile device. The default value is $true . This setting
doesn't control access to email accounts that are using third-
party mobile device email programs.
Allow Desktop Sync This setting specifies whether the mobile device can
synchronize with a computer through a cable, Bluetooth, or
IrDA connection. The default value is $true .
Allow External Device Management This setting specifies whether an external device management
program is allowed to manage the mobile device.
Allow HTML Email This setting specifies whether email synchronized to the
mobile device can be in HTML format. If this setting is set to
$false , all email is converted to plain text.
SETTING DESCRIPTION
Allow Internet Sharing This setting specifies whether the mobile device can be used
as a modem for a desktop or a portable computer. The default
value is $true .
Allow Mobile OTA Update This setting specifies whether the mobile device mailbox policy
settings can be sent to the mobile device over a cellular data
connection. The default value is $true .
Allow non-provisionable devices This setting specifies whether mobile devices that may not
support application of all policy settings are allowed to
connect to Exchange Server by using Exchange ActiveSync.
Allowing non-provisionable mobile devices has security
implications. For example, some non-provisionable devices
may not be able to implement an organization's password
requirements.
Allow POPIMAPEmail This setting specifies whether the user can configure a POP3
or an IMAP4 email account on the mobile device. The default
value is $true . This setting doesn't control access by third-
party email programs.
Allow Remote Desktop This setting specifies whether the mobile device can initiate a
remote desktop connection. The default value is true .
Allow simple password This setting enables or disables the ability to use a simple
password such as 1111 or 1234. The default value is $true .
Allow S/MIME encryption algorithm negotiation This setting specifies whether the messaging application on
the mobile device can negotiate the encryption algorithm if a
recipient's certificate doesn't support the specified encryption
algorithm.
Allow S/MIME software certificates This setting specifies whether S/MIME software certificates are
allowed on the mobile device.
Allow storage card This setting specifies whether the mobile device can access
information that's stored on a storage card.
Allow text messaging This setting specifies whether text messaging is allowed from
the mobile device. The default value is $true .
Allow unsigned applications This setting specifies whether unsigned applications can be
installed on the mobile device. The default value is $true .
Allow unsigned installation packages This setting specifies whether an unsigned installation package
can be run on the mobile device. The default value is $true .
Alphanumeric password required This setting requires that a password contains numeric and
non-numeric characters. The default value is $true .
Approved Application List This setting stores a list of approved applications that can be
run on the mobile device.
Device encryption enabled This setting enables encryption on the mobile device. Not all
mobile devices can enforce encryption. For more information,
see the device and mobile operating system documentation.
Device policy refresh interval This setting specifies how often the mobile device mailbox
policy is sent from the server to the mobile device.
Max attachment size This setting controls the maximum size of attachments that
can be downloaded to the mobile device. The default value is
Unlimited.
Max calendar age filter This setting specifies the maximum range of calendar days
that can be synchronized to the mobile device. The following
values are accepted:
1: All
2: OneDay
3: ThreeDays
4: OneWeek
5: TwoWeeks
6: OneMonth
Max email age filter This setting specifies the maximum number of days of email
items to synchronize to the mobile device. The following
values are accepted:
1: All
2: OneDay
3: ThreeDays
4: OneWeek
5: TwoWeeks
6: OneMonth
Max email body truncation size This setting specifies the maximum size at which email
messages are truncated when synchronized to the mobile
device. The value is in kilobytes (KB).
Max email HTML body truncation size This setting specifies the maximum size at which HTML email
messages are truncated when synchronized to the mobile
device. The value is in kilobytes (KB).
Max inactivity time lock This value specifies the length of time that the mobile device
can be inactive before a password is required to reactivate it.
You can enter any interval between 30 seconds and 1 hour.
The default value is 15 minutes.
SETTING DESCRIPTION
Max password failed attempts This setting specifies the number of attempts a user can make
to enter the correct password for the mobile device. You can
enter any number from 4 through 16. The default value is 8.
Min password complex characters This setting specifies the number of character sets that are
required in the password of the mobile device. The character
sets are:
• Lower case letters.
• Upper case letters.
• Digits 0 through 9.
• Special characters (for example, exclamation marks).
You can enter any number from 1 through 4. The default
value is 1.
For Windows Phone 8 devices, this setting specifies the
number of character sets that are required in the password.
For example, the value 3 requires at least one character from
any three of the character sets.
For Windows Phone 10 devices, this setting specifies the
following password complexity requirements:
1: Digits only.
2: Digits and lower case letters.
3: Digits, lower case letters, and upper case letters.
4: Digits, lower case letters, upper case letters, and special
characters.
Min password length This setting specifies the minimum number of characters in
the mobile device password. You can enter any number from
1 through 16. The default value is 4.
Password history This setting specifies the number of past passwords that can
be stored in a user's mailbox. A user can't reuse a stored
password.
Password recovery enabled When this setting is enabled, the mobile device generates a
recovery password that's sent to the server. If the user forgets
their mobile device password, the recovery password can be
used to unlock the mobile device and enable the user to
create a new mobile device password.
Require device encryption This setting specifies whether device encryption is required. If
set to $true , the mobile device must be able to support and
implement encryption to synchronize with the server.
Require encrypted S/MIME messages This setting specifies whether S/MIME messages must be
encrypted. The default value is $false .
Require encryption S/MIME algorithm This setting specifies what required algorithm must be used
when encrypting S/MIME messages.
SETTING DESCRIPTION
Require manual synchronization while roaming This setting specifies whether the mobile device must
synchronize manually while roaming. Allowing automatic
synchronization while roaming will frequently lead to larger-
than-expected data costs for the mobile device data plan.
Require signed S/MIME algorithm This setting specifies what required algorithm must be used
when signing a message.
Require signed S/MIME messages This setting specifies whether the mobile device must send
signed S/MIME messages.
Require storage card encryption This setting specifies whether the storage card must be
encrypted. Not all mobile device operating systems support
storage card encryption. For more information, see your
mobile device and mobile operating system documentation.
Unapproved InROM application list This setting specifies a list of applications that cannot be run in
ROM.
Mobile devices
8/23/2019 • 2 minutes to read • Edit Online
There are many different mobile phones and devices enabled for Exchange ActiveSync. These include Windows
Phones, Nokia mobile phones, Android phones and tablets, and the Apple iPhone, iPod, and iPad.
Both phone and non-phone mobile devices support Exchange ActiveSync, and in most Exchange ActiveSync
documentation, we use the term mobile device. Unless the feature or features we're discussing require a cellular
telephone signal, such as SMS message notification, the term mobile device applies to both mobile phones and
other mobile devices such as tablets.
This article is about enabling users in your organization to access their Exchange 2016 or Exchange 2019
mailboxes with their mobile devices using Exchange ActiveSync.
Prerequisites
You've reviewed the manufacturer's documentation for the mobile phone you want to configure.
Exchange ActiveSync is enabled in your organization.
NOTE
For device-specific information about setting up Exchange-based email on a phone or tablet, see Set up a mobile device using
Office 365 for business.
Your users carry sensitive corporate information in their pockets every day. If one of them loses their mobile
phone, your data can end up in the hands of another person. If one of your users loses their mobile phone, you can
use the Exchange admin center (EAC ) or the Exchange Management Shell to wipe their phone clean of all
corporate and user information.
NOTE
This topic also provides instructions for how to use Outlook on the web to perform a remote wipe on a phone. The user must
be signed in to Outlook on the web to perform a remote wipe.
NOTE
If you are using Intune, you should be using Intune to trigger data removal, not Exchange. Depending on the scenario, it
could be accomplished via App Protection Policy selective wipe, or Device enrollment retire/wipe commands.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Although users typically access their Exchange mailboxes by using Outlook (MAPI), Outlook on the web
(formerly known as Outlook Web App), and Exchange ActiveSync, POP3 and IMAP4 are available in Exchange
Server 2016 and Exchange Server 2019. To support clients that still rely on these protocols, you need to start the
services, and configure the settings for POP3 and IMAP4. For detailed instructions, see the following topics:
Enable and configure POP3 on an Exchange server
Enable and configure IMAP4 on an Exchange server
Configure authenticated SMTP settings for POP3 and IMAP4 clients in Exchange Server
After you enable and configure POP3 or IMAP4 on the Exchange server, you can enable or disable POP3 or
IMAP4 access to specific mailboxes. For more information, see Enable or disable POP3 or IMAP4 access to
mailboxes in Exchange Server.
Note: Clients connect to the POP3 and IMAP4 services in the Client Access (frontend) services on the Mailbox
server. They never connect directly to the POP3 and IMAP4 backend services. For more information, see Client
access protocol architecture.
By default, POP3 client connectivity isn't enabled in Exchange. To enable POP3 client connectivity, you need to
perform the following steps:
1. Start the POP3 services, and configure the services to start automatically:
Microsoft Exchange POP3: This is the Client Access (frontend) service that POP3 clients connect
to.
Microsoft Exchange POP3 Backend: POP3 client connections from the Client Access service are
proxied to the backend service on the server that hold the active copy of the user's mailbox. For
more information, see Client Access protocol architecture.
2. Configure the POP3 settings for external clients.
By default, Exchange uses the following settings for internal POP3 connections:
POP3 server FQDN: <ServerFQDN> . For example, mailbox01.contoso.com .
TCP port and encryption method: 995 for always TLS encrypted connections, and 110 for
unencrypted connections, or for opportunistic TLS (STARTTLS ) that results in an encrypted
connection after the initial plain text protocol handshake.
To allow external POP3 clients to connect to mailboxes, you need to configure the POP3 server FQDN,
TCP port, and encryption method for external connections. This step causes the external POP3 settings to
be displayed in Outlook on the web (formerly known as Outlook Web App) at Settings > Options > Mail
> Accounts > POP and IMAP.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Step 1: Start the POP3 services, and configure the services to start
automatically
You can perform this step by using the Windows Services console, or the Exchange Management Shell.
Use the Windows Services console to start the POP3 services, and configure the services to start automatically
1. On the Exchange server, open the Windows Services console. For example:
Run the command services.msc from the Run dialog, a Command Prompt window, or the
Exchange Management Shell.
Open Server Manager, and then click Tools > Services.
2. In the list of services, select Microsoft Exchange POP3, and then click Action > Properties.
3. The Microsoft Exchange POP3 Properties window opens. On the General tab, configure the following
settings:
Startup type: Select Automatic.
Service status: Click Start.
When you're finished, click OK.
4. In the list of services, select Microsoft Exchange POP3 Backend, and then click Action > Properties.
5. The Microsoft Exchange POP3 Backend Properties window opens. On the General tab, configure the
following settings:
Startup type: Select Automatic.
Service status: Click Start.
When you're finished, click OK.
Use the Exchange Management Shell to start the POP3 services, and configure the services to start
automatically
1. Run the following command to start the POP3 services:
2. Run the following command to configure the POP3 services to start automatically:
For more information about these cmdlets, see Start-Service and Set-Service.
How do you know this step worked?
To verify that you've successfully started the POP3 services, use either of the following procedures:
On the Exchange server, open Windows Task Manager. On the Services tab, verify that the Status value
for the MSExchangePOP3 and MSExchangePOP3BE services is Running.
In the Exchange Management Shell, run the following command to verify that the POP3 services are
running:
This example allows configures the following settings for external POP3 connections:
POP3 server FQDN: mail.contoso.com
TCP port: 995 for always TLS encrypted connections, and 110 for unencrypted connections or
opportunistic TLS (STARTTLS ) encrypted connections.
Internal Exchange server IP address and TCP port for always TLS encrypted connections: All
available IPv4 and IPv6 addresses on the server on port 995 (we aren't using the SSLBindings parameter,
and the default value is [::]:995,0.0.0.0:995 ).
Internal Exchange server IP address and TCP port for unencrypted or opportunistic TLS
(STARTTLS ) encrypted connections: All available IPv4 and IPv6 addresses on the server on port 110
(we aren't using the UnencryptedOrTLSBindings parameter, and the default value is [::]:110,0.0.0.0:110 ).
FQDN used for encryption: mail.contoso.com. This value identifies the certificate that matches or
contains the POP3 server FQDN.
Notes:
For detailed syntax and parameter information, see Set-PopSettings.
The external POP3 server FQDN that you configure needs to have a corresponding record in your public
DNS, and the TCP port (110 or 995) needs to be allowed through your firewall to the Exchange server.
The combination of encryption methods and TCP ports that you use for the ExternalConnectionSettings
parameter need to match the corresponding TCP ports and encryption methods that you use for the
SSLBindings or UnencryptedOrTLSBindings parameters.
Although you can use a separate certificate for POP3, we recommend that you use the same certificate as
the other Exchange IIS (HTTP ) services, which is likely a wildcard certificate or a subject alternative name
(SAN ) certificate from a commercial certification authority that's automatically trusted by all clients. For
more information, see Certificate requirements for Exchange services.
If you use a single subject certificate, or a SAN certificate, you also need to assign the certificate to the
Exchange POP service. You don't need to assign a wildcard certificate to the Exchange POP service. For
more information, see Assign certificates to Exchange Server services .
How you do know this step worked?
To verify that you've successfully configured the POP3 settings for external clients, run the following command in
the Exchange Management Shell and verify the settings:
2. Click Mail > Accounts > POP and IMAP and verify the correct POP3 settings are displayed.
Note: If you configured 995/SSL and 110/TLS values for the ExternalConnectionSettings parameter on
the Set-PopSettings cmdlet, only the 995/SSL value is displayed in Outlook on the web. Also, if the
external POP3 settings that you configured don't appear as expected in Outlook on the web after you
restart the POP3 services, run the commands net stop was /y and net start w3svc to restart Internet
Information Services (IIS ).
3. You can test POP3 client connectivity to the Exchange server by using the following methods:
Internal clients: Use the Test-PopConnectivity cmdlet. For example,
Test-PopConnectivity -ClientAccessServer <ServerName> -Lightmode -MailboxCredential (Get-
Credential)
. For more information, see Test-PopConnectivity.
Note: The Lightmode switch tells the command test POP3 logons to the server. To test sending
(SMTP ) and receiving (POP3) a message, you need to configure the authenticated SMTP settings as
described in POP3 and IMAP4 in Exchange Server.
External clients: Use the Exchange Server > POP Email test in the Microsoft Remote
Connectivity Analyzer at https://go.microsoft.com/fwlink/p/?LinkID=313839.
Note: You can't use POP3 to connect to the Administrator mailbox. This limitation was intentionally
included in Exchange 2016 and Exchange 2019 to enhance the security of the Administrator mailbox.
Next steps
To enabled or disable POP3 access to individual mailboxes, see Enable or disable POP3 or IMAP4 access to
mailboxes in Exchange Server.
Enable and configure IMAP4 on an Exchange server
8/23/2019 • 8 minutes to read • Edit Online
By default, IMAP4 client connectivity isn't enabled in Exchange. To enable IMAP4 client connectivity, you need to
perform the following steps:
1. Start the IMAP4 services, and configure the services to start automatically:
Microsoft Exchange IMAP4: This is the Client Access (frontend) service that IMAP4 clients
connect to.
Microsoft Exchange IMAP4 Backend: IMAP4 client connections from the Client Access service
are proxied to the backend service on the server that hold the active copy of the user's mailbox. For
more information, see Exchange architecture.
2. Configure the IMAP4 settings for external clients.
By default, Exchange uses the following settings for internal IMAP4 connections:
IMAP4 server FQDN: <ServerFQDN> . For example, mailbox01.contoso.com .
TCP port and encryption method: 993 for always TLS encrypted connections, and 143 for
unencrypted connections, or for opportunistic TLS (STARTTLS ) that results in an encrypted
connection after the initial plain text protocol handshake.
To allow external IMAP4 clients to connect to mailboxes, you need to configure the IMAP4 server FQDN,
TCP port, and encryption method for external connections. This step causes the external IMAP4 settings to
be displayed in Outlook on the web (formerly known as Outlook Web App) at Settings > Options > Mail
> Accounts > POP and IMAP.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Step 1: Start the IMAP4 services, and configure the services to start
automatically
You can perform this step by using the Windows Services console, or the Exchange Management Shell.
Use the Windows Services console to start the IMAP4 services, and configure the services to start
automatically
1. On the Exchange server, open the Windows Services console. For example:
Run the command services.msc from the Run dialog, a Command Prompt window, or the
Exchange Management Shell.
Open Server Manager, and then click Tools > Services.
2. In the list of services, select Microsoft Exchange IMAP4, and then click Action > Properties.
3. The Microsoft Exchange IMAP4 Properties window opens. On the General tab, configure the following
settings:
Startup type: Select Automatic.
Service status: Click Start.
When you're finished, click OK.
4. In the list of services, select Microsoft Exchange IMAP4 Backend, and then click Action > Properties.
5. The Microsoft Exchange IMAP4 Backend Properties window opens. On the General tab, configure the
following settings:
Startup type: Select Automatic.
Service status: Click Start.
When you're finished, click OK.
Use the Exchange Management Shell to start the IMAP4 services, and configure the services to start
automatically
1. Run the following command to start the IMAP4 services:
2. Run the following command to configure the IMAP4 services to start automatically:
For more information about these cmdlets, see Start-Service and Set-Service.
How do you know this step worked?
To verify that you've successfully started the IMAP4 services, use either of the following procedures:
On the Exchange server, open Windows Task Manager. On the Services tab, verify that the Status value
for the MSExchangeIMAP4 and MSExchangeIMAP4BE services is Running.
In the Exchange Management Shell, run the following command to verify that the IMAP4 services are
running:
This example allows configures the following settings for external IMAP4 connections:
IMAP4 server FQDN: mail.contoso.com
TCP port: 993 for always TLS encrypted connections, and 143 for unencrypted connections or
opportunistic TLS (STARTTLS ) encrypted connections.
Internal Exchange server IP address and TCP port for always TLS encrypted connections: All
available IPv4 and IPv6 addresses on the server on port 993 (we aren't using the SSLBindings parameter,
and the default value is [::]:993,0.0.0.0:993 ).
Internal Exchange server IP address and TCP port for unencrypted or opportunistic TLS
(STARTTLS ) encrypted connections: All available IPv4 and IPv6 addresses on the server on port 143
(we aren't using the UnencryptedOrTLSBindings parameter, and the default value is [::]:143,0.0.0.0:143 ).
FQDN used for encryption: mail.contoso.com. This value identifies the certificate that matches or
contains the IMAP4 server FQDN.
2. Click Mail > Accounts > POP and IMAP and verify the correct IMAP4 settings are displayed.
Note: If you configured 993/SSL and 143/TLS values for the ExternalConnectionSettings parameter on
the Set-ImapSettings cmdlet, only the 993/SSL value is displayed in Outlook on the web. Also, if the
external IMAP4 settings that you configured don't appear as expected in Outlook on the web after you
restart the IMAP4 services, run the commands net stop was /y and net start w3svc to restart Internet
Information Services (IIS ).
3. You can test IMAP4 client connectivity to the Exchange server by using the following methods:
Internal clients: Use the Test-ImapConnectivity cmdlet. For example,
Test-ImapConnectivity -ClientAccessServer <ServerName> -Lightmode -MailboxCredential (Get-Credential) .
For more information, see Test-ImapConnectivity.
Note: The Lightmode switch tells the command test IMAP4 logons to the server. To test sending (SMTP )
and receiving (IMAP4) a message, you need to configure the authenticated SMTP settings as described in
Configure authenticated SMTP settings for POP3 and IMAP4 clients in Exchange Server.
External clients: Use the Exchange Server > Imap Email test in the Microsoft Remote Connectivity
Analyzer at https://go.microsoft.com/fwlink/p/?LinkID=313840.
Note: You can't use IMAP4 to connect to the Administrator mailbox. This limitation was intentionally
included in Exchange 2016 and Exchange 2019 to enhance the security of the Administrator mailbox.
Next steps
To enabled or disable IMAP4 access to individual mailboxes, see Enable or disable POP3 or IMAP4 access to
mailboxes in Exchange Server.
Enable or disable POP3 or IMAP4 access to
mailboxes in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
After you enable and configure POP3 or IMAP4 on an Exchange server as described in Enable and configure
POP3 on an Exchange server and Enable and configure IMAP4 on an Exchange server, all user mailboxes (with
the exception of the Administrator mailbox) can be accessed by using POP3 or IMAP4. You can use the
procedures in this topic to disable POP3 and IMAP4 access to specific mailboxes.
For more information about POP3 and IMAP4, see POP3 and IMAP4 in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
This example disables POP3 and IMAP4 access to the mailbox named Rand Zaher.
This example enables POP3 and IMAP4 access to the mailbox named Rand Zaher.
Use the Exchange Management Shell to enable or disable POP3 or IMAP4 access to multiple mailboxes
You can use the Get-Mailbox, Get-User, or Get-Content cmdlets to identify the mailboxes that you want to
modify. For example:
Use the OrganizationalUnit parameter to filter the mailboxes by organizational unit (OU ).
Use the Filter parameter to create OPATH filters that identify the mailboxes. For more information, see
Filterable Properties for the -Filter Parameter.
Use a text file to specify the mailboxes. The text file contains one mailbox (email address, name, or other
unique identifier) on each line like this:
ebrunner@tailspintoys.com
fapodaca@tailspintoys.com
glaureano@tailspintoys.com
hrim@tailspintoys.com
This example disables POP3 and IMAP4 access to all user mailboxes in the North America\Finance OU.
This example disables POP3 and IMAP4 access to all mailboxes in the Engineering department in Washington
state.
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and StateOrProvince -
eq 'WA'} | Set-CasMailbox -PopEnabled $false -ImapEnabled $false
This example uses the text file C:\My Documents\Accounts.txt to disable POP3 or IMAP4 access to the specified
mailboxes.
Get-Content "C:\My Documents\Accounts.txt" | foreach {Set-CASMailbox $_ -PopEnabled $false -ImapEnabled
$false}
In the Exchange Management Shell, replace <MailboxIdentity> with the identity of the mailbox (for
example, name, alias, or email address), and run the following command:
Use the same filter that you used to identify the mailboxes, but use the Get-CasMailbox cmdlet instead of
Set-CasMailbox. For example:
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and
StateOrProvince -eq 'WA'} | Get-CasMailbox
In the Exchange Management Shell, run this command to show all mailboxes where POP3 and IMAP4
access is disabled:
Get-CasMailbox -ResultSize unlimited -Filter {PopEnabled -eq $false -and ImapEnabled -eq $false}
Configure authenticated SMTP settings for POP3
and IMAP4 clients in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
After you enable and configure POP3 or IMAP4 on an Exchange server as described in Enable and configure
POP3 on an Exchange server and Enable and configure IMAP4 on an Exchange server, you need to configure the
authenticated SMTP settings for POP3 and IMAP4 clients so they can send email messages.
The default Receive connector named "Client Frontend <Server name>" in the Client Access services on the
Mailbox server listens for authenticated SMTP client submissions on port 587. By default, this connector uses the
following settings for internal and external client (authenticated) SMTP connections:
SMTP server: <ServerFQDN> . For example, mailbox01.contoso.com .
TCP port: 587
Encryption method: TLS. Note that this is opportunistic TLS ( STARTTLS ) that results in an encrypted
connection after the initial plain text protocol handshake.
For more information, see Default Receive connectors created during setup and Client access protocol
architecture.
To configure the authenticated SMTP settings that are used by POP3 and IMAP4 clients, perform the following
steps:
1. Configure the FQDN on the "Client Frontend <Server name>" Receive connector.
2. Specify the certificate that's used to encrypt authenticated SMTP client connections.
3. Configure Outlook on the web (formerly known as Outlook Web App) to display the SMTP settings for
authenticated SMTP clients at Settings > Options > Mail > Accounts > POP and IMAP.
For more information about POP3 and IMAP4, see POP3 and IMAP4 in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
This example uses the certificate that has the thumbprint value
434AC224C8459924B26521298CE8834C514856AB.
$TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"
3. Verify the Subject or CertificateDomains field of the certificate that you specified on the Receive
connector contains the Fqdn value of the Receive connector (exact match or wildcard match).
Note: To prevent the SMTP settings from being displayed in Outlook on the web, change the value from $true
to $false .
How do you know this step worked?
To verify that you've configured Outlook on the web to display the SMTP settings for authenticated SMTP clients,
perform the following steps:
1. Open a mailbox in Outlook on the web, and then click Settings > Options.
2. Click Mail > Accounts > POP and IMAP and verify the correct SMTP settings are displayed.
Note: If the SMTP settings that you configured don't appear as expected in Outlook on the web, run the
commands net stop was /y and net start w3svc to restart Internet Information Services (IIS ).
Outlook for iOS and Android supports two authentication types in Exchange on-premises environments: Basic
authentication and hybrid Modern Authentication.
Outlook for iOS and Android uses Basic authentication with Exchange ActiveSync in the following environments:
In Exchange Server 2010 environments
When a hybrid relationship with Office 365 has not been configured
When hybrid Modern Authentication has not been enabled
For more information see Using Basic authentication with Outlook for iOS and Android.
For customers running Exchange Server 2013, Exchange Server 2016, or Exchange Server 2019 in a hybrid
relationship with Office 365, Outlook for iOS and Android can be configured to leverage hybrid Modern
Authentication. For more information, see Using hybrid Modern Authentication with Outlook for iOS and Android.
NOTE
The Outlook for iOS and Android Help Center is available for users, including help for using the app on specific devices and
troubleshooting information.
Using hybrid Modern Authentication with Outlook
for iOS and Android
8/23/2019 • 23 minutes to read • Edit Online
The Outlook app for iOS and Android is designed as the best way to experience Office 365 on your mobile device
by leveraging Microsoft services to help find, plan, and prioritize your daily life and work. Outlook provides the
security, privacy, and support you need while protecting corporate data via capabilities such as Azure Active
Directory conditional access and Intune app protection policies. The following sections provide an overview of the
hybrid Modern Authentication architecture, the required pre-requisites for its deployment, and how to securely
deploy Outlook for iOS and Android for Exchange on-premises mailboxes.
Data passing from Exchange Online to the Outlook app is passed via a TLS -secured connection. The protocol
translator running on Azure serves to route data, commands and notifications, but has no ability to read the data
itself.
The Exchange ActiveSync (EAS ) connection between Exchange Online and the on-premises environment enables
synchronization of the users' on-premises data and includes four weeks of email, all calendar data, all contact data,
and out-of-office status in your Exchange Online tenant. This data will be removed automatically from Exchange
Online after 30 days when the account is deleted in Azure Active Directory.
Data synchronization between the on-premises environment and Exchange Online happens independent of user
behavior. This ensures that we can send new messages to the devices very quickly.
Processing information in the Microsoft Cloud enables advanced features and capabilities, such as the
categorization of email for the Focused Inbox, customized experience for travel and calendar, and improved search
speed. Relying on the cloud for intensive processing and minimizing the resources required from users' devices
enhances the app's performance and stability. Lastly, it allows Outlook to build features that work across all email
accounts, regardless of the technological capabilities of the underlying servers (such as different versions of
Exchange Server, or Office 365).
Specifically, this new architecture has the following improvements:
1. Enterprise Mobility + Security support: Customers can take advantage of Microsoft Enterprise Mobility
+ Security (EMS ) including Microsoft Intune and Azure Active Directory Premium, to enable conditional
access and Intune app protection policies, which control and secure corporate messaging data on the
mobile device.
2. Fully powered by Microsoft Cloud: The on-premises mailbox data is synchronized into Exchange Online,
which provides the benefits of security, privacy, compliance and transparent operations that Microsoft
commits to in the Microsoft Trust Center.
3. OAuth protects users' passwords: Outlook leverages hybrid Modern Authentication (OAuth) to protect
users' credentials. Hybrid Modern Authentication provides Outlook with a secure mechanism to access the
Exchange data without ever touching or storing a user's credentials. At sign in, the user authenticates
directly against an identity platform (either Azure Active Directory or an on-premises identity provider like
ADFS ) and receives an access token in return, which grants Outlook access to the user's mailbox or files. At
no time does the service have access to the user's password.
4. Provides Unique Device IDs: Each Outlook connection is uniquely registered in Microsoft Intune and can
therefore be managed as a unique connection.
5. Unlocks new features on iOS and Android: This update enables the Outlook app to take advantage of
native Office 365 features that are not supported in Exchange on-premises today, such as leveraging full
Exchange Online search and Focused Inbox. These features will only be available when using Outlook for
iOS and Android.
NOTE
Device management through the on-premises Exchange admin center (EAC) is not possible. Intune is required to manage
mobile devices.
Connection flow
When Outlook for iOS and Android is enabled with hybrid Modern Authentication, the connection flow is as
follows.
1. After the user enters their email address, Outlook for iOS and Android connects to the AutoDetect service.
AutoDetect determines the mailbox type by initiating an AutoDiscover query to Exchange Online. Exchange
Online determines that the user's mailbox is on-premises and returns a 302-redirect to AutoDetect with the
on-premises Autodiscover URL. AutoDetect initiates a query against the on-premises AutoDiscover service
to determine the ActiveSync endpoint for the email address. The URL attempted on-premises is similar to
this example: https://autodiscover.contoso.com/autodiscover/autodiscover.json?
Email=test%40contoso.com&Protocol=activesync&RedirectCount=3.
2. AutoDetect initiates a connection to the on-premises ActiveSync URL returned in Step 1 above with an
empty bearer challenge. The empty bearer challenge tells the on-premises ActiveSync that the client
supports Modern Authentication. On-premises ActiveSync responds with a 401-challenge response and
includes the WWW -Authenticate: Bearer header. Within the WWW -Authenticate: Bearer header is the
authorization_uri value that identifies the Azure Active Directory (AAD ) endpoint that should be used to
obtain an OAuth token.
3. AutoDetect returns the AAD endpoint to the client. The client begins the log-in flow and the user is
presented with a Web form (or redirected to the Microsoft Authenticator app) and can enter credentials.
Depending on the identity configuration, this may or may not involve a federated endpoint redirect to an
on-premises identity provider. Ultimately, the client obtains an access-and-refresh token pair, which is
named AT1/RT1. This access token is scoped to the Outlook for iOS and Android client with an audience of
the Exchange Online endpoint.
4. Outlook for iOS and Android establishes a connection to the Stateless Protocol Translator where the client's
proprietary device protocol is translated into a protocol that Exchange Online understands.
5. A provisioning request is passed to Exchange Online which includes the user's access token (AT1) and the
on-premises ActiveSync endpoint.
6. The MRS provisioning API within Exchange Online utilizes AT1 as input and obtains a second access-and-
refresh token pair (named AT2/RT2) to access the on-premises mailbox via an on-behalf-of call to Azure
Active Directory. This second access token is scoped with the client being Exchange Online and an audience
of the on-premises ActiveSync namespace endpoint.
7. If the mailbox is not provisioned, then the provisioning API creates a mailbox.
8. The MRS provisioning API establishes a secure connection to the on-premises ActiveSync endpoint and
synchronizes the user's messaging data using the AT2 access token as the authentication mechanism. RT2 is
used periodically to generate a new AT2 so that data can be synchronized in the background without user
intervention.
NOTE
On-premises accounts leveraging hybrid Modern Authentication with Outlook mobile are not supported with Office 365 US
Government Community and Defense tenants, Office 365 Germany tenants, and Office 365 China operated by 21Vianet
tenants.
NOTE
Hybrid Modern Authentication is not supported with the Hybrid Agent.
Requires an Office 365 Enterprise, Business, or Education tenant.
The on-premises mailbox data is synchronized in the same datacenter region where that Office 365
tenant is setup. For more about where Office 365 data is located, visit the Microsoft Trust Center.
The external URL host names for Exchange ActiveSync and AutoDiscover must be published as
service principals to Azure Active Directory through the Hybrid Configuration Wizard.
AutoDiscover and Exchange ActiveSync namespaces must be accessible from the Internet and
cannot be fronted by a pre-authentication solution.
Ensure SSL or TLS offloading is not being used between the load balancer and your Exchange
servers, as this will affect the use of the OAuth token. SSL and TLS bridging (termination and re-
encryption) is supported.
4. Intune setup: Both cloud-only and hybrid deployments of Intune are supported (MDM for Office 365 is
not supported).
5. Office 365 licensing:
Outlook for iOS and Android requires an Office 365 subscription that includes the Office desktop
applications: Business, Business Premium, Enterprise E3, E5, and ProPlus, or the corresponding
versions of those plans for Government or Education. Commercial users with the following
subscriptions are allowed to use Outlook for iOS and Android on devices with integrated screens
10.1" diagonally or less: Office 365 Enterprise E1, Office 365 F1, Office 365 Business Essentials,
Office 365 A1, and if you only have an Exchange Online license (without Office). If you only have an
Exchange on-premises (Exchange Server) license, your users are not licensed to use the app.
Use of advanced Exchange Online features (e.g., Service Encryption with Customer Key or Multi-Geo
Capabilities) require the on-premises user to be assigned the applicable Office 365 subscription
license within the Microsoft 365 Admin Center.
For more information on how to assign a license, see Assign licenses to users in Office 365 for business.
6. EMS licensing: Each on-premises user must have one of the following licenses:
Intune standalone + Azure Active Directory Premium 1 or Azure Active Directory Premium 2
Enterprise Mobility + Security E3, Enterprise Mobility + Security E5
Implementation steps
Enabling support for hybrid Modern Authentication in your organization requires each of the following steps,
which are detailed in the following sections:
1. Create a conditional access policy
2. Create an Intune app protection policy
3. Enable hybrid Modern Authentication
Create a conditional access policy
When an organization decides to standardize how users access Exchange data, using Outlook for iOS and Android
as the only email app for end users, they can configure a conditional access policy that blocks other mobile access
methods. Outlook for iOS and Android authenticates via the Azure Active Directory identity object and then
connects to Exchange Online. Therefore, you will need to create Azure Active Directory conditional access policies
to restrict mobile device connectivity to Exchange Online. To do this, you will need two conditional access policies,
with each policy targeting all potential users. Details on creating these polices can be found in Azure Active
Directory app-based conditional access.
1. The first policy allows Outlook for iOS and Android, and it blocks OAuth capable Exchange ActiveSync
clients from connecting to Exchange Online. For more information, see Step 1 - Configure an Azure AD
conditional access policy for Exchange Online" in Azure Active Directory app-based conditional access.
2. The second policy prevents Exchange ActiveSync clients leveraging basic authentication from connecting to
Exchange Online. For more information, see "Step 2 - Configure an Azure AD conditional access policy for
Exchange Online with Active Sync (EAS )" in Azure Active Directory app-based conditional access.
The policies leverage the grant control Require approved client app, which ensures only Microsoft apps that have
integrated the Intune SDK are granted access.
IMPORTANT
To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For
Android devices, the Intune Company Portal app is leveraged. For more information, see App-based conditional access with
Intune.
In order to block other mobile device clients (such as the native mail client included in the mobile operating
system) from connecting to your on-premises environment (which authenticate via basic authentication against
on-premises Active Directory), you have two options:
1. You can leverage the built-in Exchange mobile device access rules and block all mobile devices from
connecting by setting the following in the Exchange Management Shell:
2. You can leverage an on-premises conditional access policy within Intune after installing the on-premises
Exchange connector. For more information, see Create a conditional access policy for Exchange on-premises
and legacy Exchange Online Dedicated.
NOTE
When implementing either of the above on-premises options, be aware that it may impact users connecting to Exchange on
their mobile devices.
IMPORTANT
To apply Intune app protection policies against apps on Android devices that are not enrolled in Intune, the user must also
install the Intune Company Portal. For more information, see What to expect when your Android app is managed by app
protection policies.
NOTE
Device management through the on-premises Exchange admin center is not possible. Intune is required to manage mobile
devices.
3. Create an Exchange on-premises device access rule that prevents users from connecting to the on-premises
environment with Outlook for iOS and Android with basic authentication over the Exchange ActiveSync
protocol:
NOTE
Once this rule is created, Outlook for iOS and Android with Basic authentication users will be blocked.
3. Ensure your on-premises Exchange ActiveSync maxRequestLength is configured to match your transport
configuration's MaxSendSize/MaxReceiveSize:
Path: %ExchangeInstallPath%FrontEnd\HttpProxy\Sync\web.config
Property: maxRequestLength
NOTE
Because your company will be adding the Exchange ActiveSync namespace to the advertised prefixes in the ExpressRoute
circuit, the only way to reach the Exchange ActiveSync endpoint will be via the ExpressRoute. In other words, the only mobile
device that will be able to connect to on-premises via the ActiveSync namespace will be Outlook for iOS and Android. All
other ActiveSync clients (such as mobile devices' native mail clients) will be unable to connect to the on-premises
environment as the connection will not be established from the Microsoft Cloud. This is because there can't be any overlaps
of the public IP space advertised to Microsoft on the ExpressRoute circuit and the public IP space advertised on your
Internet circuit(s).
Q: Given only four weeks of message data is synchronized to Exchange Online, does this mean that search queries
executed in Outlook for iOS and Android cannot return information beyond the data available on the local device?
A: When a search query is performed in Outlook for iOS and Android, items that match the search query are
returned if they are located on the device. In addition, the search query is passed to Exchange on-premises via
Exchange Online. Exchange on-premises executes the search query against the on-premises mailbox and returns
the results to Exchange Online, which relays the results to the client. The on-premises query results are stored in
Exchange Online for one day before being deleted.
Q: How do I know that the email account is added correctly in Outlook for iOS and Android?
A: On-premises mailboxes that are added via hybrid Modern Authentication are labelled as Exchange (Hybrid)
in the account settings in Outlook for iOS and Android, similar to the following example:
Authentication FAQ
Q: What identity configurations are supported with hybrid Modern Authentication and Outlook for iOS and
Android?
A: The following identity configurations with Azure Active Directory are supported with hybrid Modern
Authentication:
Federated Identity with any on-premises identity provider that is supported by Azure Active Directory
Password Hash Synchronization via Azure Active Directory Connect
Pass-through Authentication via Azure Active Directory Connect
Q: What authentication mechanism is used for Outlook for iOS and Android? Are credentials stored in Office 365?
A: See Account setup with modern authentication in Exchange Online.
Q: Do Outlook for iOS and Android and other Microsoft Office mobile apps support single sign-on?
A: See Account setup with modern authentication in Exchange Online.
Q: What is the lifetime of the tokens generated and used by the Active Directory Authentication Library (ADAL ) in
Outlook for iOS and Android?
A: See Account setup with modern authentication in Exchange Online.
Q: What happens to the access token when a user's password is changed?
A: See Account setup with modern authentication in Exchange Online.
Q: Is there a way for a user to bypass AutoDetect when adding their account to Outlook for iOS and Android?
A: Yes, a user can bypass AutoDetect at any time and manually configure the connection using Basic
authentication over the Exchange ActiveSync protocol. To ensure that the user does not establish a connection to
your on-premises environment via a mechanism that does not support Azure Active Directory Conditional Access
or Intune app protection policies, the on-premises Exchange Administrator needs to configure an Exchange device
access rule that blocks the ActiveSync connection. To do this, type the following command in the Exchange
Management Shell:
Troubleshooting
Below are the most common issues or errors with on-premises mailboxes using hybrid Modern Authentication
with Outlook for iOS and Android.
AutoDiscover and ActiveSync
During profile creation, the user should be presented a Modern Authentication dialog similar to this:
If, instead, the user is presented with one of the following dialogs, then there is an issue with either the
Autodiscover or ActiveSync on-premises endpoints.
Here is an example of a user being presented with the legacy Basic authentication Exchange ActiveSync
experience:
And here's an example of what users see when AutoDetect isn't able to discover the configuration for users' on-
premises mailboxes.
In either scenario, verify that your on-premises environment is correctly configured. To do this: from the TechNet
Gallery, download and execute the script for Validating Hybrid Modern Authentication setup for Outlook for iOS
and Android.
When you review the output from the script, you should be seeing the following from AutoDiscover:
{
"Protocol": "activesync",
"Url": "https://mail.contoso.com/Microsoft-Server-ActiveSync"
}
The on-premises ActiveSync endpoint should return the following response, where the WWW -Authenticate
header includes an authorization_uri:
Content-Length →0
Date →Mon, 29 Jan 2018 19:51:46 GMT
Server →Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-
0000-c000-000000000000@5de110f8-2e0f-4d45-891d-bcf2218e253d,00000004-0000-0ff1-ce00-000000000000@contoso.com",
token_types="app_asserted_user_v1 service_asserted_app_v1",
authorization_uri="https://login.windows.net/common/oauth2/authorize"
Www-Authenticate →Basic realm="mail.contoso.com"
X-Powered-By →ASP.NET
request-id →5ca2c827-5147-474c-8457-63c4e5099c6e
If the AutoDiscover or ActiveSync responses are not similar to the above examples, you can investigate the
following as possible causes:
1. If the AutoDiscover endpoint cannot be reached, then it's likely there's a firewall or load balancer
configuration issue (for example, IP restrictions are configured and the required IP ranges are not present).
Also, there may be a device in front of Exchange requiring pre-authentication to access the AutoDiscover
endpoint.
2. If the AutoDiscover endpoint does not return the correct URL, then there is a configuration issue with the
ActiveSync virtual directory's ExternalURL value.
3. If the ActiveSync endpoint cannot be reached, then there is a firewall or load balancer configuration issue.
Again, one example is IP restrictions are configured and the required IP ranges are not present. Also, there
may be a device in front of Exchange requiring pre-authentication to access the ActiveSync endpoint.
4. If the ActiveSync endpoint does not contain an authorization_uri value, verify that the EvoSTS
authentication server is configured as the default endpoint using Exchange Management Shell:
5. If the ActiveSync endpoint does not contain a WWW -Authenticate header, then a device in front of
Exchange may be responding to the query.
Client synchronization issues
There are a few scenarios that can result in data being stale in Outlook for iOS and Android. Typically, this is due
to an issue with the second access token (the token used by MRS in Exchange Online to synchronize the data with
the on-premises environment). The two most common reasons for this issue are:
1. SSL/TLS offloading on-premises.
2. EvoSTS certificate metadata issues.
With SSL/TLS offloading, tokens are issued for a specific uri and that value includes the protocol value ("https://").
When the load balancer offloads SSL/TLS, the request Exchange receives comes in via HTTP, resulting in a claim
mismatch due to the protocol value being http://. The following is an example of a response header from a Fiddler
trace:
Content-Length →0
Date →Mon, 29 Jan 2018 19:51:46 GMT
Server →Microsoft-IIS/10.0 Microsoft-HTTPAPI/2.0
WWW-Authenticate →Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-
0000-c000-000000000000@00c118a9-2de9-41d3-b39a-81648a7a5e4d",
authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token"
WWW-Authenticate →Basic realm="mail.contoso.com"
X-Powered-By →ASP.NET
request-id →2323088f-8838-4f97-a88d-559bfcf92866
x-ms-diagnostics →2000003;reason="The hostname component of the audience claim value is invalid. Expected
'https://mail.contoso.com'. Actual 'http://mail.contoso.com'.";error_category="invalid_resource"
As specified above in the section Technical and licensing requirements, SSL/TLS offloading is not supported for
OAuth flows.
For EvoSTS Certificate Metadata, the certificate metadata leveraged by EvoSTS is occasionally updated in Office
365. The Exchange on-premises arbitration mailbox that has the organization capability of
"OrganizationCapabilityManagement" is responsible for detecting the changes and for updating the
corresponding metadata on-premises; this process executes every eight hours.
Exchange Administrators can find this mailbox by executing the following cmdlet using Exchange Management
Shell:
$x=Get-mailbox -arbitration | ? {$_.PersistedCapabilities -like "OrganizationCapabilityManagement"};Get-
MailboxDatabaseCopyStatus $x.database.name
On the server hosting the database for the OrganizationCapabilityManagement arbitration mailbox, review the
application event logs for events with a source of MSExchange AuthAdmin. The events should tell you if
Exchange was able to refresh the metadata. If the metadata is out of date, you can manually refresh it with this
ccmdlet:
You can also create a scheduled task that executes the above command every 24 hours.
Other issues
There are other issues that may prevent hybrid Modern Authentication from functioning correctly. For more
information, see the troubleshooting section in Announcing Hybrid Modern Authentication for Exchange On-
Premises.
Using Basic authentication with Outlook for iOS and
Android
8/23/2019 • 3 minutes to read • Edit Online
The Outlook app for iOS and Android is designed to bring together email, calendar, contacts, and other files,
enabling users in your organization to do more from their mobile devices. This article provides an overview of the
architecture and the storage design of the app, so that Exchange administrators can deploy and maintain Outlook
for iOS and Android in their Exchange organizations.
NOTE
This article is about using the app in an Exchange 2010, Exchange 2013, Exchange 2016 or Exchange 2019 environment
where hybrid modern authentication is not enabled. For more information about using hybrid Modern Authentication for
on-premises mailboxes with the app, see Using hybrid Modern Authentication with Outlook for iOS and Android. For
information about using the app with Exchange Online, see Outlook for iOS and Android in Exchange Online.
Outlook for iOS and Android offers Exchange administrators the ability to "push" account configurations to their
on-premises users who use Basic authentication with the ActiveSync protocol. This capability works with any
Mobile Device Management (MDM ) provider who uses the Managed App Configuration channel for iOS or the
Android in the Enterprise channel for Android.
For on-premises users enrolled in Microsoft Intune, you can deploy the account configuration settings using Intune
in the Azure Portal.
Once an account configuration has been created and the user enrolls their device, Outlook for iOS and Android will
detect that an account is "Found" and will then prompt the user to add the account. The only information the user
needs to enter to complete the setup process is their password. Then, the user's mailbox content will load and the
user can begin using the app.
The following images show an example of the end-user setup process after Outlook for iOS and Android has been
configured in Intune in the Azure Portal.
Create an app configuration policy for Outlook for iOS and Android
using Microsoft Intune
If you're using Microsoft Intune as your mobile device management provider, the following steps will allow you to
deploy account configuration settings for your on-premises mailboxes that leverage basic authentication with the
ActiveSync protocol. Once the configuration is created, you can assign the settings to groups of users, as detailed in
the next section, Assign configuration settings.
NOTE
If users in your organization use both iOS and Android for Work devices, you'll need to create a separate app configuration
policy for each platform.
NOTE
If Outlook is not listed as an available app, then you must add it by following the instructions in Add Android store
apps to Microsoft Intune and How to add iOS store apps to Microsoft Intune.
NOTE
To enter the key value pairs, you have a choice between using the configuration designer or entering an XML
property list.
KEY VALUES
com.microsoft.outlook.EmailProfile.EmailAccountName This value specifies the display name email account as it will
appear to users on their devices.
Value type: String
Accepted values: Display Name
Default if not specified: <blank>
Required: Yes
Example: user
Intune Token* : {{username}}
com.microsoft.outlook.EmailProfile.EmailAddress This value specifies the email address to be used for sending
and receiving mail.
Value type: String
Accepted values: Email address
Default if not specified: <blank>
Required: Yes
Example: user@companyname.com
Intune Token* : {{mail}}
com.microsoft.outlook.EmailProfile.EmailUPN This value specifies the User Principal Name or username for
the email profile that will be used to authenticate the account.
Value type: String
Accepted values: UPN Address or username
Default if not specified: <blank>
Required: Yes
Example: userupn@companyname.com
Intune Token* : {{userprincipalname}}
com.microsoft.outlook.EmailProfile.ServerAuthentication This value specifies the authentication method for the user.
Value type: String
Accepted values: 'Username and Password'
Default if not specified: 'Username and Password'
Required: No
Example: 'Username and Password'
com.microsoft.outlook.EmailProfile.ServerHostName This value specifies the host name of your Exchange server.
Value type: String
Accepted values: ActiveSync FQDN
Default if not specified: <blank>
Required: Yes
Example: mail.companyname.com
com.microsoft.outlook.EmailProfile.AccountType This value specifies the account type being configured based
on the authentication model.
Value type: String
Accepted values: BasicAuth
Default if not specified: BasicAuth
Required: No
Example: BasicAuth
*Microsoft Intune users can use tokens that will expand to the correct value according to the MDM enrolled user.
See Add app configuration policies for managed iOS devices for more information.
Passwords and security in Outlook for iOS and
Android for Exchange Server
8/23/2019 • 7 minutes to read • Edit Online
This article describes how passwords and security work in Outlook for iOS and Android with Exchange Server
when using Basic authentication with the Exchange ActiveSync protocol.
IMPORTANT
Outlook for iOS and Android supports hybrid Modern Authentication for on-premises mailboxes which eliminates the need
to leverage basic authentication. The information contained in this article only pertains to basic authentication. For more
information, please see Using hybrid Modern Authentication with Outlook for iOS and Android.
NOTE
Outlook will not become inactive simply because the user does not open the app for some time, such as over a weekend or
while on vacation. As long as background app refresh is enabled (which is the default setting for Outlook for iOS and
Android), functions like push notifications and background synchronization of email will count as activity.
Microsoft recommends Exchange ActiveSync for managing the mobile devices that are used to access Exchange
mailboxes in your on-premises environment. Exchange ActiveSync is a Microsoft Exchange synchronization
protocol that lets mobile phones access an organization's information on a server that's running Microsoft
Exchange.
This article focuses on specific Exchange ActiveSync features and scenarios for mobile devices running Outlook for
Android and iOS when authenticating with Basic authentication. Complete information about the Microsoft
Exchange synchronization protocol is available in Exchange ActiveSync. In addition, there is information on the
Office Blog detailing password enforcement and other benefits of using Exchange ActiveSync with devices running
Outlook for iOS and Android.
NOTE
Because device IDs are not governed by any physical device ID, they can change without notice. When this happens, it can
cause unintended consequences when device IDs are used for managing user devices, as existing 'allowed' devices may be
unexpectedly blocked or quarantined by Exchange. Therefore, we recommend administrators only set mobile device policies
that allow/block devices based on device type or device model.
Exchange users in your organization can continue using Outlook on the web for iPhone/iPad/Android apps, or the
built-in mail apps on iOS and Android, to access their Exchange mailboxes.
The following is an example of what a device rule looks like in PowerShell after it's created in the Exchange admin
center.
Device management with Exchange ActiveSync FAQ
The following are frequently asked questions about passwords, PINs, and encryption policies for devices running
Outlook for iOS and Android.
The native Mail application on iOS enforces Exchange ActiveSync policies for password length and complexity
requirements. Why doesn't Outlook?
Outlook takes advantage of the third-party application developer controls that are available to Microsoft. We will
continue to improve this capability as Apple makes more controls available to developers.
Why does Outlook for iOS and Android enforce PINs at the device level, rather than the app level?
After evaluating the capabilities available in iOS and Android, Microsoft believes a device-level PIN delivers the
best experience for customers, in terms of both convenience and security. An app-level PIN means users have to
enter two different PINs in order to access email, which may not be desirable. Further, a device- level PIN means
we can take advantage of features like native device encryption, TouchID on iOS, and Smart Lock on Android.
Remote wipe is still implemented at the app level, which means users' personal applications and data will not be
affected when Outlook is wiped.
Does Outlook for Android support device encryption?
Yes, Outlook for Android supports device encryption via Exchange mobile device mailbox policies. However, prior
to Android 7.0, the availability and implementation of this process varies by Android OS version and device
manufacturer, which allow the user to cancel out during the encryption process. With changes that Google
introduced to Android 7.0, Outlook for Android is now able to enforce encryption on devices running Android 7.0
or later. Users with devices running those operating systems will not be able to cancel out of the encryption
process.
Even if the Android device is unencrypted and an attacker is in possession of the device, as long as a device PIN is
enabled, the Outlook database remains inaccessible. This is true even with USB debugging enabled and the
Android SDK installed. If an attacker attempts to root the device to bypass the PIN to gain access to this
information, the rooting process wipes all device storage and removes all Outlook data. If the device is
unencrypted and rooted by the user prior to being stolen, it is possible for an attacker to gain access to the Outlook
database by enabling USB debugging on the device and plugging the device into a computer with the Android
SDK installed.
Default settings for Exchange virtual directories
8/23/2019 • 2 minutes to read • Edit Online
Exchange Server 2016 and Exchange Server 2019 automatically configure multiple Internet Information Services
(IIS ) virtual directories during the server installation. The tables in the following sections show the settings for the
Client Access (frontend) services on Mailbox servers and the default IIS authentication and Secure Sockets Layer
(SSL ) settings.
Exchange Back End Anonymous authentication SSL required This virtual directory should
Requires 128-bit encryption not be configured by the
user.
See also
Virtual directory management
Outlook on the web in Exchange Server
8/23/2019 • 2 minutes to read • Edit Online
The user interface in Outlook on the web (formerly known as Outlook Web App) for Exchange Server has been
optimized and simplified for use with phones and tablets. Supported web browsers give users access to more
Outlook features. Unsupported web browsers give users the light version of Outlook on the web that has less
features. For more information about features and supported web browsers, see Outlook on the web (formerly
Outlook Web App) and Outlook on the web (formerly Outlook Web App).
When you install Exchange Server, Outlook on the web is automatically available for internal users at
https://<ServerName>/owa (for example, https://mailbox01.contoso.com/owa ). But, you'll likely want to configure
Outlook on the web for external access (for example, https://mail.contoso.com/owa ). For more information, see
Step 4: Configure external URLs in Configure mail flow and client access on Exchange servers.
In an Outlook 2010 or later installation that's connected to an Exchange mailbox, you can typically see the Outlook
on the web URL at File > Info > Account Information in the Account Settings section.
Outlook on the web is provided by the Client Access (frontend) services on Mailbox servers. In Exchange Server,
Client Access services are part of the Mailbox server, so you can't configure a standalone Client Access server like
you could in previous versions of Exchange. For more information, see Client access protocol architecture.
If you're looking for information about Outlook on the web in Office 365, see Welcome to Outlook on the web.
TOPIC DESCRIPTION
View or configure Outlook on the web virtual directories in View and configure the properties of Outlook on the web for
Exchange Server all users that connect to the server.
Configure http to https redirection for Outlook on the web in Redirect Outlook on the web unencrypted http requests to
Exchange Server https.
Create a theme for Outlook on the web in Exchange Server Outlook on the web comes with built-in themes that define
the colors and icons that are used in Outlook on the web, but
you can also create your own themes.
TOPIC DESCRIPTION
Customize the Outlook on the web sign-in, language Customize key pages in Outlook on the web.
selection, and error pages in Exchange Server
Use AD FS claims-based authentication with Outlook on the Centralize Outlook on the web authentication by using Active
web Directory Federation Services.
Enable or disable Outlook on the web access to
mailboxes in Exchange Server
8/23/2019 • 5 minutes to read • Edit Online
Administrators can use the Exchange admin center (EAC ) or the Exchange Management Shell to enable or disable
Outlook on the web access to a mailbox. By default, users can access their mailboxes by using Outlook on the web.
When you disable Outlook on the web access to mailboxes, users can still access their mailboxes by using Outlook
or other email clients.
For additional management tasks related to user access to mailboxes, see these topics:
Enable or disable Exchange ActiveSync access to mailboxes in Exchange Server
Enable or disable POP3 or IMAP4 access to mailboxes in Exchange Server
Enable or disable MAPI access to mailboxes in Exchange Server
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example disables Outlook on the web access to the mailbox named Yan Li.
This example enables Outlook on the web access to the mailbox named Elly Nkya.
Use the Exchange Management Shell to enable or disable Outlook on the web access to multiple mailboxes
You can use the Get-Mailbox, Get-User or Get-Content cmdlets to identify the mailboxes that you want to
modify. For example:
Use the OrganizationalUnit parameter to filter the mailboxes by organizational unit (OU ).
Use the Filter parameter to create OPATH filters that identify the mailboxes. For more information, see
Filterable Properties for the -Filter Parameter.
Use a text file to specify the mailboxes. The text file contains one mailbox (email address, name, or other
unique identifier) on each line like this:
ebrunner@tailspintoys.com
fapodaca@tailspintoys.com
glaureano@tailspintoys.com
hrim@tailspintoys.com
This example disables Outlook on the web access to all user mailboxes in the North America\Finance OU.
This example disables Outlook on the web access to all user mailboxes in the Engineering department in
Washington state.
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and StateOrProvince -
eq 'WA'} | Set-CasMailbox -OWAEnabled $false
This example uses the text file C:\My Documents\Accounts.txt to disable Outlook on the web access to the
specified mailboxes.
For detailed syntax and parameter information, see Get-Mailbox and Get-User.
In the Exchange Management Shell, replace <MailboxIdentity> with the identity of the mailbox (for
example, name, alias, or email address), and run this command:
Use the same filter that you used to identify the mailboxes, but use the Get-CasMailbox cmdlet instead of
Set-CasMailbox. For example:
Get-User -Filter {RecipientType -eq 'UserMailbox' -and Department -like 'Engineering*' -and
StateOrProvince -eq 'WA'} | Get-CasMailbox
In the Exchange Management Shell, run this command to show all mailboxes where Outlook on the web
access is disabled:
You can use the Exchange admin center (EAC ) or the Exchange Management Shell to view or modify the
properties of an Outlook on the web (formerly known as Outlook Web App) virtual directory. Although the name
has changed to Outlook on the web, the name of the virtual directory is still "owa".
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Use the EAC to view or configure Outlook on the web virtual directory
properties
1. In the EAC, go to Servers > Virtual directories.
2. Select the Outlook on the web virtual directory you want to view or configure.
You can use the Select server drop down list to filter the Exchange servers by name.
To only display Outlook on the web virtual directories, select OWA in the Select type drop down
list.
After you select the virtual directory, you can see the following properties and values in the feature pane:
Website (read-only): The default web site is named Default Web Site.
Authentication: The default authentication methods are Basic and FBA (forms-based
authentication).
Outlook on the web version: The default version is Exchange2013 .
External URL: The default value is blank (not configured).
3. To see more properties, or to modify the settings that aren't read only, click Edit ( ). The following tabs
and settings are available:
General tab:
Internal URL: The URL that's used to access Outlook on the web from the internal network.
This value is configured automatically during Exchange Server setup, and the default value is
https:// <Server FQDN>/owa (for example, https://mailbox01.contoso.com/owa).
External URL: The URL that's used to access Outlook on the web from the Internet. The
default value is blank.
For Internet-facing Exchange servers, this is the value that clients use to access Outlook on the
web. To configure this setting, see the Use the EAC to configure the external URL for Outlook
on the web section in this topic.
For Exchange servers that don't have an Internet presence, the leave the External URL value
blank.
Authentication tab:
Use one or more standard authentication methods: Select this option to use one or more
of the following authentication methods:
Integrated Windows authentication: This method requires that users have a valid Active
Directory user account, and the client computer is a member of the same domain as the
Exchange server (or a domain that's trusted by the Exchange server's domain). Users aren't
prompted for their account names and passwords. Instead, the server negotiates with the
Windows security packages that are installed on the client computer. No unencrypted
information is transmitted over the network.
Digest authentication for Windows domain servers: This method requires that users
have a valid Active Directory user account. Passwords are transmitted over the network as a
hash value for additional security.
Basic authentication (password is sent in clear text): This is the default value. When you
use basic authentication, you should require TLS encrypted connections between client
computers and the Exchange server.
Use forms-based authentication: Forms-based authentication provides enhanced security
and allows you to configure the type of prompt that's used to sign-in. However, forms-based
authentication won't provide a secure channel unless TLS is enabled.
Select one of the following logon formats to use with forms-based authentication. The
examples use the account for the user named Valeria Barrios in the contoso.com domain.
Domain\user name For example, CONTOSO\VBarrios. This is the default value.
User principal name (UPN ) For example, vbarrios@contoso.com. Note that if the
UPN doesn't match the email address, users can't access Outlook on the web by using
this method.
User name only For example, VBarrios. This setting requires you to configure the
default domain that's used with all user names. Click Browse in the Logon Domain
property to select the default Active Directory domain. If the user isn't a member of the
specified domain, they're required to enter the domain and user name when they sign
in.
Features tab:
These settings affect all users who connect to the Outlook on the web virtual directory. You can
configure custom Outlook on the web settings for specific users or groups of users by using Outlook
on the web mailbox policies. For more information, see Outlook Web App Mailbox Policies.
Communication management
Instant messaging
Text messaging
Unified Messaging: (In Exchange 2016 only; not available in Exchange 2019)
Exchange ActiveSync
Contacts
All address lists*
Information management
Journaling
Inbox rules*
Recover deleted items*: Disabling this setting doesn't affect the deleted item retention for
mailboxes; it prevents users from viewing or recovering deleted items in Outlook on the web.
Security
Change password
Junk email-filtering: This setting doesn't enable or disable the junk email rule in mailboxes;
it controls the availability of the junk email settings for users in Outlook on the web. For more
information about the junk email rule and junk email filtering in mailboxes, see Configure
Exchange antispam settings on mailboxes.
User experience
Themes
Premium client: If you uncheck this setting, The standard version of Outlook on the web
(formerly known as the premium version of Outlook Web App) is disabled, and all clients are
forced to use the light version of Outlook on the web.
*
Email signature*
Time management*
Calendar*
Tasks*
Reminders and notifications*
* These settings are available after you click More options.
Use the EAC to configure the external URL for Outlook on the web
1. In the EAC, go to Servers > Virtual directories, select the Outlook on the web virtual directory you want
to view or configure, and then click Configure ( ).
You can use the Select server drop down list to filter the Exchange servers by name.
To only display Outlook on the web virtual directories, select OWA in the Select type drop down
list.
2. In the Configure external access domain page that opens, configure the following settings:
Select the servers to use with the external URL: Click Add ( ) and select one or more Exchange
servers that external clients will use to connect to Outlook on the web (don't select internal only
servers).
Enter the domain name you will use with your external servers: Enter the FQDN that external
clients will use to connect to Outlook on the web (for example, mail.contoso.com). Note that this
value needs to be configured and resolvable in your organization's public DNS.
When you're finished, click Save.
Reset an Outlook on the web virtual directory
If an Outlook on the web virtual directory isn't working the way you expect, you can reset it. The virtual directory is
deleted and recreated with the default settings. Although any customized settings are lost, you're forced to select a
location for a text document to backup the current settings.
1. In the EAC, go to Servers > Virtual directories, select the Outlook on the web virtual directory you want
to view or configure, and then click Reset ( ).
You can use the Select server drop down list to filter the Exchange servers by name.
To only display Outlook on the web virtual directories, select OWA in the Select type drop down
list.
2. In the Warning page that opens, specify the UNC path of the file to save the current virtual directory
settings (for example, \ <Server>\ <Share>\owavdir.txt or \ <LocalServerName>\c$\owavdir.txt).
When you're finished, click Reset.
3. Restart IIS by using either of the following methods:
IIS Manager:
a. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or
later is to press Windows key + Q, type inetmgr, and select Internet Information Services
(IIS ) Manager in the results.
b. In IIS Manager, select the server.
c. In the Actions pane, click Restart.
Command prompt:
Open an elevated command prompt on the Exchange server (a Command Prompt window you open by
selecting Run as administrator) and run the following commands:
This example returns a summary list of all Outlook on the web virtual directories on all Exchange servers in the
organization.
Get-OWAVirtualDirectory
This example returns detailed information for the Outlook on the web virtual directory in the default website on
the Exchange server named Mailbox01.
Get-OWAVirtualDirectory -Identity "Mailbox01\owa (Default Web Site)" | Format-List
This example returns the authentication methods and settings for the same virtual directory:
Note: Not every setting is applicable to Exchange 2016 or Exchange 2019 (for example, SpellCheckerEnabled).
For detailed syntax and parameter information, see Get-OWAVirtualDirectory.
PARAMETER FUNCTION
AllowedFileTypes Defines the file types for direct file access (traditional file
BlockedFileTypes attachments an embedded MIME files) in Outlook on the web
ForceSaveFileTypes (not in other email clients).
AllowedMimeTypes
BlockedMimeTypes
ForceSaveMimeTypes
ActionForUnknownFileAndMIMETypes
DefaultTheme Specifies the default theme that's used in Outlook on the web.
Note: Not all of the available parameters apply to Exchange 2016 or Exchange 2019 (for example,
SpellCheckerEnabled).
To use the Exchange Management Shell to configure the properties of Outlook on the web virtual directories, use
the following syntax:
This example enables configures direct file access in Outlook on the web to block file types that aren't specifically
defined in the Allow list (the default action is allow ).
By default in Exchange Server, the URL https://<ServerName> redirects users to https://<ServerName>/owa. But,
if anyone tries to access Outlook on the web (formerly known as Outlook Web App) by using
http://<ServerName> or http://<ServerName>/owa, they'll get an error.
You can configure http redirection for Outlook on the web so that requests for http://<ServerName> or
http://<ServerName>/owa are automatically redirected to https://<ServerName>/owa. This requires the
following configuration steps in Internet Information Services (IIS ):
1. Remove the Require SSL setting from the default website.
2. Restore the Require SSL setting on other virtual directories in the default website that had it enabled by
default (except for /owa).
3. Configure the default website to redirect http requests to the /owa virtual directory.
4. Remove http redirection from all virtual directories in the default website (including /owa).
5. Reset IIS for the changes to take effect.
For the default SSL and http redirect settings on all virtual directories in the default website, see the Default
Require SSL and HTTP Redirect settings in the default website on an Exchange server section at the end of this
topic.
Step 1: Use IIS Manager to remove the Require SSL setting from the
default website
1. Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to
press Windows key + Q, type inetmgr, and select Internet Information Services (IIS ) Manager in the
results.
2. Expand the server, and expand Sites.
3. Select Default Web Site. and verify Features View is selected at the bottom of the page.
4. In the IIS section, double-click SSL Settings.
5. On the SSL Settings page, clear the Require SSL check box, and in the Actions pane, click Apply.
Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange
server (a Command Prompt window you open by selecting Run as administrator) and run the following
command:
Step 2: Use IIS Manager to restore the Require SSL setting on other
virtual directories in the default website
When you change the Require SSL setting on a website in IIS, the setting is automatically inherited by all virtual
directories in the website. Because we're only interested in configuring Outlook on the web, you need to restore the
Require SSL setting for other virtual directories that had it enabled by default.
Based on the information in the Default Require SSL and HTTP Redirect settings in the default website on an
Exchange server section, use the following procedure to restore the setting on the other virtual directories where
Require SSL was enabled by default:
1. In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
2. Select the virtual directory, and verify Features View is selected at the bottom of the page.
3. In the IIS section, double-click SSL Settings.
4. On the SSL Settings page, select the Require SSL check box, and in the Actions pane, click Apply.
5. Repeat the previous steps on each virtual directory in the default website that had Require SSL enabled by
default (except for /owa). The only virtual directories that don't have Require SSL enabled by default are
/PowerShell and /Rpc.
Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual
directory, and run the following command in an elevated command prompt:
Note: To perform this procedure on the command line, open an elevated command prompt and run the following
command:
Step 4: Use IIS Manager to remove http redirection from all virtual
directories in the default website
When you enable redirection on a website in IIS, the setting is automatically inherited by all virtual directories in
the website. Because we're only interested in configuring redirection for the default website, you need to remove
the redirect setting from all virtual directories. By default, no directories or virtual directories in the default website
are enabled for redirection. For more information, see the Default Require SSL and HTTP Redirect settings in the
default website on an Exchange server section.
Use the following procedure to remove the redirect setting from all virtual directories in the default website
(including /owa):
1. In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
2. Select the virtual directory, and verify Features View is selected at the bottom of the page.
3. In the IIS section, double-click HTTP Redirect.
8. Repeat the previous steps on each virtual directory in the default website.
Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual
directory, and run the following command in an elevated command prompt:
Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange
server and run the following commands:
Default Require SSL and HTTP Redirect settings in the default website
on an Exchange server
The default Require SSL and HTTP Redirect settings for the default website and all virtual directories in the
default website on an Exchange server are described in the following table.
Subdirectories:
• auth: yes
• Calendar: no
• Integrated: yes
• oma: yes
You can configure mailbox policies in Exchange Server for Outlook on the web through the Exchange admin center
(EAC ) or Exchange Management Shell. After you create an Outlook on the web mailbox policy, you can then
configure a variety of options to control the features available to users in Outlook on the web. For example, you can
enable or disable Inbox rules or create a list of allowed file types for attachments.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Use the EAC to view or configure Outlook on the web mailbox policies
1. In the EAC, click Permissions > Outlook Web App policies.
2. In the result pane, click to select the mailbox policy you want to view or configure.
3. Click Edit.
4. On the General tab, you can view and edit the name of the policy.
5. On the Features tab, use the check boxes to enable or disable features. By default, the most common
features are displayed. To see all features that can be enabled or disabled, click More options.
Notes:
Features settings for Outlook on the web mailbox policies override Outlook on the web virtual
directory settings. You can change segmentation settings for individual users by using the Set-
CASMailbox cmdlet in the Exchange Management Shell.
The option to enable or disable the standard version of Outlook on the web by using the Premium
client check box has been deprecated and will be removed from the settings. The standard version of
Outlook on the web is always enabled.
6. On the File Access tab, use the check boxes to configure the file access and viewing options for users. File
access lets a user open or view the contents of files attached to an email message.
File access can be controlled based on whether a user has signed in on a public or private computer. The
option for users to select private computer access or public computer access is available only when you're
using forms-based authentication. All other forms of authentication default to private computer access.
Direct file access: Select this check box if you want to enable direct file access. Direct file access lets
users open files attached to email messages.
WebReady Document Viewing: Select this check box if you want to enable supported documents
to be converted to HTML and displayed in a web browser.
Force WebReady Document Viewing when a converter is available: Select this check box if you
want to force documents to be converted to HTML and displayed in a web browser before users can
open them in the viewing application. Documents can be opened in the viewing application only if
direct file access has been enabled.
7. On the Offline access tab, use the option buttons to configure offline access availability.
8. Click Save to update the policy.
See also
Outlook on the web mailbox policies procedures
Create a theme for Outlook on the web in Exchange
Server
8/23/2019 • 11 minutes to read • Edit Online
A theme defines the colors, fonts, and images that are displayed to users in Outlook on the web (formerly known
as Outlook Web App) in Exchange Server. Each theme is a collection of files that are stored on the Exchange server.
The built-in themes are described in the Default Outlook on the web themes in Exchange Server section at the end
of this topic.
The basic steps to create a new theme for Outlook on the web are:
1. Copy the folders and files of an existing theme, and rename the copied folders and files.
2. Configure the display name and sort order of the new theme.
3. Customize the new theme.
4. (Optional) Set the new theme as the default, and prevent users from selecting themes.
5. (Optional) Allow users to see and select the new theme
6. Restart IIS for the changes to take affect.
If you use multiple Exchange servers for Outlook on the web client connections, you need to copy the new theme
to each server. You should also create a backup copy of the new theme so you can copy the files back after you
reinstall or upgrade the Exchange server.
After you create a theme, you may also want to customize elements that are common to all themes. For more
information, see Customize the Outlook on the web sign-in, language selection, and error pages in Exchange
Server.
Step 1: Use File Explorer to copy the folders and files of an existing
theme, and rename the copied folders and files
You can inspect the built-in themes by opening a mailbox in Outlook on the web, selecting Settings, and then
selecting Change theme.
You can use the information in the Default Outlook on the web themes in Exchange Server section at the end of
this topic to match the display name of the theme in Outlook on the web to the name of the theme folder on the
Exchange server.
The theme files and folders are stored in the following locations:
%ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\themes\ contains the theme folder
that holds the header image, theme preview image, and theme description text.
%ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\styles\ contains the
_fabric.color.variables.theme.<ThemeFolderName>.less and fabric.color.theme.<ThemeFolderName>.css files
that define the colors that are used in the theme.
Note: The <ExchangeVersion> subfolder uses the syntax 15.1. nnn. nn, and indicates the Exchange
Cumulative Update (CU ) that's installed.
After you've identified the theme that's closest to what you want (for example, with or without a header image),
you need to copy the theme folder and the corresponding files, and then rename the copied folders and files
1. In File Explorer, browse to %ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\themes .
2. Select an existing theme folder in the \themes folder, copy it, and then paste it back into the \themes folder.
This results in a new folder named <ThemeFolderName> - Copy .
Note: An easy way to copy and paste the theme folder is to select the folder, press the Control key + C, and
then press the Control key + V.
3. Rename the new theme folder that you created in the previous step. For example, fourthcoffee .
Note: An easy way to rename the folder is to select it, and then press the F2 key.
4. In File Explorer, browse to %ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\styles\ .
5. Locate the files named _fabric.color.variables.theme.<ThemeFolderName>.less and
fabric.color.theme.<ThemeFolderName>.css that correspond to the theme folder you copied in step 2. Select
each file, copy it, and paste it back into the \styles folder. This results in new files named
_fabric.color.variables.theme.<ThemeFolderName> - Copy.less and
fabric.color.theme.<ThemeFolderName> - Copy.css .
6. Rename the new files that you created in the previous step. The <ThemeFolderName> value must match
the folder name from step 3. For example, _fabric.color.variables.theme.fourthcoffee.less and
fabric.color.theme.fourthcoffee.css .
Step 2: Use Notepad to configure the display name and sort order of
the new theme
You need to configure a unique display name and sort order for the new theme, because the new theme has the
same display name and sort order as the theme you copied. The theme's display name appears in the Change
theme panel in Outlook on the web. The sort order determines where the theme appears in the list of themes.
1. Use Notepad to open the file named themeinfo.xml in the new theme folder
%ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\themes\<NewThemeFolder> that you
created in Step 1. The contents of the file look like this:
<theme displayname="__<CopiedThemeName>__" sortorder="<CopiedThemeSortOrder>"/>
2. Change the displayname="__<CopiedThemeName>__" value to the value you want. For example
displayname = "Fourth Coffee Corporate Theme" .
Note: The theme display name value "__<ThemeName>__" is a code string that's localized into different
languages. The text value that you specify for the new theme isn't localized into different languages.
3. Change the sortorder="<CopiedThemeSortOrder>" integer value to the unique value you want. A lower value
appears earlier in the list of themes. You can use the information in the Default Outlook on the web themes
in Exchange Server section at the end of this topic to find the sort order values for the built-in themes. The
Default theme has sortorder="0" , and appears first in the list.
If you want to insert your new theme among the list of built-in themes, change the number to a
unique value that isn't already in use. For example, if you want your new theme to appear second in
the list, you can use the value sortorder="5" .
If you want to replace the position of a built-in theme in the list, set the number to the same value as
built-in theme, and then change the sort order for the built-in theme. For example, if you want your
new theme to appear first in the list, you need to set your new theme to sortorder="0" . But, you also
need to open the themeinfo.xml file in the \base folder (the Default theme) to change the value
sortorder="0" to something else (for example, sortorder="5") .
You can edit the existing image file, or replace the file with a new file that has the same name and dimensions.
Colors
Theme colors are defined in the following files in the
%ExchangeInstallPath%ClientAccess\OWA\prem\<ExchangeVersion>\resources\styles folder:
fabric.color.theme.<ThemeFolderName>.css
_fabric.color.variables.<ThemeFolderName>.less
If you change a color value, you need to change all references to the color in both files.
Step 4: (Optional) Set the default theme and prevent users from
selecting a theme
Setting a new default theme only affects users who haven't manually selected their theme. To force all users to use
the default theme, you also need to disable theme selection in Outlook on the web. These settings affect all users
who connect to Outlook on the web through the Exchange server.
To set the default theme and prevent users from changing their theme in Outlook on the web, use the following
syntax:
Notes:
By default, the value of the DefaultTheme parameter is blank ( $null ). This value indicates that no default
theme is specified, and the theme named Default is used if the user hasn't manually selected a theme.
Exchange doesn't validate the value that you specify for the DefaultTheme parameter. Make sure that the
theme exists.
To specify a default theme for specific users that overrides the default theme setting on the Outlook on the
web virtual directory, use the DefaultTheme parameter on the Set-OwaMailboxPolicy cmdlet.
This example adds a new line in the stylemanifest.xml file for the new fourthcoffee theme.
<themeVariables themeName="fourthcoffee" fileName="_fabric.color.variables.theme.fourthcoffee.less" />
Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange
server (a Command Prompt window you open by selecting Run as administrator) and run the following
command:
The Outlook on the web (formerly known as Outlook Web App) sign-in, language selection, and error pages are
based on image and content style sheet (CSS ) files in the themes resources folder in the Client Access (front end)
services on an Exchange Server 2016 or Exchange 2019 server. Outlook on the web uses only one set of sign-in,
language selection, and error pages for all themes. Any modifications to those pages will be seen by all users who
connect to the Exchange server for Outlook on the web.
Notes:
Backup the default Outlook on the web files before you make any changes.
Create a back-up copy of your customized files so you can reapply them after a reinstallation or upgrade of
the Exchange server.
If you use multiple Exchange servers for Outlook on the web connections, you need to copy the modified
files to each server.
For more information about Outlook on the web, see Outlook on the web in Exchange Server. For information
about creating a custom theme, see Create a theme for Outlook on the web in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Notepad.exe
%ExchangeInstallPath%ClientAccess\Owa\Current2\version\resources\styles\languageselection.css
2. In the languageselection.css file, replace the default blue color value #0072c6 with the HTML RGB value
that you want to use.
3. When you're finished, save and close the file.
DIMENSIONS (WIDTH X
IMAGE FILE NAME LOCATION HEIGHT IN PIXELS) BIT DEPTH
1 favicon.ico 16 x 16 32
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\
<ExchangeVersion>\themes\resources
3 owa_text_blue.png 300 x 76 32
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\
<ExchangeVersion>\themes\resources
DIMENSIONS (WIDTH X
IMAGE FILE NAME LOCATION HEIGHT IN PIXELS) BIT DEPTH
4 Sign_in_arrow.png 22 x 22 32
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\
(for left-to-right <ExchangeVersion>\themes\resources
languages)
Sign_in_arrow_rtl.png
(for right-to-left
languages)
6 office_logo_white_sma 81 x 26
%ExchangeInstallPath%ClientAccess\Owa\prem\ 8
ll.png <ExchangeVersion>\resources\images\0
(for left-to-right
languages)
%ExchangeInstallPath%ClientAccess\Owa\prem\
<ExchangeVersion>\resources\images\rtl
(for right-to-left
languages)
Installing and configuring Active Directory Federation Services (AD FS ) in Exchange Server organizations allows
clients to use AD FS claims-based authentication to connect to Outlook on the web (formerly known as Outlook
Web App) and the Exchange admin center (EAC ). Claims-based identity is another approach to authentication that
removes authentication management from the application, and makes it easier for you to manage accounts by
centralizing authentication. When claims-based authentication is enabled, Outlook on the web and the EAC aren't
responsible for authenticating users, storing user accounts and passwords, looking up user identity details, or
integrating with other identity systems. Centralizing authentication helps make it easier to upgrade authentication
methods in the future.
AD FS claims-based authentication replaces the traditional authentication methods that are available for Outlook
on the web and the EAC. For example:
Active Directory client certificate authentication
Basic authentication
Digest authentication
Forms authentication
Windows authentication
Setting up AD FS claims-based authentication for Outlook on the web and the EAC in Exchange Server involves
the following additional servers:
A Windows Server 2012 or later domain controller (Active Directory Domain Services server role).
A Windows Server 2012 or later AD FS server (Active Directory Federation Services server role). Windows
Server 2012 uses AD FS 2.1, and Windows Server 2012 R2 uses AD FS 3.0. You need to be a member of
the Domain Admins, Enterprise Admins, or local Administrators security group to install AD FS, and to
create the required relying party trusts and claim rules on the AD FS server.
Optionally, a Windows Server 2012 R2 or later Web Application Proxy server (Remote Access server role,
Web Application Proxy role service).
Web Application Proxy is a reverse proxy server for web applications that are inside the corporate
network. Web Application Proxy allows users on many devices to access published web applications
from outside the corporate network. For more information, see Installing and Configuring Web
Application Proxy for Publishing Internal Applications.
Although Web Application Proxy is typically recommended when AD FS is accessible to external
clients, offline access in Outlook on the web isn't supported when using AD FS authentication
through Web Application Proxy.
Installing Web Application Proxy on a Windows Server 2012 R2 server requires local administrator
permissions.
You need to deploy and configure the AD FS server before you configure the Web Application Proxy
server, and you can't install Web Application Proxy on the same server where AD FS is installed.
What do you need to know before you begin?
Estimated time to complete this procedure: 45 minutes.
The procedures in this topic are based on Windows Server 2012 R2.
Outlook on the web for devices doesn't support AD FS claims-based authentication.
For the procedures in the Exchange organization, you need to have Organization Management permissions.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
For more information, see the "Certificate requirements" section in Review the requirements for deploying AD FS.
NOTE
Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent
between computer systems. They're so closely related that the terms "SSL" and "TLS" (without versions) are often used
interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the
Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to
the actual SSL protocol only when a version is also provided (for example, SSL 3.0). To find out why you should disable the
SSL protocol and switch to TLS, check out Protecting you against the SSL 3.0 vulnerability.
2. The Add Roles and Features Wizard opens. You'll start on the Before you begin page unless you
previously selected Skip this page by default. Click Next.
3. On the Select installation type page, verify that Role-based or feature-based installation is selected,
and then click Next.
4. On the Select destination server page, verify the server selection, and then click Next.
5. On the Select server roles page, select Active Directory Federation Services from the list, and then
click Next.
6. On the Select features page, click Next (accept the default feature selections).
7. On the Active Directory Federation Services (AD FS ) page, click Next.
8. Windows Server 2012 only: On the Select role services page, click Next (accept the default role service
selections).
9. On the Confirm installation selections page, click Install.
10. On the Installation progress page, you can watch the progress bar to verify that the installation was
successful. When the installation is finished, leave the wizard open so you can click Configure the
federation service on this server in Step 3b: Configure the AD FS server.
To use Windows PowerShell to install AD FS, run the following command:
Guid
----
2570034b-ab50-461d-eb80-04e73ecf142b
2. To create a new gMSA account for the AD FS server, use the following syntax:
This example creates a new gMSA account named FSgMSA for the Federation Service named
adfs.contoso.com. The Federation Service name is the value that's visible to clients.
If you closed the Add Roles and Features Wizard or you used Windows PowerShell to install AD FS, you
can get to the same place in Server Manager by clicking Notifications, and then clicking Configure the
federation service on this server in the Post-deployment Configuration warning.
2. The Active Directory Federation Services Wizard opens. On the Welcome page, verify Create the first
federation server in a federation server farm is selected, and then click Next.
3. On the Connect to Active Directory Federation Services page, select a domain administrator account in
the domain where the AD FS server resides (your current credentials are selected by default). If you need to
select a different user, click Change. When you're finished, click Next.
4. On the Specify Service Properties page, configure the following settings:
SSL Certificate: Import or select the SSL certificate that contains the federation service name that
you configured in Step 3a: Create a gMSA on a domain controller (for example adfs.contoso.com ).
When you import a certificate that isn't already installed on the server, you need to import a .pfx file
(likely, a password-protected file that contains the certificate's private key). The common name (CN )
value in the certificate's Subject field is displayed here.
Federation Service Name: This field is automatically populated based on the type of SSL certificate
that you select or import:
Single subject certificate: The CN value of the certificate's Subject field is displayed, and you
can't change it (for example, adfs.contoso.com ).
SAN certificate: If the certificate contains the required federation service name, that value is
displayed (for example, adfs.contoso.com ). You can use the drop down list to see other CN
values in the certificate.
Wildcard certificate: The CN value of the certificate's Subject field is displayed (for example,
*.contoso.com ), but you need to change it to the required federation service name (for
example, adfs.contoso.com ).
Note: If the certificate you select doesn't contain the required federation service name (the
Federation Service Name field doesn't contain the required value), you'll receive the following
error:
The federation service name does not match any of the subject names found in the certificate.
Federation Service Display Name: Enter the name of your organization. For example, Contoso,
Ltd..
When you're finished, click Next.
5. On the Specify Service Account page, configure the following settings:
Select Use an existing domain user account or group Managed Service Account.
Account Name: Click Select and enter the gMSA account that you created in Step 3a: Create a
gMSA on a domain controller (for example, FSgMSA ). Note that after you select it, the value that's
displayed is <Domain>\<gMSAAccountName>$ (for example, CONTOSO\FSgMSA$ ).
When you're finished, click Next.
6. On the Specify Configuration Database page, verify that Create a database on this server using
Windows Internal Database is selected, and then click Next.
7. On the Review Options page, verify your selections. You can click View Script button to copy the
Windows PowerShell equivalent of the selections that you made for future use. When you're finished, click
Next.
8. On the Pre-requisite Checks page, verify that all the prerequisite checks were successfully completed, and
then click Configure.
9. On the Results page, review the results, verify that the configuration completed successfully. You can click
Next steps required for completing your federation service deployment if you want to read about
the next steps (for example, configuring DNS ). When you're finished, click Close.
To use Windows PowerShell to configure AD FS, follow these steps:
1. Run the following command on the AD FS server to find the thumbprint value of the installed certificate
that contains adfs.contoso.com :
Import-Module ADFS
Federation gMSA SAM account name and domain: For example, for the gMSA account named FSgMSA
in the contoso.com domain, the required value is contoso\FSgMSA$ .
Notes:
When you create the gMSA, the $ is automatically appended to the Name value to create the
SamAccountName value, which is required here.
The escape character (```) is required for the $ in the SamAccountName.
For details and syntax, see Install-AdfsFarm.
Step 3c: Test the AD FS server
After you configure AD FS, you can verify the installation on the AD FS server by successfully opening the URL of
the federation metadata in a web browser. The URL uses the syntax
https://<FederationServiceName>/federationmetadata/2007-06/federationmetadata.xml . For example,
https://adfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml .
Step 4: Create a relying party trust and custom claim rules in AD FS for
Outlook on the web and the EAC
On the Exchange server, Outlook on the web uses the virtual directory named owa and the EAC uses the
virtual directory named ecp .
The trailing slash ( / ) that's used in the Outlook on the web and EAC URL values is intentional. It's
important that the AD FS relying party trusts and Exchange Audience URI's are identical. They both must
have or both must omit the trailing slashes in their URLs. The examples in this section contain the trailing
slashes after the owa and ecp URLs ( owa/ and ecp/ ).
In organizations with multiple Active Directory sites that use separate namespaces (for example,
eu.contoso.com and na.contoso.com ), you need to configure relying party trusts for each namespace for
both Outlook on the web and the EAC.
Step 4a: Create relying party trusts in AD FS for Outlook on the web and the EAC
To create the relying party trusts on the AD FS server, you can use the AD FS Management console or Windows
PowerShell.
To use the AD FS Management console to create the relying party trusts, follow these steps:
Note: You need to go through these steps twice: once for Outlook on the web, and once for the EAC. The only
difference is the values that you enter in steps 5 and 8 (the Specify Display Name and Configure URL pages in
the wizard).
1. In Server Manager, click Tools, and then select AD FS Management.
2. In the AD FS Management console, expand Trust Relationships and then select Relying Party Trusts. In
the Actions pane, select Add Relying Party Trust.
3. The Add Relying Party Trust Wizard opens. On the Welcome page, click Start.
4. On the Select Data Source page, select Enter data about the relying party manually, and then click
Next.
7. On the Configure Certificate page, click Next (don't specify an optional token encryption certificate).
8. On the Configure URL page, select Enable support for the WS -Federation Passive protocol, and in
Relying party WS -Federation Passive protocol URL, enter the following information:
Outlook on the web: Type your external Outlook on the web URL (for example,
https://mail.contoso.com/owa/).
9. On the Configure Identifiers page, click Next (the URL from the previous step is listed in Relying party
trust identifiers).
10. On the Configure Multi-factor Authentication Now? page, verify that I do not want to configure
multi-factor authentication settings for this relying party trust at this time is selected, and then click
Next.
11. On the Choose Issuance Authorization Rules page, verify Permit all users to access this relying party
is selected, and then click Next.
12. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust
information.
13. On the Finish page, uncheck Open the Edit Claim Rules dialog for this relying party trust when the
wizard closes, and then click Close.
To use Windows PowerShell prompt to create the relying party trusts, follow these steps:
1. In an elevated Windows PowerShell window, run the following command:
Import-Module ADFS
Add-AdfsRelyingPartyTrust -Name <"Outlook on the web" | EAC> -Notes "This is a trust for <OotwURL |
EACURL>" -Identifier <OotwURL | EACURL> -WSFedEndpoint <OotwURL | EACURL> -IssuanceAuthorizationRules
'@RuleTemplate = "AllowAllAuthzRule" => issue(Type =
"http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' -IssueOAuthRefreshTokensTo
NoDevice
This example creates a relying party trust for Outlook on the web using the following values:
Name: Outlook on the web
Notes: This is a trust for https://mail.contoso.com/owa/
Identifier: https://mail.contoso.com/owa/
WSFedEndpoint: https://mail.contoso.com/owa/
This example creates a relying party trust for the EAC using the following values:
Name: EAC
Notes: This is a trust for https://mail.contoso.com/ecp/
Identifier: https://mail.contoso.com/ecp/
WSFedEndpoint: https://mail.contoso.com/ecp/
Step 4b: Create custom claim rules in AD FS for Outlook on the web and the EAC
For both Outlook on the web and the EAC, you need to create two claim rules:
Active Directory user SID
Active Directory UPN
To create the claim rules on the AD FS server, you can use the AD FS Management console or Windows
PowerShell.
To use the AD FS Management console to create the claim rules, follow these steps:
Note: You need to go through these steps twice: once for Outlook on the web, and once for EAC. The only
difference is the relying party trust that you select in the first step. All other values in the procedure are identical.
To add the required claims rules:
1. In the AD FS Management console, expand Trust Relationships select Relying Party Trusts, and then
select the Outlook on the web or EAC relying party trust. In the Actions pane, select Edit Claim Rules.
2. In the Edit Claim Rules for <RuleName> window that opens, verify that the Issuance Transform Rules
tab is selected, and then click Add Rule.
3. The Add Transform Claim Rule Wizard opens. On the Select Rule Template page, click the Claim rule
template drop down, and then select Send Claims Using a Custom Rule. When you're finished, click
Next.
6. The Add Transform Claim Rule Wizard opens. On the Select Rule Template page, click the Claim rule
template drop down, and then select Send Claims Using a Custom Rule. When you're finished, click
Next.
7. On the Configure Rule page, enter the following information:
Claim rule name: Enter a descriptive name for the claim rule. For example, ActiveDirectoryUPN.
Custom rule: Copy and paste the following text:
Import-Module ADFS
To create the custom claim rules in the existing relying party trust named Outlook on the web, run the following
command:
To create the custom claim rules in the existing relying party trust named EAC, run the following command:
Set-AdfsRelyingPartyTrust -TargetName EAC -IssuanceTransformRules '@RuleName = "ActiveDirectoryUserSID" c:
[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD
AUTHORITY"] => issue(store = "Active Directory", types =
("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param =
c.Value); @RuleName = "ActiveDirectoryUPN" c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] =>
issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query
= ";userPrincipalName;{0}", param = c.Value);'
2. The Add Roles and Features Wizard opens. You'll start on the Before you begin page unless you
previously selected Skip this page by default. Click Next.
3. On the Select installation type page, verify that Role-based or feature-based installation is selected,
and then click Next.
4. On the Select destination server page, verify the server selection, and then click Next.
5. On the Select server roles page, select Remote Access in the list of roles, and then click Next.
6. On the Features page, click Next (accept the default feature selections).
7. On the Remote Access page, read the information, and then click Next.
8. On the Select role services page, select Web Application Proxy. In the add features dialog box that
opens, click Add Features to accept the default values and close the dialog box. Back on the Select role
services page, click Next.
9. On the Confirm installation selections page, click Install.
10. On the Installation progress page, watch the progress bar to verify that the installation was successful.
When the installation is finished, leave the wizard open so you can click Open the Web Application
Proxy Wizard in the next step (5b).
To use Windows PowerShell to install Web Application Proxy, run the following command:
If you closed the Add Roles and Features Wizard or you used Windows PowerShell to install Web
Application Proxy, you can get to the same place by clicking Notifications, and then clicking Open the
Web Application Proxy Wizard in the Post-deployment Configuration warning.
2. The Web Application Proxy Configuration Wizard opens. On the Welcome page, click Next.
3. On the Federation Server page, enter the following information:
Federation service name: For example, adfs.contoso.com .
User name and Password: Type the credentials of a local administrator account on the AD FS
server.
When you're finished, click Next.
4. On the AD FS Proxy Certificate page, select an installed certificate that contains the federation service
name (for example adfs.contoso.com ). You can select a certificate in the drop down list, and then click View
> Details to see more information about the certificate. When you're finished, click Next.
5. On the Confirmation page, review the settings. You can copy the Windows PowerShell command to
automate additional installations (in particular, the certificate thumbprint value). When you're finished, click
Configure.
6. On the Results page, verify that the configuration was successful, and then click Close.
To use Windows PowerShell to configure Web Application Proxy, follow these steps:
1. Run the following command on the Web Application Proxy server to find the thumbprint value of the
installed certificate that contains adfs.contoso.com :
2. Run the following command, and enter the username and password of a local administrator account on the
AD FS server.
$ADFSServerCred = Get-Credential
This example configure the Web Application Proxy server with the following settings:
Federation service name: adfs.contoso.com
AD FS SSL certificate thumbprint: The *.contoso.com certificate that has the thumbprint value
5AE82C737900B29C2BAC3AB6D8C44D249EE05609 .
Step 5c: Publish the claims relying party trusts for Outlook on the web and the EAC in Web Application Proxy
To publish the relying party trusts in Web Application Proxy, you can use the Remote Access Management console
or Windows PowerShell.
To use the Remote Access Management console, follow these steps:
Note: You need to go through these steps twice: once for Outlook on the web, and once for EAC. The required
settings are described in the procedure.
1. Open the Remote Access Management console on the Web Application Proxy server: in Server Manager,
click Tools > Remote Access Management.
2. In the Remote Access Management console, under Configuration, click Web Application Proxy, and
then in the Tasks pane, click Publish.
3. The Publish New Application Wizard opens. On the Welcome page, click Next.
4. On the Preauthentication page, verify Active Directory Federation Services (AD FS ) is selected, and
then click Next.
5. On the Relying Party page, select the relying party that you created on the AD FS server in Step 4: Create
a relying party trust and custom claim rules in AD FS for Outlook on the web and the EAC:
For Outlook on the web: Select Outlook on the web.
For the EAC: Select EAC.
When you're finished, click Next.
6. On the Publishing Settings page, enter the following information:
For Outlook on the web
Name: For example, Outlook on the web . This name is only visible in the Remote Access
Management console.
External URL: For example, https://mail.contoso.com/owa/ .
External certificate: Select an installed certificate that contains the host name of the external
URL for Outlook on the web (for example, mail.contoso.com ). You can select a certificate in
the drop down list, and then click View > Details to see more information about the
certificate.
Backend server URL: This value is automatically populated by the External URL. You only
need to change it if the backend server URL is different from the external URL. For example,
https://server01.contoso.com/owa/ . Note that the paths in the external URL and backend
server URL must match ( /owa/ ), but the host name values can be different (for example,
mail.contoso.com and server01.contoso.com ).
For the EAC
Name: For example, EAC . This name is only visible in the Remote Access Management
console.
External URL: The external URL for the EAC. For example, https://mail.contoso.com/ecp/.
External certificate: Select an installed certificate that contains the host name of the external
URL for the EAC (for example, mail.contoso.com ). The certificate is likely a wildcard certificate
or SAN certificate. You can select a certificate in the drop down list, and then click View >
Details to see more information about the certificate.
Backend server URL: This value is automatically populated by the External URL. You only
need to change it if the backend server URL is different from the external URL. For example,
https://server01.contoso.com/ecp/ . Note that the paths in the external URL and backend
server URL must match ( /ecp/ ), but the host name values can be different (for example,
mail.contoso.com and server01.contoso.com ).
7. On the Confirmation page, review the settings. You can copy the Windows PowerShell command to
automate additional installations (in particular, the certificate thumbprint value). When you're finished, click
Publish.
8. On the Results page, verify that the application published successfully, and then click Close.
To use Windows PowerShell to publish the relying party trusts, follow these steps:
1. Run the following command on the Web Application Proxy server to find the thumbprint of the installed
certificate that contains the host name of the Outlook on the web and EAC URLs (for example,
mail.contoso.com ):
This example publishes Outlook on the web in Web Application Proxy with the following settings:
AD FS relying party: Outlook on the web
Name: Outlook on the web
External URL: https://mail.contoso.com/owa/
External certificate thumbprint: The *.contoso.com certificate that has the thumbprint value
5AE82C737900B29C2BAC3AB6D8C44D249EE05609 .
Backend server URL: https://mail.contoso.com/owa/
This example publishes the EAC in Web Application Proxy with the following settings:
Name: EAC
External URL: https://external.contoso.com/ecp/
External certificate thumbprint: The *.contoso.com certificate that has the thumbprint value
5AE82C737900B29C2BAC3AB6D8C44D249EE05609 .
Backend server URL: https://mail.contoso.com/ecp/
Note: All AD FS endpoints that you want to publish through Web Application Proxy need to be proxy enabled. You
do this in the AD FS Management console at Service > Endpoints (verify that Proxy Enabled is Yes for the
specified endpoint).
Look for the Subject value CN=ADFS Signing - <FederationServiceName> (for example,
CN=ADFS Signing - adfs.contoso.com ).
You can confirm this thumbprint value on the AD FS server in an elevated Windows PowerShell window by
running the command Import-Module ADFS , and then running the command
Get-AdfsCertificate -CertificateType Token-Signing .
This example configures the EAC virtual directory in the default web site on the server named Mailbox01:
This example configures the Outlook on the web virtual directory in the default we site on the server named
Mailbox01:
Note: To configure all EAC and Outlook on the web virtual directories on every Exchange server in your
organization, run the following commands:
Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange
server (a Command Prompt window you open by selecting Run as administrator) and run the following
commands:
Additional considerations
Multifactor authentication
Deploying and configuring AD FS for claims-based authentication allows Outlook on the web and the EAC to
support multifactor authentication, such as certificate-based authentication, authentication or security tokens, and
fingerprint authentication. Multifactor authentication requires two of these three authentication factors:
Something only the user knows (for example, the password, PIN, or pattern).
Something only the user has (for example, an ATM card, security token, smart card, or mobile phone).
Something only the user is (for example, a biometric characteristic, such as a fingerprint).
For example, a password and a security code that's sent to a mobile phone, or a PIN and a fingerprint.
For details on multifactor authentication in Windows Server 2012 R2, see Overview: Manage Risk with Additional
Multi-Factor Authentication for Sensitive Applications and Walkthrough Guide: Manage Risk with Additional
Multi-Factor Authentication for Sensitive Applications.
On the AD FS server, the federation service functions as a security token service, and provides the security tokens
that are used with claims. The federation service issues tokens based on the credentials that are presented. After
the account store verifies a user's credentials, the claims for the user are generated according to the rules of the
trust policy and then added to a security token that is issued to the client. For more information about claims, see
Understanding Claims.
Co -existence with other versions of Exchange
You can use AD FS authentication for Outlook on the web and the EAC when you have more than one version of
Exchange deployed in your organization. This scenario is supported only if all clients are connecting through
Exchange servers, and all of those servers have been configured for AD FS authentication.
In Exchange 2016 organizations, users with mailboxes on Exchange 2010 servers can access their mailboxes
through an Exchange 2016 server that's configured for AD FS authentication. The initial client connection to the or
Exchange 2016 server uses AD FS authentication. However, the proxied connection to Exchange 2010 uses
Kerberos. There's no supported way to configure Exchange 2010 for direct AD FS authentication.
Client Access Rules in Exchange 2019
8/23/2019 • 7 minutes to read • Edit Online
Client Access Rules help you control access to your Exchange 2019 organization in the Exchange admin center
(EAC ) and remote PowerShell based on client properties or client access requests. Client Access Rules are like mail
flow rules (also known as transport rules) for EAC and remote PowerShell connections to your Exchange
organization. You can prevent EAC and remote PowerShell clients from connecting to Exchange based on their IP
address, authentication type, and user property values. For example:
Prevent client access using remote PowerShell (which also includes the Exchange Management Shell).
Block access to the EAC for users in a specific country or region.
For Client Access Rule procedures, see Procedures for Client Access Rules in Exchange Server.
Multiple rules that contain the same The first rule is applied, and subsequent For example, if your highest priority rule
condition rules are ignored blocks remote PowerShell connections,
and you create another rule that allows
remote PowerShell connections for a
specific IP address range, all remote
PowerShell connections are still blocked
by the first rule. Instead of creating
another rule for remote PowerShell, you
need to add an exception to the
existing remote PowerShell rule to allow
connections from the specified IP
address range.
Multiple conditions in one rule AND A client connection must match all
conditions in the rule. For example, EAC
connections from users in the
Accounting department.
One condition with multiple values in a OR For conditions that allow more than
rule one value, the connection must match
any one (not all) of the specified
conditions. For example, EAC or remote
PowerShell connections.
You can test how a specific client connection would be affected by Client Access Rules (which rules would match
and therefore affect the connection). For more information, see Use the Exchange Management Shell to test Client
Access Rules.
Important notes
Client connections from your internal network
Connections from your local network aren't automatically allowed to bypass Client Access Rules. Therefore, when
you create Client Access Rules that block client connections to Exchange, you need to consider how connections
from your internal network might be affected. The preferred method to allow internal client connections to bypass
Client Access Rules is to create a highest priority rule that allows client connections from your internal network (all
or specific IP addresses). That way, the client connections are always allowed, regardless of any other blocking
rules that you create in the future.
Client Access Rules and middle-tier applications
Many applications that access Exchange use a middle-tier architecture (clients talk to the middle-tier application
and the middle-tier application talks to Exchange). A Client Access Rule that only allows access from your local
network might block middle-tier applications. So, your rules need to allow the IP addresses of middle-tier
applications.
Middle-tier applications owned by Microsoft (for example, Outlook for iOS and Android) will bypass blocking by
Client Access Rules, and will always be allowed. To provide additional control over these applications, you need to
use the control capabilities that are available in the applications.
Timing for rule changes
To improve overall performance, Client Access Rules use a cache, which means changes to rules don't immediately
take effect. The first rule that you create in your organization can take up to 24 hours to take effect. After that,
modifying, adding, or removing rules can take up to one hour to take effect.
Administration
You can only use the Exchange Managment Shell (remote PowerShell) to manage Client Access Rules, so you
need to be careful about rules that block your access to remote PowerShell.
As a best practice, create a Client Access Rule with the highest priority to preserve your access to remote
PowerShell. For example:
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action Allow -AnyOfProtocols RemotePowerShell -
Priority 1
Client Access Rules allow or block Exchange admin center (EAC ) or remote PowerShell connections to your
Exchange 2019 organization based on the properties of the connection. For more information about Client Access
Rules, see Client Access Rules in Exchange Server.
TIP
Verify that your rules work the way you expect. Be sure to thoroughly test each rule and the interactions between rules. For
more information, see the Use the Exchange Management Shell to test Client Access Rules section later in this topic.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Get-ClientAccessRule
This example returns all the property values for the rule named "Block Client Connections from 192.168.1.0/24".
This example returns only the specified properties for the same rule.
This example creates a new Client Access Rule named Block PowerShell that blocks remote PowerShell access,
except for clients in the IP address range 192.168.10.1/24.
Notes:
As a best practice, create a Client Access Rule with the highest priority to preserve your administrator
access to remote PowerShell. For example:
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action Allow -AnyOfProtocols
RemotePowerShell -Priority 1
.
The rule has the default priority value, because we didn't use the Priority parameter. For more information,
see the Use the Exchange Management Shell to set the priority of Client Access Rules section later in this
topic.
The rule is enabled, because we didn't use the Enabled parameter, and the default value is $true .
This example creates a new Client Access Rule named Restrict EAC Access that blocks access for the Exchange
admin center, except if the client is coming from an IP address in the 192.168.10.1/24 range or if the user account
name contains "tanyas".
Get-ClientAccessRule
Replace <RuleName> with the name of the rule, and run this command to see the details of the rule:
See which Client Access Rules would affect a specific client connection to Exchange by using the Test-
ClientAccessRule cmdlet. For more information, see the Use the Exchange Management Shell to test
Client Access Rules section later in this topic.
This example disables the existing Client Access Rule named Allow EAC.
An important consideration when you modify Client Access Rules is modifying conditions or exceptions that
accept multiple values:
The values that you specify will replace any existing values.
To add or remove values without affecting other existing values, use this syntax:
@{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...}
This example adds the IP address range 172.17.17.27/16 to the existing Client Access Rule named Allow EAC
without affecting the existing IP address values.
See which Client Access Rules would affect a specific client connection to Exchange by using the Test-
ClientAccessRule cmdlet. For more information, see the Use the Exchange Management Shell to test
Client Access Rules section later in this topic.
This example sets the priority of the rule named Disable PowerShell to 3. All existing rules that have a priority less
than or equal to 3 are decreased by 1 (their priority numbers are increased by 1).
Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-
ClientAccessRule cmdlet.
How do you know this worked?
To verify that you've successfully set the priority of a Client Access Rule, use either of these procedures:
Run the this command in the Exchange Management Shell to see the list of rules and their Priority values:
Get-ClientAccessRule
Replace <RuleName> with the name of the rule, and run this command:
This example removes the Client Access Rule named Block EAC.
Note: To disable a Client Access Rule without deleting it, use the Enabled parameter with the value $false on the
Set-ClientAccessRule cmdlet.
For detailed syntax and parameter information, see Remove-ClientAccessRule.
How do you know this worked?
To verify that you've successfully removed a Client Access Rule, run this command in the Exchange Management
Shell to verify that the rule is no longer listed:
Get-ClientAccessRule
In Exchange Server, mail flow occurs through the transport pipeline. The transport pipeline is a collection of
services, connections, components, and queues that work together to route all messages to the categorizer in
the Transport service on an Exchange Mailbox server inside the organization.
For information about how to configure mail flow in a new Exchange 2016 or Exchange 2019 organization, see
Configure mail flow and client access.
1. The Mailbox Transport Submission service uses RPC to retrieve the outbound message from the local
mailbox database.
2. The Mailbox Transport Submission service uses SMTP to send the message to the Transport service on
the local Mailbox server or on a different Mailbox server.
3. In the Transport service, the default Receive connector named "Default <Mailbox server name>" accepts
the message.
4. What happens next depends on the configuration of the Send connector:
Default: The Transport service uses the Send connector you created to send the message to the
Internet.
Outbound proxy: The Transport service uses the Send connector you created to send the
message to the Front End Transport service on the local Mailbox server or on a remote Mailbox
server. In the Front End Transport service, the default Receive connector named "Outbound Proxy
Frontend <Mailbox server name>" accepts the message. The Front End Transport services sends
the message to the Internet.
Outbound mail flow with Edge Transport servers
If you have an Edge Transport server installed in the perimeter network, outbound mail never flows through the
Front End Transport service. Outbound mail flow with an Edge Transport server is described in the following
diagram and list.
1. The Mailbox Transport Submission service uses RPC to retrieve the outbound message from the local
mailbox database.
2. The Mailbox Transport Submission service uses SMTP to send the message to the Transport service on
the local Mailbox server or on a different Mailbox server.
3. In the Transport service on a Mailbox server in the subscribed Active Directory site, the default Receive
connector named "Default <Mailbox server name>" accepts the message.
4. The message is sent to the Edge Transport server using the implicit and invisible intra-organization Send
connector that automatically sends mail between Exchange servers in the same organization.
5. In the Transport service on the Edge Transport server, the default Receive connector named "Default
internal Receive connector <Edge Transport server name>" accepts the message.
6. In the Transport service on the Edge Transport server, the default Send connector named "EdgeSync -
<Active Directory site name> to Internet" sends the message to the Internet.
Accepted domains are the SMTP name spaces (also known as address spaces) that you configure in an Exchange
organization to receive email messages. For example, if your company registered the domain contoso.com, and
you configured a mail exchanger (MX) record in your Internet DNS for contoso.com, you need to configure
contoso.com as an accepted domain in your Exchange organization to accept messages that are addressed to
@contoso.com recipients.
Accepted domains in Exchange 2016 and Exchange 2019 are basically unchanged from Exchange Server 2010,
and consist of the following types:
Authoritative domains: Recipients (in particular, mailboxes) are configured with email addresses in these
domains. The Exchange organization accepts messages that are addressed to recipients in these domains,
and is responsible for generating non-delivery reports (also known as NDRs or bounce messages) for non-
existent recipients.
Relay domains: The Exchange organization accepts messages that are addressed to recipients in relay
domains, but isn't responsible for generating NDRs for non-existent recipients. Instead, Exchange (with
additional configuration) relays the messages to messaging servers that are external to the Exchange
organization. Relay domains can be internal (for domains that you control) or external (for domains that
you don't control).
An accepted domain can be a single domain (contoso.com) or a domain with subdomains (*.contoso.com).
Accepted domains are a global setting for the Exchange organization, and you can have multiple accepted
domains of the same or different types.
To configure accepted domains, see Procedures for accepted domains in Exchange Server.
NOTE
If you have a subscribed Edge Transport server in your perimeter network, you configure accepted domains on a Mailbox
server in your Exchange organization. The accepted domains configuration is replicated to the Edge Transport server during
EdgeSync synchronization. For more information, see Edge Subscriptions.
Authoritative domains
You configure an accepted domain as an authoritative domain when all recipients in that domain exist in your
Exchange organization.
By default, when you install the first Exchange Mailbox server, the fully qualified domain name (FQDN ) of your
forest root domain in Active Directory is configured as an authoritative domain. If you don't want to use this
domain for email, you need to add another authoritative domain. For instructions, see Create accepted domains.
An organization can be configured with multiple authoritative domains. The set of email domains for an
organization are the authoritative domains. You can use authoritative domains in email address policies, and
Exchange is responsible for generating NDRs for non-existent recipients in authoritative domains.
Relay domains
You configure an accepted domain as a relay domain (also known as non-authoritative domain) when some or
none of the recipients in that domain exist in your Exchange organization (for example, partners or subsidiaries).
Exchange isn't responsible for generating NDRs for non-existent recipients in a relay domain. Instead, you
configure a Send connector with the address space of the relay domain, and you configure this Send connector to
use smart host routing to relay messages to their destination (directly or to the next hop). For more information
about creating Send connectors that use smart host routing, see Create a Send connector to route outbound mail
through a smart host.
You configure a relay domain as an internal relay domain or as an external relay domain. The differences are
described in the following list:
Internal relay domains
Some of the recipients in the internal relay domain don't exist in the Exchange organization. For
example:
You share the domain between the Exchange organization and a third-party messaging
system.
You share the domain between Exchange organizations in different Active Directory forests.
Recipients in the internal relay domain can be represented as mail contacts or mail users in the
Exchange organization (manually created or automatically created by using directory
synchronization).
The Send connector that you configure for the internal relay domain is sourced on an internal
Mailbox server.
Note: By default, you can't configure a Send connector for an internal relay domain on a subscribed
Edge Transport server. Messages sent to recipients in the internal relay domain are automatically
forwarded to internal Mailbox servers in the subscribed Active Directory site by using the default
"EdgeSync - Inbound to <Active Directory site name>" Send connector. This Send connector is
automatically configured to route mail for all authoritative domains and internal relay domains (the
address space value is -- ). For more information, see Send connectors created automatically by the
Edge Subscription.
You can use internal relay domains in email address policies.
External relay domains
None of the recipients in the external relay domain exist in the Exchange organization (including
mail contacts or mail users). For example, your Exchange organization is the central location for
accepting Internet email for a group of separate organizations.
The Send connector that you configure for the external relay domain is sourced on an Edge
Transport server or Internet-facing Mailbox server.
You can't use external relay domains in email address policies.
Internal relay domain Disabled ( $false ) If all recipients in the internal relay
domain exist in the Exchange
organization (including mail contacts
and mail users), you can enable
Recipient Lookup for the domain.
If some or none of the recipients in the
internal relay domain exist in the
Exchange organization, you shouldn't
enable Recipient Lookup for the
domain.
Default domain
Because the forest root FQDN is automatically configured as the first accepted domain in your organization, that
accepted domain is also configured as the default domain. However, after you add additional accepted domains,
you can configure one of them as the default domain. Here's some information about the default domain:
You can't delete the default domain. You need to configure another accepted domain as the default domain
(one accepted domain is always configured as the default domain).
The default domain is used in the external postmaster address: postmaster@<default domain> .
The default domain is used in encapsulated non-SMTP email addresses (Internet Mail Connector
Encapsulated Address or IMCEA encapsulation).
The first default domain is used as the primary address for all recipients in the default email address policy.
If you configure another accepted domain as the default domain, the default email address policy isn't
automatically updated.
Although you can configure any accepted domain as the default domain, you typically specify an
authoritative domain.
Procedures for accepted domains in Exchange Server
8/23/2019 • 8 minutes to read • Edit Online
Accepted domains are the SMTP name spaces (also known as address spaces) that you configure in an Exchange
organization to receive email messages. You use the Exchange admin center (EAC ) or the Exchange Management
Shell to configure accepted domains in Exchange Server.
For more information about accepted domains, see Accepted domains in Exchange Server. The types of accepted
domains are summarized in the following list:
Authoritative domains
All recipients in the authoritative domain exist in the Exchange organization.
Exchange is responsible for generating non-delivery reports (also known as NDRs or bounce
messages) for non-existent recipients in an authoritative domain.
Internal relay domains
Some recipients in the internal relay domain might exist in the Exchange organization.
Exchange isn't responsible for generating NDRs for non-existent recipients in an internal relay
domain. Instead, you create a Send connector with the address space of the internal relay domain.
You source this Send connector on an internal Mailbox server to relay messages for the non-existent
recipients in the domain.
External relay domains
None of the recipients in the external relay domain exist in the Exchange organization.
Exchange isn't responsible for generating NDRs for non-existent recipients in an external relay
domain. Instead, you create a Send connector with the address space of the external relay domain.
You source this Send connector on an Edge Transport server or Internet-facing Mailbox server to
relay messages for all the recipients in the domain.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example creates a new authoritative domain named Contoso Corp for contoso.com.
Note: We didn't need to use the DomainType parameter, because the default value is Authoritative .
For detailed syntax and parameter information, see New -AcceptedDomain.
How do you know this worked?
To verify that you've successfully created an accepted domain, use either of the following procedures:
In the EAC, go to Mail flow > Accepted domains, verify that the accepted domain is listed, and the details
are correct.
In the Exchange Management Shell, run the following command to verify the property values:
This example configures the authoritative domain named Contoso Corp as the default domain.
This example enables Recipient Lookup on a Edge Transport server for the internal relay domain named Fabrikam
Corp. All external recipients in the fabrikam.com domain are represented in Exchange as mail users.
For more information about modifying email address policies, see Modify email address policies[Modify
email address policies]).
Use the EAC to remove accepted domains
1. In the EAC, go to Mail flow > Accepted domains, select the accepted domain from the list, and then click
Remove ( ).
2. In the Warning dialog that appears, click Yes to confirm.
Use the Exchange Management Shell to remove accepted domains
To remove an accepted domain, use the following syntax:
Get-AcceptedDomain
Exchange uses connectors to enable incoming and outgoing mail flow on Exchange servers, and also between
services in the transport pipeline on the local Exchange server.
These are the types of connectors that are available in Exchange.
CONNECTOR DESCRIPTION
Receive connectors Receive connectors control incoming SMTP mail flow. They
listen for incoming connections that match the configuration
of the connector. Multiple default Receive connectors are
created when you install Exchange.
Send connectors Send connectors control outgoing SMTP mail flow. A Send
connector is chosen based on the message recipients and the
configuration of the connector. No default Send connectors for
external mail flow are created when you install Exchange, but
implicit and invisible Send connectors exist, and are used to
route mail between internal Exchange servers.
Delivery agents and Delivery Agent Connectors Delivery agents and Delivery Agent connectors control
outgoing mail flow to non-SMTP systems. Outgoing messages
are put into message queues for delivery to the non-SMTP
system. Delivery agents and Delivery agent connectors are
preferred over Foreign connectors due to their improved
performance and management.
Exchange servers use Receive connectors to control inbound SMTP connections from:
Messaging servers that are external to the Exchange organization.
Services in the transport pipeline on the local Exchange server or on remote Exchange servers.
Email clients that need to use authenticated SMTP to send messages.
You can create Receive connectors in the Transport service on Mailbox servers, the Front End Transport service on
Mailbox servers, and on Edge Transport servers. By default, the Receive connectors that are required for inbound mail
flow are created automatically when you install an Exchange Mailbox server, and when you subscribe an Edge
Transport server to your Exchange organization.
A Receive connector is associated with the Mailbox server or Edge Transport server where it's created, and determines
how that specific server listens for SMTP connections. On Mailbox servers, the Receive connector is stored in Active
Directory as a child object of the server. On Edge Transport servers, the Receive connector is stored in Active Directory
Lightweight Directory Services (AD LDS ).
These are the important settings on Receive connectors:
Local adapter bindings: Configure the combination of local IP addresses and TCP ports that the Receive
connector uses to accept connections.
Remote network settings: Configure the source IP addresses that the Receive connector listens to for
connections.
Usage type: Configure the default permission groups and smart host authentication mechanisms for the
Receive connector.
Permission groups: Configure who's allowed to use the Receive connector, and the permissions that they
receive.
A Receive connector listens for inbound connections that match the configuration settings of the connector. Each
Receive connector on the Exchange server uses a unique combination of local IP address bindings, TCP ports, and
remote IP address ranges that define if and how connections from SMTP clients or servers are accepted.
Although the default Receive connectors are adequate in most cases, you can create custom Receive connectors for
specific scenarios. For example:
To apply special properties to an email source, for example, a larger maximum message size, more recipients
per message or more simultaneous inbound connections.
To accept encrypted mail by using a specific TLS certificate.
On Mailbox servers, you can create and manage Receive connectors in the Exchange admin center (EAC ) or in the
Exchange Management Shell. On Edge Transport servers, you can only use the Exchange Management Shell.
AUTHENTICA
LOCAL IP REMOTE IP TION
PROTOCOL ADDRESS ADDRESS MECHANISM PERMISSION
NAME DESCRIPTION LOGGING TCP PORT BINDINGS RANGES S GROUPS
AUTHENTICA
LOCAL IP REMOTE IP TION
PROTOCOL ADDRESS ADDRESS MECHANISM PERMISSION
NAME DESCRIPTION LOGGING TCP PORT BINDINGS RANGES S GROUPS
AUTHENTICA
LOCAL IP REMOTE IP TION
PROTOCOL ADDRESS ADDRESS MECHANISM PERMISSION
NAME DESCRIPTION LOGGING TCP PORT BINDINGS RANGES S GROUPS
Client Proxy Accepts None 465 All available {::- TLS ExchangeServers
<ServerNa authenticate IPv4 and ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,
BasicAuth ExchangeUsers
0.0.0.0-255.255.255.255}
me> d client IPv6 BasicAuthRequireTLS
connections addresses ( (all IPv4 and
IPv6 ExchangeServer
that are 0.0.0.0
Integrated
proxied ) addresses)
and [::]:
from the
Front End
Transport
service.
Implicit Receive connectors in the Mailbox Transport Delivery service on Mailbox servers
In addition to the Receive connectors are created during the installation of Exchange servers, there's a special implicit
Receive connector in the Mailbox Transport Delivery service on Mailbox servers. This implicit Receive connector is
automatically available, invisible, and requires no management. The primary function of this connector is to accept
mail from the Transport service on the local Mailbox server or remote Mailbox servers in your organization.
The implicit Receive connector that exists in the Mailbox Transport Delivery service on Mailbox servers is described in
the following table.
AUTHENTICA
LOCAL IP REMOTE IP TION
PROTOCOL ADDRESS ADDRESS MECHANISM PERMISSION
NAME DESCRIPTION LOGGING TCP PORT BINDINGS RANGES S GROUPS
NOTE
If you bind a Receive connector to a specific IP address, make sure that the address is configured on a local network adapter. If
you specify an invalid local IP address, the Microsoft Exchange Transport service may fail to start when the server or service is
restarted.
In the EAC, you use the Network adapter bindings field to configure the local address bindings in the new Receive
connector wizard, or on the Scoping tab in the properties of existing Receive connectors. In the Exchange
Management Shell, you use the Bindings parameter on the New-ReceiveConnector and Set-ReceiveConnector
cmdlets. Depending on the usage type that you select, you might not be able to configure the local address bindings
when you create the Receive connector, but you can modify them after you create the Receive connector. The affected
usage types are identified in the Receive connector usage types section.
Client Exchange users ( Transport Layer Security ( Used by POP3 and IMAP4
ExchangeUsers ) TLS ) clients that need to submit
Basic authentication ( email messages by using
BasicAuth ) authenticated SMTP.
Offer basic authentication When you create a Receive
only after starting TLS ( connector of this usage type
BasicAuthRequireTLS ) in the EAC or in the Exchange
Integrated Windows Management Shell, you can't
authentication ( select the local IP address
Integrated ) bindings or TCP port. By
default, this usage type is
bound to all local IPv4 and
IPv6 addresses on TCP port
587. You can change these
bindings after you create the
connector.
This usage type isn't available
on Edge Transport servers.
Internet Anonymous users ( Transport Layer Security ( Used to receive mail from the
AnonymousUsers ) TLS ) Internet.
When you create a Receive
connector of this usage type
in the EAC or in the Exchange
Management Shell, you can't
select the remote IP
addresses. By default, the
connector accepts remote
connections from all IPv4
addresses (0.0.0.0-
255.255.255.255). You can
change these bindings after
you create the connector.
Transport Layer Security (TLS) ( TLS ) Advertise STARTTLS in the EHLO response. TLS encrypted
connections require a server certificate that includes the name
that the Receive connector advertises in the EHLO response. For
more information, see Modify the SMTP banner on Receive
connectors. Other Exchange servers in your organization trust
the server's self-signed certificate, but clients and external
servers typically use a trusted third-party certificate.
Offer basic authentication only after starting TLS ( Basic authentication that's encrypted with TLS.
BasicAuthRequireTLS )
Exchange Server authentication ( ExchangeServer ) Generic Security Services application programming interface
(GSSAPI) and Mutual GSSAPI authentication.
AUTHENTICATION MECHANISM DESCRIPTION
The permissions are explained in the Receive connector permissions section later in this topic.
Notes:
In addition to the documented permissions, there are permissions that are assigned to all of the security
principals in the Exchange servers ( ExchangeServers ) permission group except
MS Exchange\Externally Secured Servers . These permissions are reserved for internal Microsoft use, and are
presented here for reference purposes only.
ms-Exch-SMTP-Accept-Xattr
ms-Exch-SMTP-Accept-XProxyFrom
ms-Exch-SMTP-Accept-XSessionParams
ms-Exch-SMTP-Accept-XShadow
ms-Exch-SMTP-Accept-XSysProbe
ms-Exch-SMTP-Send-XMessageContext-ADRecipientCache
ms-Exch-SMTP-Send-XMessageContext-ExtendedProperties
ms-Exch-SMTP-Send-XMessageContext-FastIndex
Permissions names that contain ms-Exch-Accept-Headers- are part of the header firewall feature. For more
information, see Header firewall.
Receive connector permission procedures
To see the permissions that are assigned to security principals on a Receive connector, use the following syntax in the
Exchange Management Shell:
Get-ADPermission -Identity <ReceiveConnector> [-User <SecurityPrincipal>] | where {($_.Deny -eq $false) -and
($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
For example, to see the permissions that are assigned to all security principals on the Receive connector named Client
Frontend Mailbox01, run the following command:
Get-ADPermission -Identity "Client Frontend Mailbox01" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq
$false)} | Format-Table User,ExtendedRights
To see the permissions that are assigned only to the security principal NT AUTHORITY\Authenticated Users on the
Receive connector named Default Mailbox01, run the following command:
Get-ADPermission -Identity "Default Mailbox01" -User "NT AUTHORITY\Authenticated Users" | where {($_.Deny -eq
$false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
To add permissions to a security principal on a Receive connector, use the following syntax:
To remove permissions from a security principal on a Receive connector, use the following syntax:
By default, Exchange Server comes with many different Receive connectors that are configured for most common
mail flow scenarios. For more information about these connectors, see Default Receive connectors created during
setup.
However, you might need to process messages from another messaging system that's not running Exchange. Or, if
you have a network appliance that performs policy checks and then routes messages to your Exchange server,
you'll need to manually configure a Receive connector.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
After you've created the new Internet Receive connector on the Mailbox server, be sure to modify the local IP address
settings in the properties of the default Receive connector named Default Frontend <ServerName>. You'll need to go
to Scoping > Network adapter bindings in the properties of the connector, and then select a different local IP
address to replace the default IP addresses: (All available IPv4) and Port: 25 entry.
This example creates a new Receive connector named Internet Receive Connector on a Mailbox server that listens
on port 25 on the local IP address 10.1.15 from all remote IP addresses:
Notes:
To run this command on an Edge Transport server, omit the TransportRole parameter.
If another Receive connector is configured to listen on port 25 using all available local IP addresses on the
server, you'll need to use the Bindings parameter on the Set-ReceiveConnector cmdlet to specify a unique
local IP address for the other connector after you create the new Internet Receive connector.
This example creates a new Receive connector named Internet Receive Connector that listens on port 25 from all
remote IP addresses, but on all available local IP addresses. You can only run this command if the server has no
other Receive connectors that are configured to listen on port 25 using all available local IP addresses.
New-ReceiveConnector -Name "Internet Receive Connector" -TransportRole Frontend -Internet -Bindings "0.0.0.0","
[::]:"
Note: To run this command on an Edge Transport server, omit the TransportRole parameter.
For detailed syntax and parameter information, see New -ReceiveConnector.
How do you know this worked?
To verify that you've successfully created a Receive connector to receive messages from the Internet, do any of
these steps:
In the EAC, go to Mail flow > Receive connectors, select the Receive connector, select Edit ( ), and verify
the property values
In the Exchange Management Shell, run this command on the server, and verify the property values:
Enable protocol logging for the Receive connector. For more information, see Configure protocol logging.
From an external client, send a test message to someone in your organization. You can also connect to the
Receive connector by using Telnet. For more information, see Use Telnet to test SMTP communication on
Exchange servers.
This example creates a Receive connector named Fabrikam.com TLS on a Mailbox server that only accepts
messages from the IP addresses 17.17.17.1/24 using all available local IP addresses.
Note: To run this command on an Edge Transport server, omit the TransportRole parameter.
For detailed syntax and parameter information, see New -ReceiveConnector.
How do you know this worked?
To verify that you've successfully created a Receive connector to receive TLS encrypted messages from a partner,
do any of these steps:
In the EAC, go to Mail flow > Receive connectors, select the Receive connector, select Edit ( ), and verify
the property values
In the Exchange Management Shell, run this command on the server, and verify the property values:
Enable protocol logging for the Receive connector. For more information, see Configure protocol logging.
Have someone in the partner organization send a test message to someone in your organization. Verify that
the message is encrypted (you can verify that TLS is used by checking the message header).
Be very careful using the authentication mechanism Externally secured with the permission group
Exchange servers. This combination allows the remote IP addresses specified in the Remote
network settings section on the Scoping tab to anonymously relay messages through the Exchange
server. For more information, see Allow anonymous relay on Exchange servers.
When you're finished, click Save.
Use the Exchange Management Shell to create a Receive connector that only accepts messages from a specific
service or device
To create a Receive connector that only accepts messages from a specific service or device, use this syntax:
This example creates a Receive connector named Inbound From Service on a Mailbox server:
Bindings: All available local IP addresses.
Remote IP address ranges: 192.168.5.1/24.
Authentication mechanisms: Basic authentication.
Permission groups: Anonymous users.
New-ReceiveConnector -Name "Inbound From Service" -TransportRole Frontend -Custom -Bindings 0.0.0.0:25 -
RemoteIPRanges 192.168.10.5 -AuthMechanism BasicAuth -PermissionGroups AnonymousUsers
Note: To run this command on an Edge Transport server, omit the TransportRole parameter.
For detailed syntax and parameter information, see New -ReceiveConnector.
How do you know this worked?
To verify that you've successfully created a Receive connector that only accepts messages from a specific service or
device, do any of these steps:
In the EAC, go to Mail flow > Receive connectors, select the Receive connector, select Edit ( ), and verify
the property values.
In the Exchange Management Shell, run this command on the server, and verify the property values:
Enable protocol logging for the Receive connector. For more information, see Configure protocol logging.
Send a test message or connect to the Receive connector by using Telnet from the server or device. For
more information, see Use Telnet to test SMTP communication on Exchange servers.
This example creates a Receive connector named Inbound From Organization on an unsubscribed Edge Transport
server that listens for inbound messages from the internal Mailbox servers at IP addresses 10.1.2.10, 10.1.2.15, and
10.1.2.20.
Note: If your Edge Transport server uses different network adapters for internal and external networks, be sure to
use the Bindings parameter on the Set-ReceiveConnector cmdlet after you create the connector to specify the
correct local IP address for the connector.
For detailed syntax and parameter information, see New -ReceiveConnector.
How do you know this worked?
To verify that you've successfully created a Receive connector that only accepts messages from an internal
Exchange server, do any of these steps:
In the EAC, go to Mail flow > Receive connectors, select the Receive connector, select Edit ( ), and verify
the property values.
In the Exchange Management Shell, run this command on the server, and verify the property values:
Enable protocol logging for the Receive connector. For more information, see Configure protocol logging.
Send a test message or connect to the Receive connector by using Telnet from the remote Exchange server.
For more information, see Use Telnet to test SMTP communication on Exchange servers.
Modify the SMTP banner on Receive connectors
8/23/2019 • 2 minutes to read • Edit Online
The SMTP banner is the initial SMTP connection response that a messaging server receives after it connects to an
Exchange server. Specifically, the messaging server connects to a Receive connector that's configured on the
Exchange server. For Exchange Mailbox servers, external messaging servers connect through Receive connectors
that are configured in the Front End Transport service. The default Receive connector that's configured to accept
anonymous SMTP connections is named Default Frontend <ServerName>. For Edge Transport servers, the
default Receive connector in the Transport service named Default internal receive connector <ServerName>> is
configured to accept anonymous SMTP connections. For more information, see How messages from external
senders enter the transport pipeline and Default Receive connectors created during setup.
By default, the connection response looks like this:
220 <ServerName> Microsoft ESMTP MAIL service ready at <RegionalDay-Date-24HourTimeFormat>
<RegionalTimeZoneOffset>
Here are some reasons that you might want to modify the default SMTP banner:
You don't want Exchange or the internal Exchange server name disclosed in the connection response to
external messaging servers.
You want the connection response to include your domain name to satisfy antispam or reverse DNS to
SMTP banner checks.
You want the connection response to include the name of the Receive connector to make it easier to
troubleshoot connection problems.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example changes the SMTP banner on the Receive connector named Default Frontend Mailbox01 to the value
220 contoso.com.
This example removes the custom SMTP banner, which returns the SMTP banner to the default value.
2. Verify the that response contains the SMTP banner you configured.
Note that this procedure only works on Receive connectors that allow anonymous or Basic authentication. For
more information, see Use Telnet to test SMTP communication on Exchange servers.
Allow anonymous relay on Exchange servers
8/23/2019 • 11 minutes to read • Edit Online
Open relay is a very bad thing for messaging servers on the Internet. Messaging servers that are accidentally or
intentionally configured as open relays allow mail from any source to be transparently re-routed through the open
relay server. This behavior masks the original source of the messages, and makes it look like the mail originated
from the open relay server. Open relay servers are eagerly sought out and used by spammers, so you never want
your messaging servers to be configured for open relay.
On the other hand, anonymous relay is a common requirement for many businesses that have internal web
servers, database servers, monitoring applications, or other network devices that generate email messages, but are
incapable of actually sending those messages.
In Exchange Server, you can create a dedicated Receive connector in the Front End Transport service on a Mailbox
server that allows anonymous relay from a specific list of internal network hosts. Here are some key
considerations for the anonymous relay Receive connector:
You need to create a dedicated Receive connector to specify the network hosts that are allowed to
anonymously relay messages, so you can exclude anyone or anything else from using the connector. Don't
attempt to add anonymous relay capability to the default Receive connectors that are created by Exchange.
Restricting access to the Receive connector is critical, because you don't want to configure the server as an
open relay.
You need to create the dedicated Receive connector in the Front End Transport service, not in the Transport
service. In Exchange Server, the Front End Transport service and the Transport service are always located
together on Mailbox servers. The Front End Transport service has a default Receive connector named
Default Frontend <ServerName> that's configured to listen for inbound SMTP connections from any
source on TCP port 25. You can create another Receive connector in the Front End Transport service that
also listens for incoming SMTP connections on TCP port 25, but you need to specify the IP addresses that
are allowed to use the connector. The dedicated Receive connector will always be used for incoming
connections from those specific network hosts (the Receive connector that's configured with the most
specific match to the connecting server's IP address wins).
In contrast, the Transport service has a Default receive connector named Default <ServerName> that's also
configured to listed for inbound SMTP connections from any source, but this connector listens on TCP port
2525 so that it doesn't conflict with the Receive connector in the Front End Transport service. Furthermore,
only other transport services and Exchange servers in your organization are expected to use this Receive
connector, so the authentication and encryption methods are set accordingly.
For more information, see Mail flow and the transport pipeline and Default Receive connectors created
during setup.
After you create the dedicated Receive connector, you need to modify its permissions to allow anonymous
relay only by the specified network hosts as identified by their IP addresses. At a minimum, the network
hosts need the following permissions on the Receive connector to anonymously relay messages:
ms-Exch-Accept-Headers-Routing
ms-Exch-SMTP-Accept-Any-Recipient
ms-Exch-SMTP-Accept-Any-Sender
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
ms-Exch-SMTP-Submit
For more information about permissions on Receive connectors, see Receive connector permission
groups and Receive connector permissions.
There are two different methods that you can use to configure the permissions that are required for
anonymous relay on a Receive connector. These methods are described in the following table.
Add the Anonymous users Connections use the Grants the minimum More difficult to configure
( Anonymous ) permission NT AUTHORITY\ANONYMOUS required permissions to (must use the Exchange
LOGON allow anonymous relay. Management Shell).
group to the Receive
connector and add the security principal with the
Ms-Exch-SMTP-Accept- following permissions: The network hosts are
Any-Recipient • considered anonymous
permission to the ms-Exch-Accept-Headers- senders. Messages don't
Routing
NT AUTHORITY\ANONYMOUS bypass antispam or message
LOGON • size limit checks, and the
security principal on the ms-Exch-SMTP-Accept- sender's email address can't
Any-Recipient
Receive connector. be resolved to the
• corresponding display name
ms-Exch-SMTP-Accept-
Any-Sender (if any) in the global address
• list.
ms-Exch-SMTP-Accept-
Authoritative-Domain-
Sender
• ms-Exch-SMTP-Submit
Add the Exchange servers Connections use the Easier to configure (can do Grants the permissions to
( ExchangeServers ) MS Exchange\Externally everything in the Exchange submit messages as if they
Secured Servers admin center). originated from internal
permission group and the
Externally secured ( security principal with the senders within your
ExternalAuthoritative ) following permissions: The network hosts are Exchange organization. The
authentication mechanism • considered authenticated network hosts are
ms-Exch-Accept-Headers- senders. Messages bypass considered completely
to the Receive connector. Routing
antispam and message size trustworthy, regardless of
• limit checks, and the sender's the volume, size, or content
ms-Exch-Bypass-Anti- email address can be of the messages that they
Spam
resolved to a corresponding send.
• display name in the global
ms-Exch-Bypass-Message-
Size-Limit address list.
•
ms-Exch-SMTP-Accept-
Any-Recipient
•
ms-Exch-SMTP-Accept-
Any-Sender
•
ms-Exch-SMTP-Accept-
Authentication-Flag
•
ms-Exch-SMTP-Accept-
Authoritative-Domain-
Sender
•
ms-Exch-SMTP-Accept-
Exch50
• ms-Exch-SMTP-Submit
Ultimately, you need to decide on the approach that best fits the needs of your organization. We'll show you how
to configure both methods. Just remember that it's one method or the other, and not both at the same time.
What do you need to know before you begin?
Estimated time to complete this task: 10 minutes.
Some of these procedures require the Exchange Management Shell. To learn how to open the Exchange
Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Receive connectors" entry in the Mail flow permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example creates a new Receive connector with the following configuration options:
Name: Anonymous Relay
Transport role: FrontEndTransport
Notes:
The Bindings parameter is required when you specify the Custom usage type.
The RemoteIpRanges parameter accepts an individual IP address, an IP address range (for example,
192.168.5.10-192.168.5.20 ), or Classless InterDomain Routing ( CIDR ) (for example, 192.168.5.1/24 ). You
can specify multiple values separated by commas.
2.
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights
"Ms-Exch-SMTP-Accept-Any-Recipient"
Get-ADPermission "Anonymous Relay" -User "NT AUTHORITY\ANONYMOUS LOGON" | where {($_.Deny -eq $false) -
and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
Or
Get-ADPermission "Anonymous Relay" -User "MS Exchange\Externally Secured Servers" | where {($_.Deny -eq
$false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
Use Telnet to test if one or more of the specified network hosts can connect to the dedicated Receive
connector, and can anonymously relay mail through the connector. By default, the Telnet Client isn't installed
in most client or server versions of Microsoft Windows. To install it, see Install Telnet Client.
For more information, see Use Telnet to test SMTP communication on Exchange servers.
If the network host is a device that doesn't have Telnet, you could temporarily add the IP address of a
computer to the Receive connector, and then remove the IP address from the Receive connector when
you're finished testing.
For the test, the you'll need the following values:
Destination: This is the IP address or FQDN that you use to connect to the dedicated Receive
connector. This is likely the IP address of the Mailbox server where the Receive connector is defined.
This relates to the Network adapter bindings property (or the Bindings parameter) value that you
configured on the connector. You'll need to use the valid value for your environment. In this example,
we'll use 10.1.1.1.
Sender's email address: You'll probably configure the servers or devices that are anonymously
relaying mail to use a sending email address that's in an authoritative domain for your organization.
In this example, we'll use chris@contoso.com.
Recipient's email address: Use a valid email address. In this example, we'll use kate@fabrikam.com.
Message subject: Test
Message body: This is a test message
1. Open a Command Prompt window, type telnet, and then press Enter.
2. Type set localecho, and then press Enter.
3. Type OPEN 10.1.1.1 25, and then press Enter.
4. Type EHLO, and then press Enter.
5. Type MAIL FROM:chris@contoso.com, and then press Enter.
6. Type RCPT TO:kate@fabrikam.com, and then press Enter.
If you receive the response 250 2.1.5 Recipient OK , the Receive connector allows anonymous
relay from the network host. Continue to the next step to finish sending the test message.
If you receive the response 550 5.7.1 Unable to relay , the Receive connector doesn't allow
anonymous relay from the network host. If this happens, do the following:
Verify that you're connecting to the correct IP address or FQDN for the dedicated
Receive connector.
Verify that the computer where you're running Telnet is allowed to use the Receive
connector.
Verify the permissions on the Receive connector.
7. Type DATA, and then press Enter.
You should receive a response that looks like this:
354 Start mail input; end with <CLRF>.<CLRF>
12. To disconnect from the SMTP server, type QUIT, and then press Enter.
You should receive a response that looks like this:
221 2.0.0 Service closing transmission channel
13. To close the Telnet session, type quit, and then press Enter.
If anonymous relay works intermittently, you may need to modify the default message rate and throttling
limits on the Receive connector. For more information, see Message throttling on Receive connectors.
Send connectors
8/23/2019 • 12 minutes to read • Edit Online
Exchange uses Send connectors for outbound SMTP connections from source Exchange servers to destination
email servers. The Send connector that's used to route messages to a recipient is selected during the routing
resolution phase of message categorization. For more information, see Mail routing.
You can create Send connectors in the Transport service on Mailbox servers and on Edge Transport servers. Send
connectors are stored in Active Directory and are (by default) visible to all Mailbox servers in the organization.
IMPORTANT
By default, no Send connectors exist for external mail flow when you install Exchange. To enable outbound internet mail flow,
you need to create a Send connector, or subscribe an Edge Transport server to your Exchange organization. For more
information, see Create a Send connector to send mail to the Internet and Edge Transport servers.
You don't need to configure Send connectors to send mail between Exchange servers in the same Active Directory
forest. Implicit and invisible Send connectors that are fully aware of the Exchange server topology are available for
sending mail to internal Exchange servers. These connectors are described in the Implicit Send connectors section.
These are the important settings on Send connectors:
Usage type
Network settings: Configure how the Send connector routes mail: by using DNS or by automatically
forward all mail to a smart host.
Address spaces: Configure the destination domains that the Send connector is responsible for.
Scope: Configures the visibility of the Send connector to other Exchange servers in the organization.
Source servers: Configure the Exchange servers where the Send connector is hosted. Mail that needs to
be delivered by using the Send connector is routed to one of the source servers.
On Mailbox servers, you can create and manage Send connectors in the Exchange admin center or in the
Exchange Management Shell. On Edge Transport servers, you can only use the Exchange Management Shell.
Custom 35 MB None
Internet 35 MB None
USAGE TYPE MAXIMUM MESSAGE SIZE COMMENTS
Basic authentication ( BasicAuth ) Basic authentication. Requires a user name and password. The
user name and password are sent in clear text.
Offer basic authentication only after starting TLS ( Basic authentication that's encrypted with TLS. This requires a
BasicAuthRequireTLS ) server certificate on the smart host that contains the exact
FQDN of the smart host that's defined on the Send connector.
Exchange Server authentication ( ExchangeServer ) Generic Security Services application programming interface
(GSSAPI) and Mutual GSSAPI authentication.
Domain (for example, contoso.com ) The Send connector routes mail to recipients in the specified
domain, but not in any subdomains.
Domain and subdomains (for example, *.contoso.com ) The Send connector routes mail to recipients in the specified
domain, and in all subdomains.
An address space also has Type and Cost values that you can configure.
On Edge Transport servers, the Type value must be SMTP . On Mailbox servers, you can also use non-SMTP
address space types like X400 or any other text string. X.400 addresses need to be RFC 1685 compliant (for
example, o=MySite;p=MyOrg;a=adatum;c=us ), but other Type values accept any text value for the address space. If
you specify a non-SMTP address space type, the Send connector must use smart host routing, and SMTP is used
to send messages to the smart host. Delivery Agent connectors and Foreign connectors send non-SMTP
messages to non-SMTP servers without using SMTP. For more information, see Delivery Agents and Delivery
Agent Connectors and Foreign Connectors.
The Cost value on the address space is used for mail flow optimization and fault tolerance when you have the
same address spaces configured on multiple Send connectors on different source servers. A lower priority value
indicates a preferred Send connector.
The Send connector that's used to route messages to a recipient is selected during the routing resolution phase of
message categorization. The Send connector whose address space most closely matches the recipient's email
address, and whose priority value is lowest is selected.
For example, suppose the recipient is julia@marketing.contoso.com. If a Send connector is configured for
*.contoso.com, the message is routed through that connector. If no Send connector is configured for
*.contoso.com, the message is routed through the connector that's configured for *. If multiple Send connectors in
the same Active Directory site are configured for *.contoso.com, the connector with the lower priority value is
selected.
MS Exchange\Externally Secured
Servers
MS Exchange\Legacy Exchange
Servers
MS Exchange\Partner Servers
Note: Permissions names that contain ms-Exch-Send-Headers- are part of the header firewall feature. For more
information, see Header firewall.
Send connector permission procedures
To see the permissions that are assigned to security principals on a Send connector, use the following syntax in the
Exchange Management Shell:
Get-ADPermission -Identity <SendConnector> [-User <SecurityPrincipal>] | where {($_.Deny -eq $false) -and
($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
For example, to see the permissions that are assigned to all security principals on the Send connector named To
Fabrikam.com, run the following command:
Get-ADPermission -Identity "To Fabrikam.com" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} |
Format-Table User,ExtendedRights
To see the permissions that are assigned only to the security principal NT AUTHORITY\ANONYMOUS LOGON on the Send
connector named To Fabrikam, run the following command:
Get-ADPermission -Identity "To Fabrikam.com" -User "NT AUTHORITY\ANONYMOUS LOGON" | where {($_.Deny -eq
$false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights
To add permissions to a security principal on a Send connector, use the following syntax:
To remove permissions from a security principal on a Send connector, use the following syntax:
When install your first Exchange Server 2016 or Exchange 2019 server, the server isn't able to send mail outside
of your Exchange organization. To send mail outside your Exchange organization, you need to create a Send
connector.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example creates the internet Send connector named "To internet" with the following properties:
The usage type is Internet.
The Send connector uses DNS routing. We aren't using the DNSRoutingEnabled parameter, and the
default value is $true .
The Send connector is for all external domains (*).
The local Exchange server is the source server. We aren't using the SourceTransportServer
parameter, and the default value is the local Exchange server.
The Send connector isn't scoped to the local Active Directory site. We aren't using the
IsScopedConnector parameter, and the default value is $false .
Instead of routing all outbound messages directly to the Internet, you may need to route your organization's
outbound mail through a third-party smart host. For example, your organization may have an appliance that scans
outbound mail for spam and malware.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Use the EAC to create a Send connector that uses smart host routing
1. In the EAC, navigate to Mail flow > Send connectors, and then click Add . This starts the New Send
connector wizard.
2. On the first page, enter the following information:
Name: Enter a descriptive name for the Send connector, for example, Smart host to Internet.
Type: Select a descriptive value. For example, Internet or Custom. For more information about
Send connector usage types, see Send connector usage types.
When you're finished, click Next.
3. On the next page, select Route mail through smart hosts, and then click Add . In the Add smart host
dialog box that appears, identify the smart host by using one of the following values:
IP address: For example, 192.168.3.2.
Fully qualified domain name (FQDN ): For example, securitydevice01.contoso.com. Note that the
Exchange source servers for the Send connector must be able to resolve the smart host in DNS by
using this FQDN.
When you're finished, click Save.
4. You can enter multiple smart hosts by repeating Step 3. When you're finished, click Next.
5. On the next page, in the Route mail through smart hosts section, select the authentication method that's
required by the smart host. Valid values are:
Offer basic authentication only after starting TLS Basic authentication that's encrypted with TLS. This
requires a server certificate on the smart host that
contains the exact FQDN of the smart host that's defined
on the Send connector.
This example creates the Internet Send connector named "Smart host to Internet" with the following
properties:
The usage type is Custom.
The Send connector uses smart host routing (the DNSRoutingEnabled parameter is set to the value
$false ). The smart host's IP address is 192.168.3.2, and the authentication method is None,
because the smart host is configured to listen for connections only from a restricted list of source
servers.
The Send connector is for all external domains (*). The value * is equivalent to the value
"SMTP:*;1" , where the address space type is SMTP , and the address space cost value is 1 .
The local Exchange server is the source server. We aren't using the SourceTransportServer
parameter, and the default value is the local Exchange server.
The Send connector isn't scoped to the local Active Directory site. We aren't using the
IsScopedConnector parameter, and the default value is $false . The Send connector is useable by all
Exchange transport servers in the Active Directory forest.
When you create Send connectors, outbound mail flows through the Send connector in the Transport service on
the Mailbox server or servers you specify, as shown in the following diagram.
However, you can configure a Send connector to relay or proxy outbound mail through the Front End Transport
service on the Mailbox server, as shown in the following diagram.
By default, all inbound mail enters your Exchange organization through the Front End Transport service, and the
Front End Transport service proxies inbound mail to the Transport service. For more information, see Mail flow
and the transport pipeline.
When you configure a Send connector to proxy outbound mail through the Front End Transport service, the
Receive connector named "Outbound Proxy Frontend <Mailbox server name>" in the Front End Transport
service listens for these outbound messages from the Transport service, and then the Front End Transport service
sends the messages to the Internet. This configuration can consolidate and simplify mail flow by having inbound
and outbound mail enter and leave your organization from the same place.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example configures the existing Send connector named "Contoso.com Outbound" to proxy outbound
mail.
Protocol logging records the SMTP conversations that occur between messaging servers and between Exchange
services in the transport pipeline as part of message delivery. You can use protocol logging to diagnose mail flow
problems. The SMTP conversations that can be recorded by protocol logging occur in the following locations:
Send connectors and Receive connectors in the Transport service on Mailbox servers.
Send connectors and Receive connectors in the Transport service on Edge Transport servers.
Receive connectors in the Front End Transport service on Mailbox servers.
The implicit and invisible intra-organization Send connector in the Transport service on Mailbox servers.
The implicit and invisible intra-organization Send connector in the Front End Transport service on Mailbox
servers.
The implicit and invisible intra-organization Send connector in the Mailbox Transport Submission service
on Mailbox servers.
The implicit and invisible Mailbox Delivery Receive connector in the Mailbox Transport Delivery service on
Mailbox servers.
By default, protocol logging is enabled on the following connectors:
The default Receive connector named Default Frontend <ServerName> in the Front End Transport service
on Mailbox servers.
The implicit and invisible Send connector in the Front End Transport service on Mailbox servers.
By default, protocol logging is disabled on all other connectors. You need to enable or disable protocol logging on
each individual connector. You configure other protocol logging options for all Receive connectors or all Send
connectors that exist in each individual transport service on the Exchange server. All Receive connectors in a
transport service share the same protocol log files and protocol log options. These files and options are separate
from the Send connector protocol log files and protocol log options in the same transport service on the
Exchange server.
By default, Exchange uses circular logging to limit the protocol log based on file size and file age to help control
the hard disk space that's used by the log files. To configure protocol logging, see Configure protocol logging.
Note: Protocol logging for side effect messages that are submitted after messages are delivered to
mailboxes occurs in %ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Delivery . For
example, a message that's delivered to a mailbox triggers an Inbox rule that redirects the message to
another recipient.
Transport service on Edge Transport servers:
Receive connectors: %ExchangeInstallPath%TransportRoles\Logs\Edge\ProtocolLog\SmtpReceive
The naming convention for log files is SENDyyyymmdd-nnnn.log for Send connectors and RECVyyyymmdd-nnnn.log for
Receive connectors. The placeholders represent the following information:
yyyymmdd is the coordinated universal time (UTC ) date when the log file was created. yyyy = year, mm =
month, and dd = day.
nnnn is an instance number that starts at the value 1 every day.
Information is written to the log file until the file reaches its maximum size. Then, a new log file that has an
incremented instance number is opened (the first log file is -1, the next is -2, and so on). Circular logging deletes
the oldest log files when either of the following conditions is true:
A log file reaches its maximum age.
The protocol log folder reaches its maximum size.
The protocol log files are text files that contain data in the comma-separated value file (CSV ) format. Each
protocol log file has a header that contains the following information:
#Software: The value is Microsoft Exchange Server .
#Version: Version number of the Exchange server that created the message tracking log file. The value
uses the format 15.01.nnnn.nnn .
#Log-Type: The value is either SMTP Receive Protocol Log or SMTP Send Protocol Log .
#Date: UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601
date-time format: yyyy-mm -ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the
beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z
signifies Zulu, which is another way to denote UTC.
#Fields: Comma-delimited field names that are used in the protocol log files.
session-id GUID value that's unique for each SMTP session, but is the
same for every event that's associated with that SMTP
session.
One SMTP conversation that represents sending or receiving a single email message generates multiple SMTP
events. Each event is recorded on a separate line in the protocol log. An Exchange server has many SMTP
conversations going on at any given time. This creates protocol log entries from different SMTP conversations
that are mixed together. You can use the session-id and sequence-number fields to sort the protocol log entries
by each individual SMTP conversation.
Configure protocol logging
8/23/2019 • 9 minutes to read • Edit Online
Protocol logging records the SMTP conversations that occur between messaging servers and between Exchange
services in the transport pipeline as part of message delivery.
The following options are available for the protocol logs of all Send connectors and Receive connectors on the
Exchange server:
Specify the location of the protocol log files. The default locations are:
Front End Transport service on Mailbox servers:
Receive connectors: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
Note: Protocol logging for side effect messages that are submitted after messages are delivered to
mailboxes occurs in
%ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpSend\Delivery . For example, a
message that's delivered to a mailbox triggers an Inbox rule that redirects the message to another
recipient.
Transport service on Edge Transport servers:
Receive connectors: %ExchangeInstallPath%TransportRoles\Logs\Edge\ProtocolLog\SmtpReceive
Specify a maximum size for the protocol log files. The default size is 10 megabytes (MB ).
Specify a maximum size for the protocol log files. The default size is 250 MB.
Specify a maximum age for the protocol log files. The default age is 30 days.
Don't perform this procedure on an Edge Transport server that has been subscribed to the Exchange
organization by using EdgeSync. Instead, make the changes in the Transport service on the Mailbox server.
The changes are then replicated to the Edge Transport server the next time EdgeSync synchronization
occurs.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example enables protocol logging for the Receive connector named Connection from Contoso.com on the
server named Mailbox01.
This example disables protocol logging for the Send connector named Connection to Internet.
Use the Exchange Management Shell to enable or disable protocol logging on the intra-organization Send
connector
Use this procedure to enable or disable protocol logging on the implicit and invisible intra-organization Send
connector that exists in the Transport service, the Front End Transport service, and the Mailbox Transport
Submission service on Mailbox servers. For more information about these connectors, see Implicit Send
connectors.
Protocol logging for the intra-organization Send connector occurs in the Send connector protocol logs for the
specified transport service. Note that the Transport service setting controls protocol logging for the intra-
organization Send connector in the Transport service and in the Mailbox Transport Submission service.
To enable or disable protocol logging on the intra-organization Send connector, use the following syntax in the
Exchange Management Shell:
<Set-TransportService | Set-FrontEndTransportService> <ServerIdentity> -IntraOrgConnectorProtocolLoggingLevel
<Verbose | None>
This example enables protocol logging on the intra-organization Send connector in the Transport service and in
the Mailbox Transport Submission service on the server named Mailbox01.
This example disables protocol logging on the intra-organization Send connector in the Front End Transport
service on the same server.
Use the Exchange Management Shell to enable or disable protocol logging on the mailbox delivery Receive
connector
Use this procedure to enable or disable protocol logging on the implicit and invisible mailbox delivery Receive
connector that exists in the Mailbox Transport Delivery service. Protocol logging for this connector occurs in the
Receive connector protocol logs for the Mailbox Transport Delivery service. For more information about this
connector, see Implicit Receive connectors in the Mailbox Transport Delivery service on Mailbox servers .
To enable or disable protocol logging on the mailbox delivery Receive connector, use the following syntax in the
Exchange Management Shell:
This example enables protocol logging on the mailbox delivery Receive connector on the server named
Mailbox01.
This example disables protocol logging on the mailbox delivery Receive connector on the same server.
2. Browse to the location of the protocol log. If you enabled protocol logging, verify that a log file exists, and
that the file is being updated for the connector. If you disabled protocol logging, verify that the latest log
file is no longer being updated for the connector.
This example sets the following protocol log settings in the Transport service on the server named Mailbox01:
Sets the location of protocol log for all Receive connectors to D:\Hub SMTP Receive Log and the location
for all Send connectors to D:\Hub SMTP Send Log. If the folder doesn't exist, it's created for you.
Sets the maximum size of a connector protocol log file for Receive connectors and Send connectors to 20
MB.
Sets the maximum size of the connector protocol log folder for Receive connectors and Send connectors to
400 MB.
Sets the maximum age of a protocol log file for Receive connectors and Send connectors to 45 days.
Notes:
Setting the SendProtocolLogPath or ReceiveProtocolLogPath parameters to the value $null effectively
disables protocol logging for all Send connectors or Receive connectors on the server. However, setting the
value to $null generates event log errors when protocol logging is enabled for any Send connector or
Receive connector on the server, including the intra-organization Send connector or the mailbox delivery
Receive connector.
Setting the ReceiveProtocolLogMaxAge or SendProtocolLogMaxAge parameters to the value 00:00:00
prevents the automatic removal of protocol log files because of their age.
How do you know this worked?
To verify that you have successfully used the Exchange Management Shell to configure the protocol logging
settings on an Exchange server, perform the following steps:
1. Run the following command in the Exchange Management Shell and verify the protocol log settings on the
Exchange server:
Write-Host "Front End Transport service:" -ForegroundColor yellow; Get-FrontEndTransportService |
Format-List ReceiveProtocolLog*,SendProtocolLog*; Write-Host "Mailbox Transport Submission and Mailbox
Transport Delivery services:" -ForegroundColor yellow; Get-MailboxTransportService | Format-List
ReceiveProtocolLog*,SendProtocolLog*; Write-Host "Transport service:" -ForegroundColor yellow; Get-
TransportService | Format-List ReceiveProtocolLog*,SendProtocolLog*
2. Open the location of the protocol log in Windows Explorer or File Explorer to verify that the log files exist,
that data is being written to the files, and that the files are being recycled based on the maximum file size
and maximum directory size values that you configured.
Mail routing in Exchange Server
8/23/2019 • 19 minutes to read • Edit Online
The primary task of the Transport service that exists on Mailbox servers in your Exchange organization is to route
messages received from users and external sources to their ultimate destinations. Routing decisions are made
during message categorization. The categorizer is a component of the Transport service that processes all
incoming messages and determines what to do with the message based on information about their destinations.
Routing in Exchange 2016 and Exchange 2019 is virtually unchanged from Exchange 2013. These are the notable
changes to routing compared to Exchange 2010:
Routing is fully aware of database availability groups (DAGs), and is able to use DAG membership in
routing decisions, even when the DAG members are in different Active Directory sites. For Mailbox servers
that don't belong to DAGs and for interoperability with previous versions of Exchange, Active Directory site
membership is still used in routing decisions.
The Transport service never communicates directly with a mailbox database. Instead, the Transport service
communicates with the Mailbox Transport service locally or on remote Mailbox servers. Only the Mailbox
Transport service communicates with the local mailbox database. When the Mailbox server is a member of
a DAG, only the Mailbox Transport service on the Mailbox server that holds the active copy of the mailbox
database accepts messages for the destination recipient.
Remote procedure calls (RPCs) are used only by the Mailbox Transport service to send messages to or
receive messages from the local mailbox database. When the Mailbox server is a member of a DAG, the
Mailbox Transport service only uses RPCs to communicate locally with the active copies of the mailbox
databases. In other words, RPC is never used for cross-server or cross-service communication. Instead, the
Mailbox Transport service and the Transport service always communicate using SMTP.
Exchange now uses more precise queuing for remote destinations. Instead of using one queue for all
destinations in a remote Active Directory site, Exchange now queues messages for specific destinations
within the Active Directory site, such as individual Send connectors.
Linked connectors are no longer available. A linked connector was a Receive connector that was linked to a
Send connector. All messages received by the Receive connector were automatically forwarded to the Send
connector.
Routing components
When a message is received by the Transport service on a Mailbox server, the message must be categorized. The
first phase of message categorization is recipient resolution. After the recipient has been resolved, the ultimate
destination can be determined. The next phase, routing, determines how to best reach that destination. Routing in
Exchange is generalized for increased flexibility and decreased complexity by using the concepts of routing
destinations and delivery groups.
Routing destinations
The ultimate destination for a message is called a routing destination. Regardless of the complexity of an Exchange
organization, there are surprisingly few routing destinations. They are:
A mailbox database: This is the routing destination for any recipient with a mailbox in the Exchange
organization. In Exchange 2013 or later, public folders are a type of mailbox, so routing messages to public
folder recipients is the same as routing messages to mailbox recipients.
A connector: A Send connector is used as a routing destination for SMTP messages based on the
configuration of the Send connector (address spaces, scoped or not, etc.). Similarly, a Delivery Agent
connector or Foreign connector is used as a routing destination for non-SMTP messages.
A distribution group expansion server: This is the routing destination when a distribution group has a
designated expansion server (a server that's responsible for expanding the membership list of the group). A
distribution group expansion server is an Exchange 2013 or later Mailbox server or an Exchange 2010 Hub
Transport server.
Note that these routing destinations existed in previous versions of Exchange, but they weren't called routing
destinations.
Delivery groups
A collection of one or more transport servers is responsible for delivering mail to each routing destination. This
collection of transport servers is called a delivery group. The term transport servers is used because the servers
could be a mixture of Exchange 2013 or later Mailbox servers (the Transport service) or Exchange 2010 Hub
Transport servers. The relationship between routing destinations and delivery groups is explained in the following
table:
Exchange 2013 or later mailbox databases Exchange 2013 or later Mailbox servers.
Exchange 2010 mailbox databases in Exchange 2016 Only Exchange 2010 Hub Transport servers.
organizations
Distribution group expansion servers Exchange 2013 or later Mailbox servers or Exchange 2010
Hub Transport servers.
How the message is routed depends on the relationship between the source delivery group and the destination
delivery group:
If the source and destination delivery group are the same, no routing decisions are required. The routing
destination is the next hop for the message.
If the source delivery group is outside the destination delivery group, routing decisions are required. The
message is relayed along the least-cost routing path to the destination delivery group. Depending on the
size and complexity of the Exchange environment, the message might be relayed through many transport
servers to reach the destination delivery group for delivery to the routing destination.
The different types of delivery groups that exist in Exchange 2016 are summarized in the following table.
Routable DAG • Exchange 2019 Mailbox Mailbox databases in the After the message arrives at
servers that belong to the DAG a Mailbox server in the DAG,
Exchange 2019 DAG. the Transport service routes
• Exchange 2016 Mailbox the message to the Mailbox
servers that belong to the Transport Delivery service on
Exchange 2016 DAG. the DAG member that holds
• Exchange 2013 Mailbox the active copy of the
servers that belong to the destination mailbox
Exchange 2013 DAG. database. The Mailbox
Transport Delivery service
then delivers the message to
the local mailbox database.
Although a DAG might
contain Mailbox servers
located in different Active
Directory sites, the DAG
defines the delivery group,
not the Active Directory site.
DELIVERY GROUP TYPE DELIVERY GROUP ROUTING DESTINATION COMMENTS
Mailbox delivery group Exchange 2013 or later Mailbox databases on Mailbox databases located
(Exchange 2013 or later) Mailbox servers in the Active Exchange 2013 or later on servers that don't belong
Directory site. servers in the Active to a DAG are serviced by the
Directory site that don't Transport service on Mailbox
belong to a DAG. servers in the same Active
Directory site.
After the message arrives on
an Mailbox server in the
Active Directory site, the
Transport service uses SMTP
to transfer the message to
the Mailbox Transport
Delivery service on the
Mailbox server that holds
the mailbox database. The
Mailbox Transport Delivery
service then delivers the
message to the local mailbox
database using RPC.
In other words, the following
mail delivery paths are
supported between the
different versions of
Exchange:
• Exchange 2019 Transport
service to Exchange 2016
Mailbox Transport Delivery
service to Exchange 2016
mailbox database.
• Exchange 2019 Transport
service to Exchange 2013
Mailbox Transport Delivery
service to Exchange 2013
mailbox database.
• Exchange 2016 Transport
service to Exchange 2019
Mailbox Transport Delivery
service to Exchange 2019
mailbox database.
• Exchange 2016 Transport
service to Exchange 2013
Mailbox Transport Delivery
service to Exchange 2013
mailbox database.
• Exchange 2013 Transport
service to Exchange 2019
Mailbox Transport Delivery
service to Exchange 2019
mailbox database.
• Exchange 2013 Transport
service to Exchange 2016
Mailbox Transport Delivery
service to Exchange 2016
mailbox database.
DELIVERY GROUP TYPE DELIVERY GROUP ROUTING DESTINATION COMMENTS
Mailbox delivery group Exchange 2010 Hub Mailbox databases on Mailbox databases located
(Exchange 2010) Transport servers in the Exchange 2010 Mailbox on Exchange 2010 Mailbox
Active Directory site. servers in the Active servers are serviced by the
Directory site. Exchange 2010 Hub
Transport servers in the
same Active Directory site.
After the message arrives at
a random Exchange 2010
Hub Transport server in the
Active Directory site, the
store driver on the Hub
Transport server uses RPC to
write the message to the
mailbox database.
Connector source server A mixture of any Exchange A Send connector, Delivery If the connector is scoped
2013 or later Mailbox Agent connector, or Foreign (that is, restricted to
servers or Exchange 2010 connector. transport servers in the
Hub Transport servers that same Active Directory site),
are defined as source then only other transport
transport servers for the servers in that site are aware
connector. of the connector, and can
use the connector to route
mail.
If the connector isn't scoped,
then all transport servers in
the entire Active Directory
forest are aware of the
connector, and can use the
connector to route mail.
Server list The Exchange 2013 or later The distribution group none
Mailbox server or Exchange expansion server.
2010 Hub Transport server
that's defined as the
expansion server for the
distribution group.
DELIVERY GROUP TYPE DELIVERY GROUP ROUTING DESTINATION COMMENTS
AD site Any mixture of Exchange None. The message must This delivery group type is
2013 or later Mailbox travel through the Active the only routing scenario in
servers or Exchange 2010 Directory site on the way to Exchange 2013 or later
Hub Transport servers that the actual routing where delayed fan-out is
exist in: destination. still used. Delayed fan-out
• Active Directory sites that attempts to reduce the
are configured as hub sites. number of message
• Active Directory sites that transmissions when multiple
have subscribed Edge routing destinations share
Transport servers. part of the least-cost
routing path.
Hub sites are used only if
the Active Directory site
exists along the least-cost
routing path for the
message. br/> For Edge
Transport servers, the
Transport service on any
Mailbox server in the
subscribed Active Directory
site is able to send messages
to the Edge Transport server,
regardless of whether that
server participates in
EdgeSync synchronization.
For more information, see
Edge Transport servers.
NOTE
Delivery group membership isn't mutually exclusive. For example, a Mailbox server that's a member of a DAG can also be the
source transport server of a Send connector. The Mailbox server belongs to the routable DAG delivery group for the mailbox
databases in the DAG, and the connector source server delivery group for the Send connector.
Queues
From the perspective of the sending transport server, each message delivery queue represents the destination for
a particular message. When the Transport service selects the destination for a message, the destination is stamped
on the recipient as the NextHopSolutionKey attribute. If a single message is sent to more than one recipient,
each recipient has the NextHopSolutionKey attribute. The receiving transport server also performs message
categorization and queues the message for delivery. After a message is queued, you can examine the delivery type
for a particular queue to determine whether a message will be relayed again when it reaches the next hop
destination. Every unique value of the NextHopSolutionKey attribute corresponds to a separate message
delivery queue.
For more information, see NextHopSolutionKey.
Routing messages
When a message needs to be delivered to a remote delivery group, a routing path must be determined for the
message. Exchange uses the following logic to select the routing path for a message. This logic is basically
unchanged from Exchange 2010:
1. Calculate the least-cost routing path by adding the cost of the IP site links that must be traversed to reach
the destination. If the destination is a connector, the cost assigned to the address space is added to the cost
to reach the selected connector. If multiple routing paths are possible, the routing path with the lowest
aggregate cost is used.
Note: Size limits on connectors are a factor here. Connectors that are configured with message sizes limits
smaller than the size of the message are eliminated from consideration. For more information, see
Connector selection in external message routing.
2. If more than one routing path has the same aggregate cost, the number of hops in each path is evaluated
and the routing path with the least number of hops is used.
3. If more than one routing path is still available, the name assigned to the Active Directory sites before the
destination is considered. The routing path where the Active Directory site nearest the destination is lowest
in alphanumeric order is used. If the site nearest the destination is the same for all routing paths being
evaluated, an earlier site name is considered.
In Exchange 2010, each message recipient is associated with only one Active Directory site, and there is only one
least cost routing from the source Active Directory site to the destination site. In Exchange 2013 or later, a delivery
group might span multiple Active Directory sites, and there might be multiple least-cost routing paths to those
sites. Exchange designates a single Active Directory site in the destination delivery group as the primary site. The
primary site is closest Active Directory site based on the routing logic described earlier. To successfully route
messages between delivery groups, Exchange takes the following issues into consideration:
The presence of one or more hub sites along the least-cost routing path: If the least-cost routing
path to the primary site contains any hub sites, the message must be routed through the hub sites. The
closest hub site along the least-cost routing path is selected as a new delivery group of the type AD site,
which includes all transport servers in the hub site. After the message traverses the hub site, routing of the
message along the least-cost routing path continues. If the primary site happens to be a hub site, the
primary site is still considered a hub site for the following reasons:
If the destination delivery group spans multiple Active Directory sites, the source server should only
attempt to connect to the servers in the hub site.
The servers in the hub site that belong to the target delivery group are preferred.
As in previous version of Exchange, hub sites that aren't in the least-cost routing path to the primary
site are ignored.
The target Exchange server to select in the destination routing group: When the destination delivery
group spans multiple Active Directory sites, the routing path to specific servers within the delivery group
might have different costs. Servers located in the closest Active Directory site are selected as the target
servers for the delivery group based on the least-cost routing path, and the Active Directory site those
servers are in is selected as the primary site.
Fallback options when connection attempts to all servers in the destination routing group fail: If
the destination delivery group spans multiple Active Directory sites, the first fallback option is all other
servers in the destination delivery group in other Active Directory sites that aren't selected as target
servers. Server selection is based on the least-cost routing path to the other Active Directory sites. If the
destination delivery group has any servers in the local Active Directory site, there are no other fallback
options because the message is already as close to the target routing destination as possible. If the
destination delivery group has servers in remote Active Directory sites, the option is to try to connect to all
other servers in the primary site. If that fails, a backoff path in the least-cost routing path to the primary site
is used. Exchange tries to deliver the message as close to the destination as possible by backing off, hop by
hop, along the least-cost routing path until a connection is made.
Routing messages between Active Directory sites
The way that Exchange routes messages between Active Directory sites is virtually the same as Exchange 2010.
For more information, see Route Mail Between Active Directory Sites.
Routing in the Front End Transport service on Mailbox servers
The Front End Transport service acts as a stateless proxy for all inbound and (optionally) outbound external SMTP
traffic for the Exchange organization. For outgoing messages, the Transport service communicates with the Front
End Transport service only when it's specifically configured to do so. For more information, see Configure Send
connectors to proxy outbound mail.
For incoming messages, the Front End Transport service must quickly find a single, healthy Transport service to
receive the message transmission, regardless of the number or type of recipients. Failure to do so results in the
email service being perceived as unavailable by the sending server. Like the Transport service, the Front End
Transport service loads routing tables based on information from Active Directory, and uses delivery groups to
determine how to route messages. However, the routing tables used by the Front End Transport service have the
following unique characteristics:
The Front End Transport service is never considered a member of a delivery group, even when the Mailbox
server and the Client access server are installed on the same physical server (which is always the case in
Exchange 2016 or later). This forces the Front End Transport service to communicate only with the
Transport service.
The routing tables don't contain any Send connector routes.
The routing tables contain a special list of Mailbox servers in the local Active Directory site for fast fail-over
purposes.
Routing in the Front End Transport service resolves message recipients to mailbox databases. The list of Mailbox
servers used by the Front End Transport service is based on the mailbox databases of the message recipients.
Note that it's possible that none of the recipients have mailboxes, for example, if the recipient is a distribution
group or a mail user. For each mailbox database, the Front End Transport service looks up the delivery group and
the associated routing information. The delivery groups used by the Front End Transport service are:
Routable DAG
Mailbox delivery group
AD site
Depending on the number and type of recipients, the Front End Transport service performs one of the following
actions:
For messages with a single mailbox recipient, select a Mailbox server in the target delivery group, and give
preference to the Mailbox server based on the proximity of the Active Directory site. Routing the message
to the recipient might involve routing the message through a hub site.
For messages with multiple mailbox recipients, use the first 20 recipients to select a Mailbox server in the
closest delivery group, based on the proximity of the Active Directory site. Note that message bifurcation
doesn't occur in Front End Transport, so only one Mailbox server is ultimately selected, regardless of
number of recipients in a message.
If the message has no mailbox recipients, select a random Mailbox server in the local Active Directory site.
Routing in the Mailbox Transport service on Mailbox servers
The Mailbox Transport service consists of two separate services: the Mailbox Transport Submission service and
Mailbox Transport Delivery service. The Mailbox Transport Delivery service receives SMTP messages from the
Transport service, and connects to the local mailbox database by using RPC to deliver the message. The Mailbox
Transport Submission service connects to the local mailbox database by using RPC to retrieve messages, and
submits the messages over SMTP to the Transport service. The Mailbox Transport service is stateless, and doesn't
use message delivery queues.
Like the Transport service, the Mailbox Transport service loads routing tables based on information from Active
Directory, and uses delivery groups to determine how to route messages. However, there are routing aspects that
are unique to the Mailbox Transport service:
Because the Transport service and the Mailbox Transport service exist on the same Mailbox server, the
Mailbox Transport service always belongs to the same delivery group as the Mailbox server. This delivery
group is referred to as the local delivery group.
The Mailbox Transport Submission service doesn't automatically send messages to the Transport service on
the local Mailbox server or on other Mailbox servers in its own local delivery group. The Mailbox Transport
Submission service has access to the same routing topology information as the Transport service, so the
Mailbox Transport submission service can send messages to the Transport service on Mailbox servers
outside the delivery group. The Mailbox servers in the local delivery group are used as fallback options, and
for delivery to non-mailbox recipients.
The Mailbox Transport service only communicates with the Transport service on Mailbox servers.
The Mailbox Transport service only communicates with local mailbox databases. The Mailbox Transport
service never communicates with mailbox databases on other Mailbox servers.
When a user sends a message from their mailbox, the Mailbox Transport Submission service resolves the message
recipients to mailbox databases. The list of Mailbox servers used by the Mailbox Transport Submission service is
based on the mailbox databases of the message recipients. Note that it's possible that none of the recipients have
mailboxes, for example, if the recipient is a distribution group or a mail user. For each mailbox database, the
Mailbox Transport Submission service looks up the delivery group and the associated routing information. The
delivery groups used by the Mailbox Transport Submission service are:
Routable DAG
Mailbox delivery group
AD site
Depending on the number and type of recipients, the Mailbox Transport Submission service performs one of the
following actions:
For messages with a single mailbox recipient, select a Mailbox server in the target delivery group, and give
preference to the Mailbox server based on the proximity of the Active Directory site. Routing the message
to the recipient might involve routing the message through a hub site.
For messages with multiple mailbox recipients, use the first 20 recipients to select a Mailbox server in the
closest delivery group, based on the proximity of the Active Directory site.
If the message has no mailbox recipients, select a Mailbox server in the local delivery group.
When the Mailbox Transport Delivery service receives a message from the Transport service, it accepts or rejects
the message for delivery to a local mailbox database. The Mailbox Transport Delivery service can deliver the
message if the recipient resides in an active copy of a local mailbox database. But, if the recipient doesn't reside in
an active copy of a local mailbox database, the Mailbox Transport Delivery service can't deliver the message, and
must provide a non-delivery response to the Transport service. For example, if the active copy of the mailbox
database recently moved to another server, the Transport service might erroneously transmit a message to a
Mailbox server that now holds an inactive copy of the mailbox database. The non-delivery responses that the
Mailbox Transport Delivery service returns to the Transport service include:
Retry delivery
Generate an NDR (also known as a non-delivery report, delivery status notification, DSN, or bounce
message)
Reroute the message
Routing in the Transport service on Edge Transport servers
The Transport service on Edge Transport servers provides SMTP relay and smart host services for all Internet mail
flow. Messages that come and go from the Internet are stored in message delivery queues on the Edge Transport
server. The queues correspond to external domains or Send connectors. For more information, see
NextHopSolutionKey.
Typically, when you install an Edge Transport server in your perimeter network, you subscribe the Edge Transport
server to an Active Directory site. The Active Directory site contains the Mailbox servers that relay messages to
and from the Edge Transport server. The Edge Subscription process creates an Active Directory site membership
affiliation for the Edge Transport server. The site affiliation enables the Mailbox servers in the Active Directory site
to relay messages to the Edge Transport server without having to configure explicit Send connectors.
In organizations that have Exchange servers in multiple Active Directory sites, outbound mail from internal
recipients to external recipients is first routed to the subscribed Active Directory site. Transport servers in the
target Active Directory site are the delivery group. The routing destination is the intra-organization Send
connector in the Transport service on any of the Mailbox servers in the subscribed Active Directory site. The intra -
organization Send connector is special Send connector that exists in the Transport service on every Mailbox
server. This Send connector is implicitly created, invisible, requires no management, and is used to relay messages
between Exchange servers.
For more information about how mail is routed to and from Edge Transport servers, see Mail flow and the
transport pipeline.
Connector selection in external message routing
8/23/2019 • 4 minutes to read • Edit Online
Like previous versions of Exchange, Exchange Server 2016 and Exchange Server 2019 use connectors to deliver
messages to external recipients (recipients that don't exist in the Exchange organization). Exchange uses Send
connectors to route messages to external SMTP domains. If the external recipient isn't on an SMTP messaging
system, Exchange uses Delivery Agent connectors or Foreign connectors.
For more information about the different types of connectors, see Connectors. For more information about how
Exchange makes routing decisions, see Mail routing.
State (enabled or disabled) Only enabled connectors are used in routing decisions. If a
connector is disabled, it's not considered when routing
messages.
Address space The address spaces defines the destination domains or other
address spaces that are serviced by the connector. When
Exchange selects a connector for routing a message, it only
considers connectors that have a matching address space. If
more than one connector matches the destination address
space, the connector with the more precise address match is
selected.
Address space type By default, the address space type on a new Send connector is
SMTP. If you specify a non-SMTP address space, the messages
are still sent to the destination (a smart host) by using SMTP.
You need to create a Delivery Agent connector or a Foreign
connector to route non-SMTP messages to non-SMTP
messaging servers without using SMTP.
Address space cost You use the cost value on the address space for mail flow
optimization and fault tolerance when the same address space
is configured on multiple connectors. A lower cost value
indicates a preferred connector.
CONNECTOR SETTING COMMENTS
Source server At least one Mailbox server or Edge Transport server must be
configured to host the connector. You can configure multiple
source servers to provide load balancing and fault tolerance
for the address spaces that are defined on the connector.
Message size limits A message size restriction on a connector can eliminate the
connector from selection if the message is larger than the
maximum size that's allowed on the connector.
Recipient resolution is when the Exchange server expands and resolves all recipients in a message. Recipient
resolution is responsible for these actions:
Matching the recipient to the corresponding Active Directory object.
Expanding distribution groups into a list of individual recipients.
Applying message limits and any alternative recipients to each recipient.
Recipient resolution in Exchange 2016 or Exchange 2019 is basically unchanged from Exchange 2013. Recipient
resolution is done by the categorizer in the Transport service on Mailbox servers. Each message is processed by
the categorizer after the message is put in the Submission queue, but before the message is put in a delivery
queue. The component of the categorizer that's responsible for recipient resolution is frequently called the resolver.
For more information about the categorizer and the Submission queue, see Understanding the Transport service
on Mailbox servers.
This topic explains the various stages and components of recipient resolution that occur on the Exchange server.
Top-level resolution
Top -level resolution is the first stage of recipient resolution that associates each recipient in an incoming message
to a matching recipient object in Active Directory. The categorizer creates a list that contains the sender and the
initial, unexpanded recipient email addresses from the message, and uses that list to query Active Directory. When
a match is found in the email address properties for mail-enabled Active Directory objects, the categorizer caches
the properties of the objects, and enforces any sender message restrictions.
Recipient email addresses
Top-level resolution begins with a message and the initial, unexpanded list of recipients from the message
envelope. The message envelope contains the SMTP commands that are used to transmit messages between
messaging servers:
The sender's email address is contained in the MAIL FROM command.
Each recipient's email address is contained in a separate RCPT TO command.
The envelope sender and envelope recipients are typically created from the sender and recipients in the To: ,
From: , Cc: , and Bcc: header fields in the message header. However, these header fields are easily forged and
may not match the actual sender or recipient email addresses that were used to transmit the message.
Encapsulated email addresses
Standard SMTP email addresses follow the specifications in RFC 5321 and RFC 5322 (for example
chris@contoso.com). However, an email address can also be a non-SMTP address that's encapsulated in an SMTP
address. Exchange supports the Internet Mail Connector Encapsulated Address (IMCEA) encapsulation method
that replaces characters that would be invalid in an SMTP email address with valid characters.
IMCEA addresses use the syntax IMCEA<Type>-<address>@<domain> :
<Type> identifies the type of non-SMTP address (for example EX , X400 , or FAX ). Although SMTP and
X500 are theoretically valid values for <Type>, Exchange recipient resolution rejects any IMCEA -encoded
addresses that use either of these types.
<address> is the encoded version of original address:
Alphanumeric characters, the equal sign (=) and the hyphen (-) aren't replaced.
Forward slashes (/) are replaced by underscores (_).
Other US -ASCII characters are replaced by a plus sign (+) and the two digits of the ASCII value in
hexadecimal (for example, the space character has the encoded value +20 ).
<domain> is SMTP domain that's used to encapsulate the non-SMTP address (for example, contoso.com).
IMCEA addresses are returned to their original values (unencapsulated) only when the domain matches the default
accepted domain in the Exchange organization. For more information about the default accepted domain, see
Default domain.
The maximum length for an SMTP email address in Exchange is 571 characters. This limit includes:
315 characters for the name part of the address
255 characters for the domain name
The at sign (@) character that separates the name from the domain name
Exchange doesn't support IMCEA-encoded messages where the name part of the address exceeds 315 characters,
even if the complete email address is less than 571 characters.
Address resolution
For each message, the sender's email address and all recipient addresses are added to a list that's used to query
Active Directory. Any encapsulated addresses are unencapsulated before they're added to the list. The Active
Directory query is performed on up to 20 email addresses at a time. If the query encounters transient errors, the
message is returned to the Submission queue and deferred for the time that's specified by the
ResolverRetryInterval key in the %ExchangeInstallPath%Bin\EdgeTransport.exe.config XML application configuration
file that's associated with the Transport service. The default value is 30 minutes.
The Active Directory recipient objects that are used by Exchange are described in the following table. For more
information about Exchange recipient types, see Recipients.
MailPublicFolder A public folder object that has an email address. For more
information, see Public folders.
SystemMailbox A user object that has an email address and is located in the
Microsoft Exchange System Objects container. There should be
one system mailbox for each mailbox database in the
Exchange organization.
The Active Directory query classifies an object with missing or malformed critical properties as an invalid object
(for example, a dynamic distribution group object without an email address). Messages sent to recipients that are
classified as invalid objects generate a non-delivery report (also known as an NDR or bounce message).
For each email address, the categorizer does a single initial query for all possible recipient properties (for example,
the recipient identifiers, recipient type, message limits, email addresses, and alternative recipients). The applicable
recipient properties are cached for later use. Recipient resolution classifies recipients based on similarities in how
the recipients are resolved, and the similarity of the applicable recipient properties.
The LDAP filter that's used for address resolution depends on the recipient's email address:
For the EX email address type, the LDAP filter is based on the recipient's legacyExchangeDN attribute
(higher priority) or the recipient's proxyAddresses attribute (lower priority).
For all other email addresses types, the recipient proxyAddresses attribute is used as the LDAP filter.
If the email address doesn't match the recipient's primary SMTP address, the categorizer rewrites the email
address in the message to match the primary SMTP address. The original email address is saved in the ORCPT=
entry in the RCPT TO command in the message envelope.
Sender message restrictions
The size of a message can change because of content conversion, encoding, and agent processing. When a
message enters the Exchange organization, the original size of the message is recorded in the X-MS -Exchange-
Organization-OriginalSize: header field in the message header. The lower value of the current message size or
the original message size is used to enforce sender message size limits. If the original message size header field
doesn't exist, it's created using the current size of the message. If the message is too large, it's returned to the
sender in an NDR, and additional message processing is stopped.
The sender recipient limit is only enforced in the Transport service on the first Mailbox server that processes the
message. The original, unexpanded message envelope recipient count is compared to the sender recipient limit.
The message sender and all recipients are marked as resolved by stamping an extended property in the message.
This extended property allows the message to bypass top-level resolution if the message goes through recipient
resolution again (for example, because the Exchange Transport service restarted.
Expansion
Expansion occurs after top-level resolution. Expansion completely expands nested levels of recipients into
individual recipients. Expansion may require multiple trips through the expansion process to expand all recipients.
Not all recipients have to be expanded. However, all recipients go through the expansion process to enforce
recipient message restrictions for all kinds of recipients.
The types of recipients that require expansion are described in this list:
Distribution groups and dynamic distribution groups: Distribution groups are expanded based on the
memberOf Active Directory property. Dynamic distribution groups are expanded by using the Active
Directory query definition. If the ExpansionServer parameter is set on the group in the Exchange
Management Shell, the group is routed to the specified server for expansion.
Note: When you specify an expansion server for a group, the group becomes dependent on the availability
of the expansion server (messages can't be delivered to the group if the expansion server is unavailable).
Therefore, consider implementing high availability solutions for expansion servers.
Alternative recipients: You can configure mailboxes and mail-enabled public folders to forward messages
to other recipients:
Mailboxes: You can configure forwarding to another recipient in the Exchange organization, or to an
external email address. For more information, see Configure email forwarding for a mailbox.
Mail-enabled public folders: You can configure forwarding to another recipient in the Exchange
organization.
You can configure the mailbox or mail-enabled public folder to only send messages to the forwarding
address, or to the forwarding address and the original recipient.
Contact chains: A contact chain is a mail user or mail contact where the external email address is set to the
email address of another recipient in the Exchange organization.
Recipient loop detection
As groups, alternative recipients, and contacts chains are expanded, the categorizer checks for recipient loops. A
recipient loop is a configuration problem that causes message delivery to the same recipients in an endless circle.
The different types of recipient loops are described in this list:
Harmless recipient loop: These are the two scenarios when harmless recipient can loops occur:
When two groups contain one another as members.
When mailboxes or mail-enabled public folders are set to deliver and forward to one another (the
message is delivered to the original recipient and forwarded).
When the categorizer detects a harmless recipient loop, the message is delivered to the recipient, but
no additional attempts are made to deliver the message to the same recipient.
Broken recipient loop: When mailboxes or mail-enabled public folders are set to forward to one another
(the messages are only forwarded).
A broken recipient loop can't result in successful message delivery. When the categorizer detects a broken
recipient loop, expansion activity for the current recipient stops, and an NDR is generated.
Recipient loop detection doesn't prevent duplicate message delivery. For example, consider this scenario:
Distribution Group A has Distribution Group B and Distribution Group C as members.
Distribution Group C is also a member of Distribution Group B.
In this scenario, Distribution Group C will experience duplicate message delivery.
Delivery report redirection for groups
When a group is expanded, the message type is checked to see if it's a delivery report message. If the message is a
delivery report, the redirection settings of the group are checked to see if redirection of the delivery report is
required. You may want to suppress delivery reports for the group because a delivery report might disclose
unwanted information about the membership of the group.
The delivery report redirection settings that are available in the Exchange Management Shell for distribution
groups and dynamic distribution groups are described in this list:
ReportToManagerEnabled parameter: Enables or disables sending delivery reports to the group
manager. Valid values are $true or $false . The default value is $false . For a distribution group, the
manager is controlled by the ManagedBy parameter on the Set-Group (distribution groups), or Set-
DynamicDistributionGroup (dynamic distribution groups) cmdlets.
ReportToOriginatorEnabled parameter: Enables or disables sending delivery reports to the message
sender for messages that are sent to the group. Valid values are $true or $false . The default value is
$true .
The different types of delivery report messages that can be affected by delivery report redirection for groups are
described in this list:
Delivery receipt (DR): Confirms that a message was delivered to its intended recipient.
Delivery status notification (DSN ): Describes the result of an attempt to deliver a message that didn't
result in the message being returned to the sender in an non-delivery report (NDR ). For more information
about DSN messages, see DSNs and NDRs in Exchange Server.
Message disposition notification (MDN ): Describes the status of a message after it has been
successfully delivered to a recipient. Read notifications (RNs) and non-read notification (NRNs) are both
examples of MDN messages. MDN messages are defined in RFC 2298 and are controlled by the
Disposition-Notification-To: header field in the message header. MDN settings that use this header field
are compatible with many different kinds of messaging servers. MDN settings can also be defined by using
MAPI properties in Outlook and Exchange.
Non-delivery report (NDR): Indicates to the message sender that the message couldn't be delivered to
the specified recipients. The message is returned to the sender in the NDR.
Non-read notification (NRN ): Indicates that a message was deleted before it was read.
Out of office (OOF): Indicates that the recipient won't respond to email messages. The acronym OOF
dates back to the original Microsoft messaging system where the corresponding notification was named
"out of facility."
Read notification (RN ): Indicates that a message was read.
Recall Report: Indicates the status of a recall request for a specific recipient (the sender tried to recall a sent
message by using Outlook).
These are the settings that cause delivery report messages to be deleted when they're sent to a group:
Report redirection isn't configured for the group, or report redirection is set to the message sender.
Report redirection is set to the group manager, and the delivery report message isn't an NDR.
If report redirection is set to the group manager, and the delivery report message is an NDR, the message is
delivered to the group manager.
The affect of group delivery report redirection settings on regular messages that contain report requests are
described in this list:
If report redirection is set to the message sender, the report request settings aren't modified.
If report redirection isn't configured for the group, all report requests are suppressed. The NOTIFY=NEVER
entry is added to RCPT TO for each recipient in the message envelope.
If report redirection is set to the group manager, NDRs are sent to the group manager, but all other report
requests are suppressed.
Message restrictions on recipients
The expansion process also enforces any message restrictions that are configured on recipients. These restrictions
may be configured individually for each recipient or organizationally for all servers in the Exchange organization.
For more information on message size limits, see Recipient limits and Organizational limits.
EXCHANGE MANAGEMENT
RESTRICTION EAC CONFIGURATION SHELL CONFIGURATION DESCRIPTION
Maximum size of a message Organization: Mail flow > Organization cmdlet: Set- Specifies the maximum size
received Receive connectors > TransportConfig of a message, which includes
More options > Recipient cmdlets: Set- the message header, the
Organization transport DistributionGroup, Set- message body, and any
settings > Limits tab > DynamicDistributionGrou attachments. Whenever
Maximum receive p, Set-Mailbox, Set- Exchange checks the
message size (MB) MailContact, Set- message size, the lower
Mailboxes: Recipients > MailPublicFolder, and Set- value of the current message
Mailboxes > select the MailUser size or the original message
mailbox > Edit > Parameter: MaxReceiveSize size (the X-MS-Exchange-
Mailbox features > Mail Organization-
flow section > Message OriginalSize: message
size restrictions section > header) is used. The size of
View details > Received the message can change
messages section > because of content
Maximum message size conversion, encoding, and
(KB) transport agent processing.
Mail users: Recipients > Note: The specified
Contacts > select the mail maximum message size is
user > Edit > Mail flow inflated by approximately
settings > Message size 33% to account for Base64
restrictions section > View encoding (for example, the
details > Received specified value 64 MB results
messages section > in a realistic maximum
Maximum message size message size of
(KB) approximately 48 MB).
For more information, see
Message size limits in
Exchange Server.
EXCHANGE MANAGEMENT
RESTRICTION EAC CONFIGURATION SHELL CONFIGURATION DESCRIPTION
The recipient can only accept Mailboxes: Recipients > Cmdlets: New- You can configure the
messages from internal Mailboxes > select the DistributionGroup, Set- recipient to only accept
senders, and must reject mailbox > Edit > DistributionGroup, Set- messages from
messages from external Mailbox features > Mail DynamicDistributionGrou authenticated (internal)
senders flow section > Message p, Set-Mailbox, Set- senders, or to accept
delivery restrictions MailContact, Set- messages from
section > View details > MailPublicFolder, Set- authenticated and
Accept messages from MailUser, and Set- unauthenticated (external)
section > check or uncheck RemoteMailbox senders.
Require that all senders Parameter:
are authenticated RequireSenderAuthenticatio
Remote mailboxes: nEnabled
Recipients > Mialboxes >
select the Office 365 mailbox
> Edit > Mail flow
settings > Message
delivery restrictions
section > View details >
Accept messages from
section > check or uncheck
Require that all senders
are authenticated
Mail users: Recipients >
Contacts > select the mail
user > Edit > Mail flow
settings > Message
delivery restrictions
section > View details >
Accept messages from
section > check or uncheck
Require that all senders
are authenticated
Groups: Recipients >
Groups > select the group
> Edit > Delivery
management > select Only
senders inside my
organization or Senders
inside and outside of my
organization
EXCHANGE MANAGEMENT
RESTRICTION EAC CONFIGURATION SHELL CONFIGURATION DESCRIPTION
Senders who are allowed or Mailboxes: Recipients > Cmdlets: Set- The categorizer checks the
aren't allowed to send Mailboxes > select the DistributionGroup, Set- recipient permission in two
messages to the recipient mailbox > Edit > DynamicDistributionGrou passes. The first pass
Mailbox features > Mail p, Set-Mailbox, Set- determines whether the
flow section > Message MailContact, Set- sender is present in the
delivery restrictions MailPublicFolder, Set- accept or reject lists. If the
section > View details > MailUser, and Set- sender isn't found in either
Accept messages from RemoteMailbox list, the distribution groups
section: All senders or Only Accept parameters: in those parameters are fully
senders in the following AcceptMessagesOnlyFromSe expanded. This complete
list or Reject messages ndersOrMembers (or group expansion might take
from section: No senders AcceptMessagesOnlyFrom some time, so we
or Senders in the for individual recipients only recommend that you
following list and minimize the depth of
Remote mailboxes: AcceptMessagesOnlyFromD nested groups in the accept
Recipients > Mialboxes > LMembers for group or reject lists.
select the Office 365 mailbox members only)
> Edit > Mail flow Reject parameters:
settings > Message RejectMessagesFromSenders
delivery restrictions OrMembers (or
section > View details > RejectMessagesOnlyFrom
Accept messages from for individual recipients only
section: All senders or Only and
senders in the following RejectMessagesOnlyFromDL
list or Reject messages Members for group
from section: No senders members only)
or Senders in the
following list
Mail users: Recipients >
Contacts > select the mail
user > Edit > Mail flow
settings > Message
delivery restrictions
section > View details >
Accept messages from
section: All senders or Only
senders in the following
list or Reject messages
from section: No senders
or Senders in the
following list
Groups: Recipients >
Groups > select the group
> Edit > Delivery
management > click Add
or Remove to specify
users or group members
who can send to the group
(messages from others
senders are rejected).
Certain types of messages that are sent by authenticated senders are exempt from restrictions. The following list
describes the messages that are exempt from recipient restrictions:
Messages sent by the Microsoft Exchange recipient: These messages include DSNs and NDRs , journal
reports, quota messages, and other system-generated messages that are sent to internal message senders.
For more information about the Microsoft Exchange recipient, see Recipients.
Messages sent by the external postmaster address: These messages include DSNs and NDRs, and
other system-generated messages that are sent to external message senders. For more information about
the external postmaster address, see Managing the External Postmaster Address.
Exchange blocks certain types of messages that are sent to external domains (for example, internal OOF messages,
automatic replies, and meeting forward notifications). You configure these settings in remote domains (the default
remote domain, or remote domains for specific external domains). For more information, see Managing Remote
Domains.
Cau t i on
We recommend that you don't modify the value of the ExpansionSizeLimit key on an Exchange transport server in
a production environment.
NOTE
Any customized Exchange or Internet Information Server (IIS) settings that you made in Exchange XML application
configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be
overwritten when you install an Exchange CU. Be sure save this information so you can easily re-apply the settings after the
install. After you install the Exchange CU, you need to re-configure these settings.
Transport high availability in Exchange Server
8/23/2019 • 3 minutes to read • Edit Online
In Exchange Server, transport high availability is responsible for keeping redundant copies of messages before
and after the messages are successfully delivered. These features were introduced in Exchange 2013 as
improvements to the transport high availability features in Exchange 2010 (for example, shadow redundancy and
the transport dumpster) to help ensure messages aren't lost in transit.
Key features that improve transport high availability in Exchange 2013, Exchange 2016, and Exchange 2019 over
Exchange 2010 include:
Shadow redundancy creates a redundant copy of the message on another server before the message is
accepted or acknowledged. The sending server's support or lack of support for shadow redundancy is
irrelevant.
Shadow redundancy recognizes both database availability groups (DAGs) and Active Directory sites as
transport high availability boundaries. This reduces the number of servers that can hold redundant copies
of messages, and eliminates unnecessary redundant message maintenance traffic across DAGs or Active
Directory sites.
For more information, see Shadow redundancy in Exchange Server.
The transport dumpster has been improved and is now named Safety Net. Safety Net stores messages that
were successfully processed by the Transport service on Mailbox servers. Safety Net works best for Mailbox
servers in a DAG, but Safety Net also works for multiple Mailbox servers in the same Active Directory site
that don't belong to a DAG.
Safety Net itself is now made redundant on another server. This is important to avoid a single point of
failure, because the Transport service and the mailbox databases are both located on the Mailbox server.
For more information, see Safety Net in Exchange Server.
This diagram provides a high-level overview of how transport high availability works in Exchange Server.
1. An Exchange Mailbox server named Mailbox01 receives a message from an SMTP server that's outside the
transport high availability boundary. The transport high availability boundary is a DAG or an Active
Directory site in non-DAG environments. The message could come from:
An internal third-party messaging server.
An Internet messaging server that's proxied through the Front End Transport service on a Mailbox
server.
Another Exchange server in your organization.
2. Before acknowledging receipt of the message, Mailbox01 initiates a new SMTP session to another
Exchange Mailbox server named Mailbox03 that's within the Transport high availability boundary, and
Mailbox03 makes a shadow copy of the message. In DAG environments, a shadow server in a remote
Active Directory site is preferred. Mailbox01 is the primary server holding the primary message, and
Mailbox03 is the shadow server holding the shadow message.
3. The Transport service on Mailbox01 processes the primary message.
a. In this example, the recipient's mailbox is located on Mailbox01, so the Transport service transmits the
message to the local Mailbox Transport service.
b. The Mailbox Transport service delivers the message to the local mailbox database.
c. Mailbox01 queues a discard status for Mailbox03 that indicates the primary message was successfully
processed, and Mailbox01 moves a copy of the primary message into the local Primary Safety Net. Note
that the message moves between queues within the same queue database.
4. Mailbox03 periodically polls Mailbox01 for the discard status of the primary message.
5. When Mailbox03 determines Mailbox01 successfully processed the primary message, Mailbox03 moves
the shadow message into the local Shadow Safety Net. Note that the message moves between queues
within the same queue database.
The message is retained in Primary Safety Net and Shadow Safety Net until the message expires based on a
configurable timeout value. If a mailbox database failover occurs before the message expires, the Primary Safety
Net on Mailbox01 resubmits the message. If the Mailbox01 isn't available, the Shadow Safety Net on Mailbox03
takes over and resubmits the message.
Shadow redundancy was introduced in Exchange 2010 to provide redundant copies of messages before they're
delivered to mailboxes. In Exchange 2010, shadow redundancy delayed deleting a message from the queue
database on a Hub Transport server until the server verified that the next hop in the message delivery path had
completed delivery. If the next hop failed before reporting successful delivery back to the Hub Transport server,
the server resubmitted the message to that next hop. Exchange 2010 Hub Transport servers used the
XSHADOW verb to advertise their shadow redundancy support. If a source messaging server didn't support
shadow redundancy, Exchange 2010 used delayed acknowledgment based on a configured time interval on the
Receive connector to make a redundant copy of the message.
Exchange 2016 and Exchange 2019 have the same improvements that were made to shadow redundancy in
Exchange 2013: the Transport service on a Mailbox server now makes a redundant copy of any message it
receives before acknowledging the receipt of the message to the sending server. Maintaining redundant copies of
messages in transit is more than a best effort that may or may not work, because now shadow redundancy
doesn't depend the sending server's supported features (support or lack of support for shadow redundancy
doesn't matter). This helps to ensure that all messages in the transport pipeline are made redundant while they're
in transit. If Exchange determines the original message was lost in transit, the redundant copy of the message is
redelivered.
For more information about transport high availability features in Exchange Server, see Transport high
availability in Exchange Server. For more information about message redundancy after a message has been
successfully delivered, see Safety Net in Exchange Server.
TERM DESCRIPTION
Transport high availability boundary A database availability group (DAG) in DAG environments, or
an Active Directory site in non-DAG environments. For DAGs
that span multiple Active Directory sites, the DAG itself is still
the boundary (not the site).
Primary message The message submitted into the transport pipeline for
delivery.
Shadow message The redundant copy of the message that the shadow server
retains until it confirms the primary message was successfully
processed by the primary server.
TERM DESCRIPTION
Primary server The Mailbox server that's currently processing the primary
message.
Shadow server The Mailbox server that holds the shadow message for the
primary server. A Mailbox server may be the primary server
for some messages and the shadow server for other
messages simultaneously.
Shadow queue The delivery queue where the shadow server stores shadow
messages. For messages with multiple recipients, each next
hop for the primary message requires separate shadow
queues.
Discard status The information that the Mailbox server maintains for
shadow messages to indicate the primary message has been
successfully processed.
Discard notification The response a shadow server receives from a primary server
indicating a shadow message is ready to be discarded.
Shadow Redundancy Manager The transport component that manages shadow redundancy.
Heartbeat The process that allows primary servers and shadow servers
to verify the availability of each other.
1. A messaging server transmits a message to the Transport service on a Mailbox server. The Mailbox server
is the primary server, and the message is the primary message.
2. While the original SMTP session with the messaging server is still active, the Transport service on primary
server opens a new, simultaneous SMTP session with the Transport service on a different Mailbox server
in the organization to create a redundant copy of the message.
If the primary server is a member of a DAG, the primary server connects to a different Mailbox
server in the same DAG. If the DAG spans multiple Active Directory sites, a Mailbox server in a
different Active Directory site is preferred by default (the default value of the
ShadowMessagePreference parameter on the Set-TransportService cmdlet is PreferRemote , but
you can change it to RemoteOnly or LocalOnly ).
If the primary server isn't a member of a DAG, the primary server connects to a different Mailbox
server in the same Active Directory site (regardless of the value of the ShadowMessagePreference
parameter).
3. The primary server transmits a copy of the message to the Transport service on another Mailbox server,
and Transport service on the other Mailbox server acknowledges that the copy of the message was created
successfully. The copy of the message is the shadow message, and the Mailbox server that holds it is the
shadow server for the primary server. The message exists in a shadow queue on the shadow server.
4. After the primary server receives acknowledgment from the shadow server, the primary server
acknowledges the receipt of the primary message to the original messaging server in the original SMTP
session, and the SMTP session is closed.
Messages sent outside a transport high availability boundary
When a Mailbox server transmits a message outside the transport high availability boundary, and the messaging
server on the other side acknowledges successful receipt of the message, and the Mailbox server moves the
message into Safety Net. No resubmission of the message from Safety Net can occur after the primary message
has been successfully transmitted across the transport high availability boundary. For more information about
Safety Net, see Safety Net in Exchange Server.
Messages transmitted within a transport high availability boundary
Message routing is optimized so that when the ultimate destination is in a DAG or Active Directory site, multiple
hops between servers within the destination DAG or site aren't typically required. After the message is accepted
by the Transport service on a Mailbox server in the destination DAG or Active Directory, the next hop for the
message is typically the ultimate destination itself (for example, the Mailbox server that holds the active copy of
the destination mailbox). Shadow redundancy's goal of keeping two copies of a message in transit is fulfilled
when one shadow copy of the message exists anywhere within the DAG or Active Directory site. Typically, only
failover scenarios in a DAG that require the Redirect-Message cmdlet to drain the active message queues on a
Mailbox server would require multiple hops within the same transport high availability boundary.
Shadow redundancy with Exchange 2010 Hub Transport servers in the same Active Directory site in Exchange
2016 organizations
When an Exchange 2010 Hub Transport server transmits a message to an Exchange 2016 Mailbox server in the
same Active Directory site, the Exchange 2010 Hub Transport server advertises support for shadow redundancy
using the XSHADOW command, but the Mailbox server doesn't advertise support for shadow redundancy. This
prevents the Exchange 2010 Hub Transport server from creating a shadow copy of the message on an Exchange
2016 Mailbox server.
When the Transport service on an Exchange 2016 Mailbox server transmits a message to an Exchange 2010 Hub
Transport in the same Active Directory site, the Exchange 2016 Mailbox server shadows the message for the
Exchange 2010 Hub Transport server. After the Exchange 2016 Mailbox server receives acknowledgment from
the Exchange 2010 Hub Transport server that the message was successfully received, the Exchange 2016 Mailbox
server moves the successfully processed message into Safety Net. However, the successfully processed messages
stored in Safety Net by Exchange 2016 Mailbox are never resubmitted to the Exchange 2010 Hub Transport
servers.
SMTP timeouts
During the attempt to make a redundant copy of the message, the SMTP connection between servers (the
sending server and the primary server, or the primary server and the shadow server) could timeout. Receive
connectors and Send connectors both have a ConnectionInactivityTimeOut parameter for when data is actually
being transmitted on the connector. Receive connectors also have an absolute ConnectionTimeOut parameter.
If any of the SMTP sessions time out before the shadow copy of the message is successfully created and
acknowledged, the result is controlled by the RejectMessageOnShadowFailure parameter on the Set-
TransportConfig cmdlet. By default, the value of this parameter is $false , which means the primary message is
accepted without a shadow copy being created. If the value of this parameter is $true the primary message is
rejected with the transient error 451 4.4.0 .
If the shadow copy of a message is successfully created, but the SMTP session between the sending server and
the primary server times out, the primary server accepts and processes the primary message. The sending server
will re-deliver the unacknowledged message, but duplicate message detection will prevent Exchange mailbox
users from seeing the duplicate messages. When the sending server resubmits the message, the primary server
will create another shadow copy of the message. There's no relationship between the shadow messages created
during message resubmissions by the sending server.
The following table describes the parameters that control the creation of shadow messages
SOURCE DEFAULT VALUE DESCRIPTION
ConnectionInactivityTimeout on Set- 5 minutes for Receive connectors in the This parameter specifies the maximum
ReceiveConnector Transport service on Mailbox servers time that an open SMTP connection
with the source messaging server can
remain idle before the connection is
closed. The value of this parameter
must be greater than the value of the
ConnectionTimeout parameter.
ConnectionTimeout on Set- 10 minutes for Receive connectors in This parameter specifies the maximum
ReceiveConnector the Transport service on Mailbox time that an SMTP connection with the
servers source messaging server can remain
open, even if the server is transmitting
data. The value of this parameter must
be greater than the value of the
ConnectionInactivityTimeout
parameter.
Mailbox01 comes back online with a new queue database When the new queue database ID is detected on Mailbox01,
before the value of the ShadowResubmitTimeSpan each server that has shadow messages queued for Mailbox01
parameter has passed (by default, 3 hours). will assume ownership of those messages and resubmit them.
The messages are then delivered to their destinations.
This scenario can occur when the queue database is
unrecoverable due to data corruption or hardware failure. The maximum delay for message submission after the new
queue database is detected is the value of the
ShadowHeartbeatFrequency parameter (by default, 2
minutes).
Mailbox01 comes back online with the same database after After Mailbox01 comes back online, it will deliver the
the value of the ShadowResubmitTimeSpan parameter has messages in its queues, which have already been delivered by
passed (by default, 3 hours). the servers that hold shadow copies of messages for
Mailbox01. This will result in duplicate delivery of these
This scenario can occur after a network card failure, or time- messages. Exchange mailbox users won't see duplicate
consuming maintenance on the server. messages due to duplicate message detection. However,
recipients on other messaging systems might see duplicate
copies of messages.
In Exchange 2010, the transport dumpster helped protect against data loss by maintaining a queue of successfully
delivered messages that hadn't replicated to the passive mailbox database copies in the database availability
group (DAG ). When a mailbox database or server failure required the promotion of an out-of-date copy of the
mailbox database, the messages in the transport dumpster were automatically resubmitted to the new active copy
of the mailbox database.
The transport dumpster was improved in Exchange 2013 and is now called Safety Net. Exchange 2016 and
Exchange 2019 have these same improvements.
Here's how Safety Net is similar to the transport dumpster in Exchange 2010:
Safety Net is a queue that's associated with the Transport service on a Mailbox server. This queue stores
copies of messages that were successfully processed by the server.
You can specify how long Safety Net stores copies of the successfully processed messages before they
expire and are automatically deleted. The default is 2 days.
Here's how Safety Net is improved from the transport dumpster in Exchange 2010:
Safety Net doesn't require a DAG: For Mailbox servers that don't belong to a DAG, Safety Net stores
copies of the delivered messages on other Mailbox servers in the local Active Directory site.
Safety Net itself isn't a single point of failure: Redundancy is provided by using a Primary Safety Net
and a Shadow Safety Net. If the Primary Safety Net is unavailable for more than 12 hours, resubmit
requests become shadow resubmit requests, and messages are re-delivered from the Shadow Safety Net.
Safety Net takes over some responsibility from shadow redundancy in DAG environments:
Shadow redundancy doesn't need to keep another copy of the delivered message in a shadow queue while
it waits for the delivered message to replicate to the passive copies of mailbox database. The copy of the
delivered message is already stored in Safety Net, so the message can be resubmitted from Safety Net if
necessary.
Safety Net tries to guarantee message redundancy: Safety Net is more than just a best effort for
message redundancy, so you can't specify a maximum size limit for Safety Net. You can only specify how
long Safety Net stores messages before they're automatically deleted.
For more information about transport high availability features in Exchange Server, see Transport high
availability in Exchange Server. For more information about message redundancy for messages in transit, see
Shadow redundancy in Exchange Server.
ReplayLagTime on Set- Not configured The amount of time that the Microsoft
MailboxDatabaseCopy Exchange Replication service should
wait before replaying log files that have
been copied to the passive database
copy. Setting this parameter to a value
greater than 0 creates a lagged copy of
the mailbox database. The maximum
value is 14 days.
This example configures 15 minutes for the Safety Net hold time. This is the minimum value that you can
set.
Transport logs provide information about what's happening in the transport pipeline. For more information about
the transport pipeline, see Mail flow and the transport pipeline.
The transport logs in Exchange Server are described in the following sections.
Agent logging
Agent logging records the actions that are performed on messages by specific antispam transport agents on the
Exchange server. For more information, see these topics:
Antispam Agent Logging
Configure Antispam Agent Logging
Enable antispam functionality on Mailbox servers
Enabled by default?: Yes
Default location of log files: Note that the folder isn't created until an agent attempts to write information to the
log.
Mailbox servers:
Front End Transport service: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog
Connectivity logging
Connectivity logging records outbound message transmission activity by the transport services on the Exchange
server. For more information, see these topics:
Connectivity logging in Exchange Server
Configure connectivity logging in Exchange Server
Enabled by default?: Yes
Default location of log files:
Mailbox servers:
Front End Transport service: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\Connectivity
Pipeline tracing
Pipeline tracing records snapshots of messages before and after the message is affected by transport agents in the
transport pipeline. For more information, see these topics:
Pipeline Tracing
Configure Pipeline Tracing
Enabled by default?: No
Default location of log files: Note that the folder isn't created until pipeline tracing is enabled.
Mailbox servers:
Transport service: %ExchangeInstallPath%TransportRoles\Logs\Hub\PipelineTracing
Protocol logging
Protocol logging records the SMTP conversations that occur on Send connectors and Receive connectors during
message delivery. For more information, see these topics:
Protocol logging
Configure protocol logging
Enabled by default?: Only on these connectors:
The default Receive connector named Default Frontend <ServerName> in the Front End Transport service
on Mailbox servers.
The implicit and invisible Send connector in the Front End Transport service on Mailbox servers.
For more information about these connectors, see Default Receive connectors created during setup and Implicit
Send connectors.
Default location of log files:
Mailbox servers:
Front End Transport service:
Receive connectors: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
Transport service:
Receive connectors: %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive
The message tracking log is a detailed record of all activity as mail flows through the transport pipeline on Mailbox
servers and Edge Transport servers. You can use message tracking for message forensics, mail flow analysis,
reporting, and troubleshooting.
By default, Exchange uses circular logging to limit the message tracking log based on file size and file age to help
control the hard disk space that's used by the log files. To configure the message tracking log, see Configure
message tracking.
MSGTRK Mailbox servers and Edge Transport Log files for the Transport service.
servers
The other placeholders in the log file names represent the following information:
yyyymmdd is the coordinated universal time (UTC ) date when the log file was created. yyyy = year, mm =
month, and dd = day.
nnnn is an instance number that starts at the value 1 every day for each log.
Information is written to the log file until the file reaches its maximum size. Then, a new log file that has an
incremented instance number is opened (the first log file is -1, the next is -2, and so on). Circular logging deletes
the oldest log files for a service when either of the following conditions are true:
A log file reaches its maximum age.
The message tracking log folder reaches its maximum size.
Notes:
The maximum size of the message tracking log folder is calculated as the total size of all log files that
have the same name prefix. Other files that do not follow the name prefix convention are not counted
in the total folder size calculation. Renaming old log files or copying other files into the message
tracking log folder could cause the folder to exceed its specified maximum size.
On Mailbox servers, the maximum size of the message tracking log folder is three times the specified
value. Although the message tracking log files are generated by the four different services and have
four different name prefixes, the amount and frequency of data written to the moderated transport
log ( MSGTRKMA ) is negligible compared to the other three logs.
The message tracking log files are text files that contain data in the comma-separated value (CSV ) format. Each
message tracking log file has a header that contains the following information:
#Software: The value is Microsoft Exchange Server .
#Version: Version number of the Exchange server that created the message tracking log file. The value uses
the format 15.01.nnnn.nnn .
#Log-Type: The value is Message Tracking Log .
#Date: The UTC date-time when the log file was created. The UTC date-time is represented in the ISO 8601
date-time format: yyyy-mm -ddThh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, T indicates the
beginning of the time component, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z
signifies Zulu, which is another way to denote UTC.
#Fields: Comma-delimited field names that are used in the message tracking log files.
date-time The UTC date-time of the message tracking event. The UTC
date-time is represented in the ISO 8601 date-time format:
yyyy-mm-ddThh:mm:ss.fffZ, where yyyy = year, mm = month,
dd = day, T indicates the beginning of the time component,
hh = hour, mm = minute, ss = second, fff = fractions of a
second, and Z signifies Zulu, which is another way to denote
UTC.
event-id The message event type. These values are described in the
Event types in the message tracking log section later in this
topic.
message-subject The message's subject found in the Subject: header field. The
tracking of message subjects is controlled by the
MessageTrackingLogSubjectLoggingEnabled parameter on
the Set-TransportService cmdlet. By default, message
subject tracking is enabled.
sender-address The email address specified in the Sender: header field, or the
From: header field if the Sender: field doesn't exist.
FIELD NAME DESCRIPTION
custom-data This field contains data related to specific event types. For
example, the Transport Rule agent uses this field to record the
GUID of the mail flow rule (also known as a transport rule) or
DLP policy that acted on the message. For more information
about these Transport Rule agent values, see the "Data
logging" section in the DLP Policy Detection Management
topic,
schema-version Version number of the Exchange server that created the entry
in the message tracking log. The value uses the format
15.01.nnnn.nnn .
HADISCARD A shadow message was discarded after the primary copy was
delivered to the next hop. For more information, see Shadow
redundancy in Exchange Server.
APPROVAL The event source was the approval framework that's used with
moderated recipients. For more information, see Moderated
Transport.
BOOTLOADER The event source was unprocessed messages that exist on the
server at boot time. This is related to the LOAD event type.
MAILBOXRULE The event source was an Inbox rule. For more information, see
Inbox rules.
MEETINGMESSAGEPROCESSOR The event source was the meeting message processor, which
updates calendars based on meeting updates.
PICKUP The event source was the Pickup directory. For more
information, see Pickup Directory and Replay Directory.
POISONMESSAGE The event source was the poison message identifier. For more
information about poison messages and the poison message
queue, see Queues and messages in queues
SAFETYNET The event source was Safety Net. For more information, see
Safety Net in Exchange Server.
Message tracking records the message activity as mail flows through the transport pipeline on Mailbox servers
and Edge Transport servers. You can use message tracking logs for message forensics, mail flow analysis,
reporting, and troubleshooting.
You use the Set-TransportService cmdlet in the Exchange Management Shell on Mailbox servers and Edge
Transport servers for all message tracking configuration tasks. For example:
Enable or disable message tracking. The default is enabled.
Specify the location of the message tracking log files. The default location is
%ExchangeInstallPath%TransportRoles\Logs\MessageTracking .
Specify a maximum size for the individual message tracking log files. The default is 10 MB.
Specify a maximum size for the directory that contains the message tracking log files: The default is 1000
MB.
Specify maximum age for the message tracking log files: The default is 30 days.
Enable or disable message subject logging in the message tracking logs. The default is enabled.
NOTE
On Mailbox servers, you can also use the Exchange admin center (EAC) to enable or disable message tracking, and to specify
the location of the message tracking log files.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Note that you don't need to specify the Exchange server when you run the command on the server that you want
to configure.
This example configures the following message tracking log settings on the server named Mailbox01:
Sets the location of the message tracking log files to D:\Message Tracking Log. Note that if the folder
doesn't exist, it's created for you.
Sets the maximum size of a message tracking log file to 20 MB.
Sets the maximum size of the message tracking log directory to 1.5 GB.
Sets the maximum age of a message tracking log file to 45 days.
NOTE
• Setting the MessageTrackingLogPath parameter to the value $null , effectively disables message tracking. However, if the
value of the MessageTrackingLogEnabled parameter is $true , event log errors are generated.
• Setting the MessageTrackingLogMaxAge parameter to the value 00:00:00 prevents the automatic removal of message
tracking log files because of their age.
• The maximum size of the message tracking log directory is three times the value of the
MessageTrackingLogMaxDirectorySize parameter. Although the message tracking log files that are generated by the four
different services have four different name prefixes, the amount and frequency of data written to the moderated transport
log (MSGTRKMA) is negligible compared to the other three logs. For more information, see Structure of the message
tracking log files.
This example disables message subject logging in the message tracking log on the server named Mailbox01:
You can also open the location of the message tracking log in Windows Explorer or File Explorer to verify that the
log files exist, that data is being written to the files, and that they're being recycled based on the maximum file size
and maximum directory size values that you configured.
Search message tracking logs
8/23/2019 • 4 minutes to read • Edit Online
Message tracking records the message activity as mail flows through the transport pipeline on Mailbox servers
and Edge Transport servers. You can use the Get-MessageTrackingLog cmdlet in the Exchange Management
Shell to search for entries in the message tracking log by using specific search criteria. For example:
Find out what happened to a message that was sent by a user to a specific recipient.
Find out if a mail flow rule (also known as a transport rule) acted on a message.
Find out if a message sent from an Internet sender made it into your Exchange organization.
Find all messages sent by a specified user during a specified time period.
To view the 1000 most recent message tracking log entries on the server, run the following command:
Get-MessageTrackingLog
This example searches the message tracking logs on the local server for all entries from 3/28/2015 8:00 AM to
3/28/2015 5:00 PM for all FAIL events where the message sender was pat@contoso.com.
Get-MessageTrackingLog -ResultSize Unlimited -Start "3/28/2015 8:00AM" -End "3/28/2015 5:00PM" -EventId "Fail"
-Sender "pat@contoso.com"
This example searches the message tracking logs using the following search criteria:
Return results for the first 1,000 Send events.
Display the results in the list format.
Display only those field names that begin with Send or Recipient .
Write the output to a new file named D:\Send Search.txt
$Servers = Get-ExchangeServer; $Servers | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq
$true} | Get-MessageTrackingLog -MessageId <MessageID> | Select-Object <CommaSeparatedFieldNames> | Sort-
Object -Property <FieldName>
This example searches the message tracking logs on all Mailbox servers and Exchange 2010 Hub Transport server
by using the following search criteria:
Find any entries related to a message that has a MessageID: value of
<ba18339e-8151-4ff3-aeea-87ccf5fc9796@mailbox01.contoso.com> . Note that you can omit the angle bracket
characters ( < > ). If you don't, you need to enclose the entire MessageID: value in quotation marks.
For each entry, display the fields date-time, server-hostname, client-hostname, source, event-id, and
recipient-address.
Sort the results by the date-time field.
$Servers = Get-ExchangeServer; $Servers | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq
$true} | Get-MessageTrackingLog -MessageId ba18339e-8151-4ff3-aeea-87ccf5fc9796@mailbox01.contoso.com |
Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property
Timestamp
With delivery reports for administrators, you can track delivery information about messages sent by or received
from any specific mailbox in your organization. Specifically, delivery reports for administrators uses the Exchange
admin center (EAC ) to perform a targeted search of the message tracking logs. The search is always scoped to a
specific mailbox. You can search for messages sent by the mailbox, or sent to the mailbox, and you can filter the
search results by the message subject.
The content of the message body isn't returned in a delivery report, but the subject line is displayed in the results.
If you want to search the mailboxes in your organization for specific email messages based on message content,
see In-Place eDiscovery in Exchange Server.
You may find delivery report searches useful in the following situations:
A manager gives a poor review for a trainee because the trainee didn't turn in an assignment on time. The
trainee insists he sent a message with the assignment attached. The manager asks you to verify the status of
the message.
A security bulletin has been sent to users asking that they reply immediately, but no one has replied. Are
they ignoring the message or did they just not receive it?
Users complain that no one is receiving their messages. They check delivery status for their mail but can't
figure out what is going on. This may be because a rule is being applied to messages at the organization
level.
After you create a delivery report search, the resulting delivery report will show the following information: Who
the message was sent from and to, the subject line, and when the message was sent. The delivery report also
shows message delivery status and reasons why delivery may be delayed or failed.
Delivery Reports is a message tracking tool in the Exchange admin center (EAC ) that you can use to search for
delivery status on email messages that were sent to or from users in your organization's address book. You can
track delivery information about messages sent by or received from any specific mailbox in your organization.
The message's content isn't returned in the delivery report, but the subject line is displayed in the results. You can
track messages for up to 14 days after they were sent or received.
NOTE
Delivery Reports tracks messages that were sent by people using Microsoft Outlook or Outlook on the web. It doesn't track
messages sent from POP3 or IMAP4 email clients, such as Windows Live Mail or Mozilla Thunderbird.
Connectivity logging records the outbound connection activity that's used to transmit messages on Exchange
servers. In Exchange Server, the following services transmit messages, so they have connectivity logs:
The Transport service on Mailbox servers and Edge Transport servers.
The Front End Transport service on Mailbox servers.
The Mailbox Transport Submission service on Mailbox servers.
The Mailbox Transport Delivery service on Mailbox servers.
For more information about these transport services, and where they can transmit messages, see Mail flow and
the transport pipeline.
Connectivity logging doesn't track the transmission of individual messages. Instead, it tracks the number and size
of messages that were transmitted over a connection, DNS resolution information for the destination, and
informational messages that are related to the connection.
By default, connectivity logging is enabled, and Exchange uses circular logging to limit the connectivity log files
based on size and age to help control the hard disk space that's used. To configure connectivity logging, see
Configure connectivity logging in Exchange Server.
Note: If you're interested in a detailed record of the entire SMTP protocol conversation from start to finish, see
Protocol logging.
session A GUID value. The value is the same for every event that's
associated with the session, but different for each session.
The transport services connect to and transmit messages to multiple destinations simultaneously. Entries in the log
file from different connection events are interlaced (they typically aren't grouped together as one uninterrupted
series of connection events). However you can use the fields (in particular, the unique session field value for a
connection) to organize and arrange the log entries for each separate connection from start to finish.
Configure connectivity logging in Exchange Server
8/23/2019 • 4 minutes to read • Edit Online
Connectivity logging records outbound connection activity (source, destination, number and size of messages, and
connection information) for the transport services on Exchange servers. For more information about connectivity
logging, see Connectivity logging in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example sets the following connectivity log settings in the Transport service on the Mailbox server named
Mailbox01:
Location of the connectivity log: D:\Connectivity Log\Hub. Note that if the folder doesn't exist, it will be
created for you if the parent folder has the required permissions.
Maximum size of a connectivity log file: Sets the maximum size of a connectivity log file to 20 MB.
Maximum size of the connectivity log folder: Sets the maximum size of the connectivity log directory
to 1.5 GB.
Maximum age of a connectivity log file: Sets the maximum age of a connectivity log file to 45 days.
For detailed syntax and parameter information, see Set-TransportService, Set-FrontendTransportService, and Set-
MailboxTransportService.
Notes:
Setting the ConnectivityLogPath parameter to the value $null , effectively disables connectivity logging.
However, this value generates event log errors if the value of the ConnectivityLogEnabled parameter is also
$true .
When you use the ConnectivityLogPath parameter on the Set-MailboxTransportService cmdlet, two
subfolders are automatically created in the folder you specify:
Delivery for the Mailbox Transport Delivery service.
Submission for the Mailbox Transport Submission service.
Setting the ConnectivityLogMaxAge parameter to the value 00:00:00 prevents the automatic removal of
connectivity log files because of their age.
2. Open the location of the connectivity log in Windows Explorer or File Explorer to verify that the log files
exist, that data is being written to the files, and that the files are being recycled based on the maximum file
size and maximum directory size values that you configured. If you disabled connectivity logging, verify
that the log files aren't being updated.
Queues and messages in queues in Exchange Server
8/23/2019 • 26 minutes to read • Edit Online
A queue is a temporary holding location for messages that are waiting to enter the next stage of processing or delivery to
a destination. Each queue represents a logical set of messages that the Exchange server processes in a specific order. In
Exchange 2016 and Exchange 2019, queues hold messages before, during, and after delivery. Queues exist in the
Transport service on Mailbox servers and on Edge Transport servers. Mailbox servers and Edge Transport servers are
called transport servers throughout this topic.
Like all previous versions of Exchange, a single Extensible Storage Engine (ESE ) database is used for queue storage.
You can manage queues and messages in queues by using the Exchange Management Shell and Queue Viewer in the
Exchange Toolbox. You can use these interfaces to view the status and contents of queues and detailed message
properties. You can also perform actions that modify queues or the messages in queues. For more information, see
Procedures for queues and Procedures for messages in queues.
Types of queues
The following types of queues are used in Exchange 2016 and Exchage 2019, which are the same as Exchange 2013:
Delivery queues Mailbox servers and Edge Transport Holds messages that are being delivered
servers to all internal and external destinations.
Delivery queues are dynamically created
when they're required, and are
automatically deleted when the queue is
empty and the expiration time has passed.
The queue expiration time is controlled by
the QueueMaxIdleTime parameter on the
Set-TransportService cmdlet. The default
value is three minutes.
On Edge Transport servers, there's a
queue for every unique destination SMTP
domain or smart host.
On Mailbox servers, there's a queue for
every unique destination as indicated by
the NextHopSolutionKey property. For
more information, see the
NextHopSolutionKey section later in this
topic.
All messages are transmitted between
Exchange 2016 and Exchange 2013
servers by using SMTP. Non-SMTP
destinations also use delivery queues if
the destination is serviced by a Delivery
Agent connector. For more information,
see Delivery Agents and Delivery Agent
Connectors.
QUEUE SERVER ROLE DESCRIPTION
Poison message queue Mailbox servers and Edge Transport Isolates messages that contain errors and
servers are determined to be harmful to Exchange
after a server or service failure. The
messages may be genuinely harmful in
their content and format, or the messages
might have been the victims of a poorly
written transport agent or a software bug
that crashed the Exchange server while it
was processing the otherwise valid
messages.
The poison message queue is typically
empty. If the poison message queue
contains no messages, then it doesn't
appear in the queue management tools.
Messages in the poison message queue
are never automatically resumed or
expired. Messages remain in the poison
message queue until they're manually
resumed or removed by an administrator.
Every Mailbox server or Edge Transport
server has only one poison message
queue.
Submission queue Mailbox servers and Edge Transport Holds messages that have been accepted
servers by the Transport service, but haven't been
processed. Messages in the Submission
queue are either waiting to be processed,
or are actively being processed.
On Mailbox servers, messages are
received by a Receive connector, the
Pickup or Replay directories, or the
Mailbox Transport Submission service. On
Edge Transport servers, messages are
typically received by a Receive connector,
but the Pickup and Replay directories are
also available.
The categorizer retrieves messages from
this queue and, among other things,
determines the location of the recipient
and the route to that location. After
categorization, the message is moved to a
delivery queue or to the Unreachable
queue. For more information about the
categorizer and the transport pipeline, see
Mail flow and the transport pipeline.
Every Mailbox server or Edge Transport
server has only one Submission queue.
Unreachable queue Mailbox servers and Edge Transport Contains messages that can't be routed to
servers their destinations. Typically, an
unreachable destination is caused by
configuration changes that have modified
the routing path for delivery. Regardless of
destination, all messages that have
unreachable recipients reside in this
queue.
Every Mailbox server or Edge Transport
server has only one Unreachable queue.
Queue database files
All the different queues are stored in a single ESE database. By default, this queue database is located on the transport
server at %ExchangeInstallPath%TransportRoles\data\Queue .
Like any ESE database, the queue database uses log files to accept, track, and maintain data. To enhance performance, all
message transactions are written first to log files and memory, and then to the database file. The checkpoint file tracks the
transaction log entries that have been committed to the database. During an ordinary shutdown of the Microsoft
Exchange Transport service, uncommitted database changes that are found in the transaction logs are committed to the
database.
Circular logging is used for the queue database. This means that transaction logs that are older than the current
checkpoint are immediately and automatically deleted. Therefore, the transaction logs can't be replayed for queue
database recovery from backup.
The following table lists the files that constitute the queue database.
FILE DESCRIPTION
Mail.que This queue database file stores all the queued messages.
Tmp.edb This temporary database file is used to verify the queue database
schema on startup.
Trn.chk This checkpoint file tracks the transaction log entries that have
been committed to the database. This file is always in the same
location as the mail.que file.
Exchange uses generation tables for storage and clean-up of messages in the queue database. Instead of processing and
deleting individual message records from one large table, the queue database stores messages in time-based tables, and
only deletes the entire table after all the messages in the table have been successfully processed. For example, consider
the following example:
All messages queued from 1:00 PM to 2:00 PM, regardless of the queue or destination, are stored in the
1p-2p_msgs table.
NOTE
Any customized per-server Exchange or Internet Information Server settings you make in exExchangeNoVersion XML application
configuration files (for example, web.config files or the EdgeTransport.exe.config file) will be overwritten when you install an
exExchangeNoVersion Cumulative Update (CU). Make sure that you save this information so that you can easily re-configure your
server after the install. You must re-configure these settings after you install an exExchangeNoVersion CU.
The <appSettings> section of the EdgeTransport.exe.config file is where you can add new keys or modify existing keys. If
a specific key doesn't exist, you can add it manually to change its value.
The keys for the queue database that are available in the EdgeTransport.exe.config file are described in the following
table.
Message queue database keys that are available in the EdgeTransport.exe.config file
QueueDatabaseOnlineDefragSchedule 1:00:00 or 1:00 A.M. Specifies the time of day in 24 hour format
to start the online defragmentation of the
mail queue database. To specify a value,
enter the value as a time span: hh:mm:ss,
where h = hours, m = minutes, and s =
seconds.
Queue properties
A queue has many properties that describe the purpose and status of the queue. Some queue properties are applied to
the queue when the queue is created, and don't change. Other properties contain status, size, time, or other indicators
that are updated frequently.
NextHopSolutionKey
The routing component of the categorizer in the Microsoft Exchange Transport service selects the destination for a
message, and this destination is used to create the delivery queue. The destination is stamped on every recipient as the
NextHopSolutionKey property. Every unique value of the NextHopSolutionKey property corresponds to a separate
delivery queue.
The NextHopSolutionKey property contains the following fields:
DeliveryType: Represents the results of the categorization of the message, and how the Transport service intends
to transmit the message to the next hop, which could be the ultimate destination of the message, or an
intermediate hop along the way. The Transport service uses a predefined list of values for DeliveryType.
Based on the value of DeliveryType, the NextHopCategory property is added to the queue.
The value External indicates the next hop for the queue is outside the Exchange organization.
The value Internal indicates the next hop for the queue is inside the Exchange organization.
Note that a message for an external recipient may require one or more internal hops before the message is
delivered externally.
NextHopDomain: Uses specific values based on the value of the DeliveryType field. For delivery queues, the
value of this field is effectively the name of the queue.
The value of NextHopDomain isn't always a domain name. For example, the value could be the name of the
target Active Directory site or database availability group (DAG ). Think of this field as the next hop name.
NextHopConnector: Uses specific values based on the value of the DeliveryType field. The value is always
expressed as a GUID. If this field isn't used, the value is a GUID with all zeroes.
The value of NextHopConnector isn't always the GUID of a connector. For example, the value could be the GUID
of the target Active Directory site or DAG. Think of this field as the next hop GUID.
The values of DeliveryType, NextHopCategory, NextHopDomain and NextHopConnector are described in the
following table.
DELIVERYTYPE IN
THE EXCHANGE
DELIVERY TYPE IN MANAGEMENT NEX THOPCONNECT
QUEUE VIEWER SHELL DESCRIPTION NEX THOPCATEGORY NEX THOPDOMAIN OR
Delivery Agent DeliveryAgent The queue holds External This value is the This value is the
messages for destination GUID of the
delivery to address space Delivery Agent
recipients in a that's configured connector. For
non-SMTP address on the Delivery example,
space that's Agent connector. 4520e633-d83d-
serviced by a For example, 411a-bbe4-
6a84648674ee
delivery agent and MOBILE .
a Delivery Agent .
connector. The
connector has the
local Mailbox
server configured
as a source server.
For more
information, see
Delivery Agents
and Delivery
Agent Connectors.
DnsConnectorDel DnsConnectorDeliveryThe queue holds External This value is the This value is the
ivery messages for destination GUID of the Send
delivery to address space connector. For
recipients in an that's configured example,
SMTP domain. The on the Send 4520e633-d83d-
Send connector connector. For 411a-bbe4-
6a84648674ee
that services the example,
domain has the contoso.com .
.
local transport
server configured
as source server,
and the Send
connector is
configured to use
DNS routing.
Shadow ShadowRedundancy The queue holds Internal This value is the This value is
Redundancy messages in a FQDN of the 00000000-0000-
shadow queue. A primary transport 0000-0000-
000000000000
shadow queue server for which
holds redundant the shadow queue .
copies messages in is holding
transit in case the redundant copies
primary messages of the primary
aren't successfully messages. For
delivered. For example,
more information, mailbox01.contoso.com
see Shadow .
redundancy in
Exchange Server.
DELIVERYTYPE IN
THE EXCHANGE
DELIVERY TYPE IN MANAGEMENT NEX THOPCONNECT
QUEUE VIEWER SHELL DESCRIPTION NEX THOPCATEGORY NEX THOPDOMAIN OR
SMTP Relay to SmtpRelayToDag The queue holds Internal This value is the This value is the
Database messages for name of the GUID of the
Availability delivery to destination DAG. destination DAG.
Group Exchange 2013 or For example, For example,
later mailbox DAG1 . 6dcb5a1e-0a88-
recipients, where 4fc9-b8f9-
634c34b1a123
the destination
mailbox database
is located in a
remote DAG.
The remote DAG
could be located in
the local Active
Directory site, or in
a remote Active
Directory site.
DELIVERYTYPE IN
THE EXCHANGE
DELIVERY TYPE IN MANAGEMENT NEX THOPCONNECT
QUEUE VIEWER SHELL DESCRIPTION NEX THOPCATEGORY NEX THOPDOMAIN OR
SMTP Relay to SmtpRelayToServers The queue holds Internal This value is the This value is
Specified messages for FQDN of the 0000000-0000-
Exchange delivery to a target expansion 0000-0000-
000000000000
Servers distribution group server. For
that's configured example, .
for a specific mailbox01.contoso.com
expansion server. .
The expansion
server could be an
Exchange 2013 or
later Mailbox
server or an
Exchange 2010
Hub Transport
server.
The expansion
server could be
located in the local
Active Directory
site, or in a remote
Active Directory
site.
Undefined Undefined This value is used Internal For the This value is
only on the Submission queue, 00000000-0000-
Submission queue this value is 0000-0000-
000000000000
and the poison Submisssion . For
message queue. .
the poison
message queue,
this value is
Poison Message .
Unreachable Unreachable This value is used Internal This value is This value is
only on the Unreachable 00000000-0000-
Unreachable Domain 0000-0000-
. 000000000000
queue.
.
PROPERTY DESCRIPTION
IncomingRate The rate that messages are entering the queue. The rate is the
number of messages per second averaged over the last minute.
OutgoingRate The rate that messages are leaving the queue. The rate is the
number of messages per second averaged over the last minute.
Velocity The drain rate of the queue, calculated by subtracting the value of
IncomingRate from the value of OutgoingRate.
If the value is greater than 0, messages are leaving the queue
faster than they are entering the queue.
If the value equals 0, messages are leaving the queue as fast as
they are entering the queue. This is also the value you'll see when
the queue is inactive.
If the value is less than 0, messages are entering the queue faster
than they are leaving the queue.
The Velocity value is displayed in the results of Get-Queue.
At a basic level, a positive value of Velocity indicates a healthy queue that's efficiently draining, and a negative value of
Velocity indicates a queue that isn't efficiently draining. However, you also need to consider the values of
IncomingRate, OutgoingRate, and MessageCount, as well as the magnitude of Velocity.
For example, consider a queue that has the following property values.
Velocity: -50
MessageCount: 1000
OutgoingRate: 10
IncomingRate: 60
Based on the property values for this queue, the negative value for Velocity clearly indicates that the queue isn't draining
properly.
Now consider a queue that has the following property values.
Velocity: -0.85
MessageCount: 2
OutgoingRate: 0.15
IncomingRate: 1
Although the value for Velocity is negative, it's very close to zero, and the values of the other properties are also very
small. Therefore, a negative Velocity value for this queue doesn't indicate a problem with the queue.
Queue status
The current status of a queue is stored in the Status property of the queue. A queue can have one of the status values
that's described in the following table:
Ready The queue recently transmitted messages, but the queue is now
empty.
Retry The last automatic or manual connection attempt failed, and the
queue is waiting to retry the connection.
Message properties
A message in a queue has many properties. Many of the properties reflect the information that was used to create the
message. Some of the messages status and information properties are heavily influenced by corresponding properties
on the queue. However, an individual message may have a different value than the corresponding property of the queue.
Other properties contain status, time, or other indicators that are updated frequently.
Message status
The current status of a message is stored in the Status property of the message. A message can have one of the status
values that's described in the following table:
Locked This value is reserved for internal Microsoft use, and isn't used in
on-premises Exchange organizations.
PendingRemove The message was deleted by the administrator, but the message
was already in the act of being transmitted to the next hop. The
message will be deleted if the delivery ends in an error that causes
the message to reenter the queue. Otherwise, delivery will
continue.
Retry The last automatic or manual connection attempt fail for the
queue that holds the message. The message is waiting for the
next automatic queue connection retry.
NOTE
By default, the Get-QueueDigest cmdlet displays delivery queues that contain ten or more messages, and the results are between
one and two minutes old. For instructions on how to change these default values, see Configure Get-QueueDigest.
The following table describes the management tasks you can perform on queues or messages in queues.
View and filter queues on a Displays one or more queues Queue Viewer or the Get- Procedures for queues
server on a transport server. You can Queue cmdlet.
use the results to take action
on the queues.
View and filter queues on Displays a summary list of Get-QueueDigest cmdlet Procedures for queues
specific servers in specific queues.
DAGs, specific Active Directory
sites, or in the whole Active
Directory forest.
Suspend queues Temporarily prevent delivery Queue Viewer or the Procedures for queues
of messages that are currently Suspend-Queue cmdlet.
in the queue. The queue
continues to accept new
messages, but no messages
leave the queue.
Resume queues Reverses the effect of the Queue Viewer or the Procedures for queues
suspend queue action, and Resume-Queue cmdlet.
enables delivery of queued
messages to resume.
Retry queues Immediately tries to connect Queue Viewer or the Retry- Procedures for queues
to the next hop. Without Queue cmdlet.
manual intervention, when the
connection to the next hop
fails, the connection is
attempted a specific number
of times after a specific time
interval between each
attempt.
Whether the connection
attempt is manual or
automatic, any connection
attempt resets the next retry
time. For more information,
see Message retry, resubmit,
and expiration intervals.
TASK DESCRIPTION TOOL TO USE INSTRUCTIONS
Resubmit messages in queues Causes messages in the queue Retry-Queue with the Procedures for queues
to be resubmitted to the Resubmit parameter
Submission queue and to go Note that you can use Queue
back through the Viewer to resubmit messages,
categorization process. but only from the poison
message queue. To resubmit a
poison message, you first
need to resume the message
in Queue Viewer, or by using
the Resume-Message cmdlet.
Suspend messages in queues Temporarily prevents delivery Queue Viewer or the Procedures for messages in
of a message. You can use the Suspend-Message cmdlet. queues
suspend message action to
prevent delivery of a message
to all the recipients in a
specific queue or to all
recipients in all queues.
Resume messages in queues Reverses the effect of the Queue Viewer or the Procedures for messages in
suspend message action, and Resume-Message cmdlet. queues
enables the delivery of queued
messages to resume. You can
resume the delivery of a
message to all recipients in a
specific queue, or to all
recipients in all queues.
Remove messages from Permanently prevents the Queue Viewer or the Procedures for messages in
queues delivery of a message. You can Remove-Message cmdlet. queues
prevent the delivery of a
message to any recipients in a
specific queue, or to all
recipients in all queues.
Optionally, you can send a
non-delivery report (also
known as an NDR, delivery
status notification, DSN or
bounce message) to the
sender when the message is
removed.
Export messages from queues Copies a message to the Export-Message cmdlet only. Export messages from queues
location that you specify. The
messages aren't deleted from
the queue, but a copy of the
message is saved as a file in
the specified location. This
enables administrators or
officials in an organization to
later examine the messages.
Before you export a message,
you need to temporarily
suspend the message.
Procedures for queues
8/23/2019 • 12 minutes to read • Edit Online
In Exchange Server, you can use the Queue Viewer in the Exchange Toolbox or the Exchange Management Shell
to manage queues. For more information about queues, see Queues and messages in queues.
This topic describes how to perform the following procedures on queues:
View queues
Retry queues: When an Exchange server can't connect to the next hop, the queue is put into a status of
Retry, and the server periodically tries to connect and deliver the messages. When you manually retry a
queue, you override the scheduled retry time by forcing an immediate connection attempt.
Resubmit queues: Resubmitting a queue is similar to retrying a queue, except the messages are sent
back to the Submission queue for the categorizer to process, instead of immediately trying to connect to
the next hop. This is useful if changes to your network infrastructure are preventing the messages in the
queue from being delivered.
Suspend queues: New messages can enter the queue, and messages that are in the act of being
transmitted to the next hop will leave the queue, but otherwise, messages won't leave the queue until the
queue is manually resumed.
Resume queues: Restart outgoing message delivery for a queue that has a status of Suspended. When
you resume a queue, the status of messages in the queue doesn't change (for example, messages that
have a status of Suspended remain suspended and won't leave the queue).
For procedures on messages in queues, see Procedures for messages in queues.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
View queues
Use Queue Viewer to view queues
1. In the Exchange Toolbox, in the Mail flow tools section, double-click Queue Viewer to open the tool
in a new window.
2. In Queue Viewer, click the Queues tab. A list of all queues on the server to which you're connected is
displayed.
3. You can use the Export List link in the action pane to export the list of queues. For more information, see
How to Export Lists from the Exchange Management Consoles.
Use the Exchange Management Shell to view queues
To view queues, use the following syntax.
Get-Queue [-Filter <Filter> -Server <ServerIdentity> -Include <Internal | External | Empty | DeliveryType> -
Exclude <Internal | External | Empty | DeliveryType>]
This example displays basic information about all non-empty queues on the server named Mailbox01.
This example displays detailed information for all queues on the local Exchange server that contain more than
100 messages.
For more information, see Get-Queue and Find queues and messages in queues in the Exchange Management
Shell.
Use the Exchange Management Shell to view queue summary information on multiple Exchange servers
The Get-QueueDigest cmdlet provides a high-level, aggregate view of the state of queues on all servers within
a specific scope (for example, a DAG, an Active Directory site, a list of servers, or the entire Active Directory
forest).
By default, the Get-QueueDigest cmdlet displays delivery queues that contain ten or more messages, and the
results are between one and two minutes old. For instructions on how to change these default values, see
Configure Get-QueueDigest.
Notes:
Queues on a subscribed Edge Transport server aren't included in the results of Get-QueueDigest.
Get-QueueDigest is available on Edge Transport servers, but the results are restricted to local queues on
the server.
To view summary information about queues on multiple Exchange servers, run the following command:
This example displays summary information about the queues on all Exchange 2013 or later Mailbox servers in
the Active Directory site named FirstSite where the message count is greater than 100.
This example displays summary information about the queues on all Mailbox servers in the database availability
group (DAG ) named DAG01 where the queue status has the value Retry.
Retry queues
When you retry a delivery queue, you force an immediate connection attempt and override the next scheduled
retry time. For more information about the schedule retry time for queues, see Message retry, resubmit, and
expiration intervals.
Notes:
The queue must be in a status of Retry for this action to have any effect.
If the connection isn't successful, the retry interval timer is reset.
Use Queue Viewer to retry a queue
1. In the Exchange Toolbox, in the Mail flow tools section, double-click Queue Viewer to open the tool
in a new window.
2. In Queue Viewer, click the Queues tab. A list of all queues on the server that you're connected to is
displayed.
3. Click Create Filter, and enter your filter expression as follows:
a. Select Status from the queue property drop-down list.
b. Select Equals from the comparison operator drop-down list.
c. Select Retry from the value drop-down list.
d. Click Apply Filter. All queues that currently have a Retry status are displayed.
e. Select one or more queues from the list. Right-click, and then select Retry Queue. If the
connection attempt is successful, the queue status changes to Active. If no connection can be
made, the queue remains in a status of Retry and the next retry time is updated.
Use the Exchange Management Shell to retry a queue
To retry queues, use the following syntax.
This example retries all queues on the local server with the status of Retry.
This example retries the queue named contoso.com on the server named Mailbox01.
Resubmit queues
Resubmitting a queue sends all messages in the queue back to the Submission queue for the categorizer to
process. For more information about the categorizer, see Mail flow and the transport pipeline.
Notes:
You can't use Queue Viewer to resubmit queues. You can only use the Exchange Management Shell.
You can resubmit the following queues:
A delivery queue that has the status of Retry.
The Unreachable queue.
Any messages in the queue that have the status value of Suspended aren't resubmitted.
You can't resubmit the poison message queue, but you can resubmit individual messages in the queue.
For more information, see the Resubmit messages in the poison message queue section later in this topic.
Instead of resubmitting the queue, you can export the messages to .eml files and resubmit them by using
the Replay directory on any Exchange server. For more information, see Export messages from queues
Use the Exchange Management Shell to resubmit queues
To resubmit queues, use the following syntax:
Retry-Queue <-Identity QueueIdentity | -Filter {Status -eq "Retry"} -Server ServerIdentity> -Resubmit $true
This example resubmits all messages located in any delivery queues with the status of Retry on the server
named Mailbox01.
Retry-Queue -Filter {Status -eq "Retry"} -Server Mailbox01 -Resubmit $true
This example resubmits all messages located in the Unreachable queue on the server Mailbox01.
2. Use the identity of the message from the previous step in the following command.
Resume-Message <PoisonMessageIdentity>
This example resumes a message from the poison message queue that has the message Identity value of
222.
Resume-Message 222
If the message you resubmitted was the only message in the poison message queue, and the queue is no longer
visible, that's also an indication of a successful message resubmission.
Suspend queues
You can suspend a queue to stop mail flow, and then suspend one or more messages in the queue. For more
information, see Suspend messages in queues.
Notes:
You can suspend the following queues:
A delivery queue that has any status.
The Unreachable queue. Until you manually resume this queue, messages are no longer
automatically resubmitted to the categorizer when configuration updates are detected.
The Submission queue. Until you manually resume this queue, messages aren't picked up by the
categorizer.
Suspending a queue doesn't change the status of the messages in the queue to Suspended.
Use Queue Viewer to suspend a queue
1. In the Exchange Toolbox, in the Mail flow tools section, double-click Queue Viewer to open the tool
in a new window.
2. In Queue Viewer, click the Queues tab. A list of all queues on the server that you're connected to is
displayed. You can create a filter to display only queues that meet specific criteria.
3. Select one or more queues, right-click, and then select Suspend.
Use the Exchange Management Shell to suspend a queue
To suspend a queue, use the following syntax:
This example suspends the queue named contoso.com on the server named Mailbox01.
Resume queues
By resuming a queue, you restart outgoing message delivery from a queue that has a status of Suspended.
Notes:
You can only resume queues that have been suspended.
Resuming a queue doesn't change the status of messages in the queue. For example, messages that have
a status of Suspended remain suspended and don't leave the queue after you resume the queue.
Use Queue Viewer to resume queues
1. In the Exchange Toolbox, in the Mail flow tools section, double-click Queue Viewer to open the tool
in a new window.
2. In Queue Viewer, click the Queues tab. A list of all queues on the server that you're connected to is
displayed.
3. Click Create Filter, and enter your filter expression as follows:
a. Select Status from the queue property drop-down list.
b. Select Equals from the comparison operator drop-down list.
c. Select Suspended from the value drop-down list.
4. Click Apply Filter. All queues on the server that are currently suspended are displayed.
5. Select one or more queues from the list, right-click, and then select Resume.
Use the Exchange Management Shell to resume queues
To resume queues, use the following syntax:
This example resumes the suspended delivery queue named contoso.com on the server named Mailbox01.
Filtering queues by one or more queue properties in Exchange Server allows you to quickly find and take action
on those queues. The following scenarios are examples of how you might use queue filtering to manage mail flow:
You receive a message from System Center Operations Manager that indicates a queue length has
exceeded the established threshold. You want to investigate whether a server-wide mail flow problem
exists.
You create a filter to view all the queues on a server whose message count exceeds what you consider to be
typical. If a mail flow problem is indicated, you can select all the queues in the results and suspend the
queues while you continue to investigate.
You suspend several queues to investigate the cause of mail flow problems. You determine that the
problem was caused by an incorrect connector configuration that is now fixed.
You can create a filter to view all the queues that have a status of Suspended, and then select all the queues
in the filter results and resume the queues.
You can create queue filters in Queue Viewer in the Exchange Toolbox, or by using the Filter parameter on the
queue management cmdlets. Note that the queue management cmdlets support more filterable properties than
Queue Viewer.
For more information about Queue Viewer, see Queue Viewer. For more information about the queue
management cmdlets, see Procedures for queues and Find queues and messages in queues in the Exchange
Management Shell.
EXCHANGE MANAGEMENT
QUEUE VIEWER SHELL COMPARISON OPERATORS DESCRIPTION
Last Error LastError Equals ( -eq ) The last error that was
Does Not Equal ( -ne ) recorded for the queue. For
Contains ( -contains ) more information about
Is Present SMTP error codes, see DSNs
Is Not Present and NDRs in Exchange
Server.
EXCHANGE MANAGEMENT
QUEUE VIEWER SHELL COMPARISON OPERATORS DESCRIPTION
Last Retry Time LastRetryTime Greater Than ( -gt ) The date/time of the last
Greater Than or Equals ( connection attempt for a
-ge ) queue that has a status of
Less Than ( -lt ) Retry . For more
Less Than or Equals ( -le ) information, see Message
Is Present retry, resubmit, and
Is Not Present expiration intervals.
Next Hop Domain NextHopDomain Equals ( -eq ) The name of next hop based
Does Not Equal ( -ne ) on the value of the
Contains ( -like ) DeliveryType property. For
more information, see
NextHopSolutionKey.
Next Retry Time NextRetryTime Greater Than ( -gt ) The date/time of the next
Greater Than or Equals ( connection attempt for a
-ge ) queue that has a status of
Less Than ( -lt ) Retry . For more
Less Than or Equals ( -le ) information, see Message
Is Present retry, resubmit, and
Is Not Present expiration intervals.
On Mailbox servers and Edge Transport servers in Exchange Server, you can export the messages in a queue to
files. The exported messages aren't removed from the queue. Copies of the messages are made in the specified
location as a plain text files. You can view the message files in Notepad or Outlook, and you can resubmit the
message files by using the Replay directory on any other Mailbox server or Edge Transport server inside or
outside your Exchange organization.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example takes the following actions on the server named Mailbox01:
1. Suspends the contoso.com delivery queue.
2. Suspends the message in the queue that has the InternalMessageID value 1234.
3. Exports a copy of the message to the file D:\contoso Export\export.eml.
Suspend-Queue Mailbox01\contoso.com
This example takes the following actions on the server named Mailbox01:
1. Suspends the contoso.com delivery queue.
2. Suspends all messages in the queue.
3. Exports copies of the messages to the local folder named D:\Contoso Export.
Suspend-Queue Mailbox01\contoso.com
Get-Queue Mailbox01\contoso.com | Get-Message -ResultSize Unlimited | Suspend-Message
This example takes the following actions on the server named Mailbox01:
1. Suspends all queues on the server.
2. Suspends all messages in all queues on the server from senders in the fabrikam.com domain.
3. Exports copies of the messages to the local folder named D:\Fabrikam Export.
Get-Message -Filter {FromAddress -like "*@fabrikam.com"} -Server Mailbox01 -ResultSize Unlimited | ForEach-
Object {$Temp="D:\Fabrikam Export\"+$_.InternetMessageID+".eml"; $Temp=$Temp.Replace("<","_");
$Temp=$Temp.Replace(">","_"); Export-Message $_.Identity | AssembleMessage -Path $Temp}
Use the Exchange Management Shell to export all messages from all
queues on a server
To export all messages from all queues on a server, and use the InternetMessageID value of each message as
the file name, use the following syntax:
This example takes the following actions on the server named Mailbox01:
1. Suspends all queues on the server.
2. Suspends all messages in all queues on the server.
3. Exports copies of the messages to the local folder named D:\Mailbox01 Export.
Suspend-Queue -Server Mailbox01
In Exchange Server, you can use the Queue Viewer in the Exchange Toolbox or the Exchange Management Shell
to manage messages in queues. For more information about messages in queues, see Message properties.
This topic describes how to perform the following procedures on messages in queues:
Remove messages: You can remove messages from queues with our without a non-delivery report to the
sender (also known as an NDR, delivery status notification, DSN, or bounce message).
Suspend messages: When you suspend a message, you prevent delivery of the message. The message
won't leave the queue until you resume the message.
Resume messages: You can resume a message that currently has a status of Suspended. By resuming a
message, you enable delivery of the message.
Redirect messages: You can drain messages from all the delivery queues on a Mailbox server, and
transfer those messages to another Mailbox server.
For information about exporting messages from queues, see Export messages from queues.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
If you're working with a filtered list, the displayed page may not include all items in the filter. In this case, a prompt
appears that displays: This action will affect all items on this page. To expand the scope of this action to
include all items in this filter, check the following box before you click OK.
This example removes messages in the queues that have a subject of "Win Big" without sending an NDR.
This example removes the message with the message ID 3 from the Unreachable queue on server named
Mailbox01 and sends an NDR.
Remove-Message -Identity Mailbox01\Unreachable\3 -WithNDR $true
Or
This example suspends the message with the message ID 3 in the Unreachable queue on server named
Mailbox01.
This example suspends all messages in the delivery queue for contoso.com on the server named Mailbox01.
This example suspends all messages in all queues on the local server.
Or
This example resumes all messages being sent from any sender in the contoso.com domain.
This example resumes the message with the message ID 3 in the Unreachable queue on server named
Mailbox01.
Or
This example redirects messages from all delivery queues on the server named Mailbox01 to the server named
Mailbox02.contoso.com.
Get-Queue
Properties of messages in queues
8/23/2019 • 6 minutes to read • Edit Online
Filtering messages in queues by one or more message properties in Exchange Server allows you to quickly locate messages and take
action on them. When an email message is sent to multiple recipients, the message might be located in multiple queues on the server.
When you filter messages in queues by message properties, you can locate messages across all queues. The following scenarios are
examples of how you might use message filtering to manage mail flow:
The Submission queue on the Mailbox server or Edge Transport server that receives email from the Internet has a high volume of
messages that are queued for delivery. Many of the messages have the same subject. Therefore, you suspect that spam is being
sent to your organization. You can create a filter to view all the messages that meet the subject criteria. If you determine that the
messages are spam, you can select them all and delete them from the delivery queue without sending an NDR.
A user reports that mail flow is slow. You examine the queues and see that many messages with random subjects appear to be
coming from a single domain. You can create a filter to view all the queued messages from that domain. If you determine that the
messages are spam, you can select them all and delete them from the queues without sending an NDR.
You can create message filters in Queue Viewer in the Exchange Toolbox, or by using the Filter parameter on the message management
cmdlets. Note that the message management cmdlets support more filterable properties than Queue Viewer.
For more information about Queue Viewer, see Queue Viewer. For more information about the message management cmdlets, see
Procedures for messages in queues and Find queues and messages in queues in the Exchange Management Shell.
Date Received DateReceived Greater Than ( -gt ) The date/time when the message
was placed in the queue.
Greater Than or Equals ( -ge )
Expiration Time ExpirationTime Greater Than ( -gt ) The date/time when the message
will expire and be deleted from the
Greater Than or Equals ( -ge ) queue if the message can't be
delivered.
Less Than ( -lt )
From Address FromAddress Equals ( -eq ) The SMTP address of the sender.
Contains ( -contains )
Last Error LastError Equals ( -eq ) The last error that was recorded for
a message. For example,
Does Not Equal ( -ne ) A matching connector cannot
be found to route the
external recipient
Contains ( -contains ) .
Is Present
Is Not Present
Message Source Name MessageSourceName Equals ( -eq ) The name of the transport
component that submitted the
Does Not Equal ( -ne ) message to the queue. For
example, if the message came in
Contains ( -contains ) through a Receive connector, the
value is: SMTP:
<ConnectorName>. If the
message is a delivery status
notification (DSN), the value is
DSN .
Queue ID Queue Equals ( -eq ) The queue that holds the message.
The queue identity uses the syntax
Does Not Equal ( -ne ) <Server>\<Queue>. For more
information, see Queue identity.
Contains ( -contains )
QUEUE VIEWER EXCHANGE MANAGEMENT SHELL COMPARISON OPERATORS DESCRIPTION
{chris@contoso.com;2;2;A
matching connector cannot be
found to route the external
recipient;16;<No Matching
Connector>;0}
Size (KB) Size Equals ( -eq ) The size of the message. In Queue
Viewer, you need to specify the
Does Not Equal ( -ne ) message size in kilobytes (KB), but
in the Exchange Management Shell,
Greater Than ( -gt ) you can also specify other sizes, for
example, bytes (B) or megabytes
Greater Than or Equals ( -ge ) (MB).
Less Than ( -lt )
Less Than or Equals ( -le
Pending Suspend (
PendingSuspend )
Ready
Retry
Suspended
For more information, see Message
status.
QUEUE VIEWER EXCHANGE MANAGEMENT SHELL COMPARISON OPERATORS DESCRIPTION
Contains ( -contains )
Is Present
Is Not Present
Queue Viewer is part of the Exchange Toolbox that's installed on Mailbox servers and Edge Transport servers in
Exchange Server 2016 and Exchange Server 2019. Queue Viewer is an Microsoft Management Console (MMC )
snap-in that you can use to view information about and take action on queues and messages in queues. Queue
Viewer is useful for troubleshooting mail flow issues and identifying spam.
Queue Viewer is located in the Mail flow tools section of the Exchange Toolbox.
To find and open the Exchange Toolbox, use one of the following procedures:
Windows 10: Click Start > All Apps > Microsoft Exchange Server <Version> > Exchange Toolbox.
Windows Server 2012 R2 or Windows 8.1: On the Start screen, open the Apps view by clicking the down
arrow near the lower-left corner or swiping up from the middle of the screen. The Exchange Toolbox
shortcut is in a group named Microsoft Exchange Server <Version>.
Windows Server 2012: Use any of the following methods:
On the Start screen, click an empty area, and type Exchange Toolbox.
On the desktop or the Start screen, press Windows key + Q. In the Search charm, type Exchange
Toolbox.
On the desktop or the Start screen, move your cursor to the upper-right corner, or swipe left from
the right edge of the screen to show the charms. Click the Search charm, and type Exchange Toolbox.
When the shortcut appears in the results, you can select it.
For more information about queues and messages in queues, see Queues and messages in queues.
TOPIC DESCRIPTION
Connect to a Server in Queue Viewer By default, Queue Viewer opens the queue database on the
server where you opened Queue Viewer. However, you can
connect to a different server.
Set Queue Viewer Options You can configure the queue and message refresh intervals,
and the number of items that are displayed on each page.
View queued message properties in Queue Viewer Explains how to use Queue Viewer to view messages, and
explains the message properties.
Export Lists from Queue Viewer You can use the Export List link in the action pane to export
the list of queues or a list of messages for troubleshooting
and diagnostics.
TOPIC DESCRIPTION
Queue properties Describes the queue properties, and shows the properties
that are available in Queue View versus the Exchange
Management Shell.
Properties of messages in queues Describes the message properties, and shows the properties
that are available in Queue View versus the Exchange
Management Shell.
Procedures for queues Explains how to view, retry, resubmit, suspend, and resume
queues.
Procedures for messages in queues Explains how to remove, suspend, resume, and redirect
messages in queues.
View queued message properties in Queue Viewer
8/23/2019 • 6 minutes to read • Edit Online
You can use the Queue Viewer in the Exchange Toolbox to view queues and the properties of messages in queues.
In Exchange Server 2016 and Exchange Server 2019, Queue Viewer is available on Mailbox servers and Edge
Transport servers.
For more information about queues, see Queues and messages in queues. For more information about Queue
Viewer, see Queue Viewer.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Source IP: The IPv4 or IPv6 address of the internal Exchange server or external messaging server
that submitted the message.
Date Received: The date-time when the message entered the queue.
Expiration Time: The date-time when the message will expire and will be deleted from the queue if
the message can't be delivered.
Recipients: The recipients in the message, with any corresponding error messages. To see the status
and error messages for each recipient, go to the Recipient Information tab.
The Recipient Information tab displays the Address, Status, and Last Error values for each
recipient in the message. The Status value for a recipient can be Complete, Ready, or Retry.
Find queues and messages in queues in the
Exchange Management Shell
8/23/2019 • 17 minutes to read • Edit Online
As in previous versions of Exchange, you can use the Exchange Management Shell in Exchange Server to view
information about queues and messages, and use that information to take action on queues and messages.
Typically, an active Exchange contains a large number of queues and messages to be delivered, so it's important
to understand how to identify the queues or messages that you want to manage.
Note that you can also use Queue Viewer in the Exchange Toolbox to manage queues and messages in queues.
However, the queue and message viewing cmdlets in the Exchange Management Shell support more filterable
properties and filter options than Queue Viewer. For more information about using Queue Viewer, see Queue
Viewer.
Also remember that queues exist on Mailbox servers and Edge Transport servers (the Transport service). For
more information about queues and messages in queues, see Queues and messages in queues.
Queue identity
The Identity parameter uses the basic syntax <Server>\ <Queue>. Typically, this value uniquely identifies the
queue, so you can't use other filtering parameters with the Identity parameter. The exception is the Get-Queue
cmdlet, where you can use the Include and Exclude parameters with the Identity parameter.
The following table explains the Identity parameter syntax on the queue management cmdlets.
For a complete list of queue properties you can use with the Filter parameter, see Queue properties.
For a list of comparison operators you can use with the Filter parameter, see the Comparison operators to use
when filtering queues or messages section in this topic.
For examples of procedures that use the Filter parameter to view and manage queues, see Procedures for
queues.
Include and Exclude parameters on Get-Queue
You can use the Include and Exclude parameters on the Get-Queue cmdlet by themselves, with each othe , or
with the other filtering parameters to fine-tune your results. For example, you can:
Exclude empty queues.
Exclude queues to external destinations.
Include queues that have a specific value of DeliveryType.
The Include and Exclude parameters use the following queue properties to filter queues:
DeliveryType Includes or excludes queues based on Returns all delivery queues on the local
the DeliveryType property that server where the next hop is a Send
defines how the message will be connector that's hosted on the local
transmitted to the next hop. The valid server and is configured for smart host
values are described in routing.
NextHopSolutionKey. Get-Queue -Include
You can specify multiple values SmartHostConnectorDelivery
separated by commas.
Empty Includes or excludes empty queues. Returns all queues on the local server
Empty queues have the value 0 in the that contain messages.
MessageCount property. Get-Queue -Exclude Empty
External Includes or excludes queues that have Returns all internal queues on the local
the value External in the server.
NextHopCategory property. Get-Queue -Exclude External
External queues always have one of the
following values for DeliveryType:
• DeliveryAgent
• DnsConnectorDelivery
• NonSmtpGatewayDelivery
• SmartHostConnectorDelivery
For more information, see
NextHopSolutionKey.
Internal This value includes or excludes queues Returns all internal queues on the local
that have the value Internal in the server.
NextHopCategory property. Note Get-Queue -Include Internal
that a message for an external recipient
may require multiple internal hops
before it reaches a gateway server
where it's delivered externally.
Note that you can duplicate the functionality of the Include and Exclude parameters by using the Filter parameter.
For example, the following commands produce the same result:
Get-Queue -Exclude Empty
However, as you can see, the syntax of the Include and Exclude parameters is simpler and easier to remember.
Get-QueueDigest
The Get-QueueDigest cmdlet allows you to view information about some or all of the queues in your
organization by using a single command. Specifically, the Get-QueueDigest cmdlet allows you to view
information about queues based on their location on servers, in DAGs, in Active Directory sites, or in the whole
Active Directory forest.
Note that queues on a subscribed Edge Transport server aren't included in the results. Also, Get-QueueDigest is
available on an Edge Transport server, but the results are restricted to local queues on the Edge Transport server.
NOTE
By default, the Get-QueueDigest cmdlet displays delivery queues that contain ten or more messages, and the results are
between one and two minutes old. For instructions on how to change these default values, see Configure Get-
QueueDigest.
The following table describes the filtering and sorting parameters that are available on the Get-QueueDigest
cmdlet.
PARAMETER DESCRIPTION
Dag, Server, or Site These parameters are mutually exclusive (can't be used in the
same command), and set the scope for the cmdlet. You need
to specify one of these parameters or the Forest switch.
Typically, you would use the name of the server, DAG or
Active Directory site, but you can use any value that uniquely
identifies the server, DAG, or site. You can specify multiple
servers, DAGs, or sites separated by commas.
Forest This switch is required if you aren't using the Dag, Server, or
Site parameters. You don't specify a value with this switch. By
using this switch, you get queues from all Exchange Mailbox
servers in the local Active Directory forest. You can't use this
switch to view queues in remote Active Directory forests.
GroupBy Groups the queue results. You can group the results by one
of the following properties:
• DeliveryType
• LastError
• NextHopCategory
• NextHopDomain
• NextHopKey
• Status
• ServerName
By default, the results are grouped by NextHopDomain. For
information about these queue properties, see Queue
properties.
ResultSize Limits the queue results to the value you specify. The queues
are sorted in descending order based on the number of
messages in the queue, and grouped by the value specified
by the GroupBy parameter. The default value is 1000. This
means that by default, the command displays the top 1000
queues grouped by NextHopDomain, and sorted by the
queues containing the most messages to the queues
containing the least messages.
This example returns all non-empty external queues on the servers named Mailbox01, Mailbox02, and
Mailbox03.
Message identity
The Identity parameter on the message management cmdlets uniquely identifies a message in one or more
queues, so you can't use any other message filtering parameters. The Identity parameter uses the basic syntax
<Server>\<Queue>\<MessageInteger> .
The following table describes the syntax you can use with Identity parameter on the message management
cmdlets.
<Server>\*\<MessageInteger> or *\<MessageInteger> All copies of the message in all queues in the queue database
or <MessageInteger> on the specified or local server.
For a complete list of message properties you can use with the Filter parameter, see Message properties ).
For a list of comparison operators you can use with the Filter parameter, see the Comparison operators to use
when filtering queues or messages section in this topic.
For examples of procedures that use the Filter parameter to view and manage messages, see Procedures for
messages in queues.
Queue parameter
The Queue parameter is available only on the Get-Message cmdlet. You can use this parameter to get all
messages in a specific queue, or all messages from multiple queues by using the wildcard character (*). When
you use the Queue parameter, use the queue identity format <Server>\<Queue> as described in the Queue identity
section in this topic.
-eq Exact match of the specified value. Show all queues that have a status of
Retry:
Get-Queue -Filter {Status -eq
"Retry"}
Show all messages that have a status
of Retry:
Get-Message -Filter {Status -eq
"Retry"}
-ne Does not match the specified value. Show all queues that don't have a
status of Active:
Get-Queue -Filter {Status -ne
"Active"}
Show all messages that don't have a
status of Active:
Get-Message -Filter {Status -ne
"Active"}
-gt Greater than the specified integer or Show queues that currently contain
date/time value. more than 1,000 messages:
Get-Queue -Filter {MessageCount
-gt 1000}
Show messages that currently have a
retry count that's more than 3:
Get-Message -Filter {RetryCount
-gt 3}
OPERATOR FUNCTION CODE EXAMPLE
-ge Greater than or equal to the specified Show queues that currently contain
integer or date/time value. 1,000 or more messages:
Get-Queue -Filter {MessageCount
-ge 1000}
Show messages that currently have a
retry count that's 3 or more:
Get-Message -Filter {RetryCount
-ge 3}
-lt Less than the specified integer or Show queues that currently contain
date/time value. less than 1,000 messages:
Get-Queue -Filter {MessageCount
-lt 1000}
Show messages that have an SCL that's
less than 6:
Get-Message -Filter {SCL -lt 6}
-le Less than or equal to the specified Show queues that currently contain
integer or date/time value. 1,000 or fewer messages:
Get-Queue -Filter {MessageCount
-le 1000}
Show messages that have an SCL that's
6 or less:
Get-Message -Filter {SCL -le 6}
-like Contains the specified text. You need to Show queues that have a destination
include the wildcard character (*) in the to any SMTP domain that ends in
text string. Contoso.com:
Get-Queue -Filter {Identity -
like "*contoso.com"}
Show messages that have a subject
that contains the text "payday loan":
Get-Message -Filter {Subject -
like "*payday loan*"}
You can specify a filter that evaluates multiple expressions by using the logical operator -and . The queues or
messages must match all of the filter conditions to be included in the results.
This example displays a list of queues that have a destination to any SMTP domain name that ends in
Contoso.com and that currently contain more than 500 messages.
This example displays a list of messages that are sent from any email address in the contoso.com domain that
have an SCL value that's greater than 5.
PARAMETER DESCRIPTION
BookmarkObject Specifies the object in the results where the displayed results
start. If you specify a bookmark object, that object is used as
the point to start the search. The rows before or after that
object (depending on the value of the SearchForward
parameter) are retrieved.
You can't use this parameter with the BookmarkIndex
parameter.
SortOrder Specifies the message properties that control the sort order
of the results. The order that the properties are specified
indicates a descending order of precedence (the results are
sorted by the first property, then those results are sorted by
the second property, and son on).
This parameter uses the syntax:
<+|-><Property1>,<+|-><Property2>... , where + sorts
the property in ascending order, and - sorts the property
in descending order.
If you don't use this parameter, the results are sorted by the
Identity property in ascending order.
This example shows how to use the advanced paging parameters in a query. The command returns the first 500
messages on the specified server. The results are sorted first in ascending order by sender address, and then in
descending order by message size.
This example returns the first 500 messages on the specified server in the specified sort order, sets a bookmark
object, excludes the bookmark object from the results, and retrieves the next 500 messages in the same sort
order.
1. Run the following command to retrieve the first page of results.
2. To set the bookmark object, run the following command to save the last element of the first page to a
variable.
$Temp=$Results[$results.length-1]
3. To retrieve the next 500 objects on the specified server, and to exclude the bookmark object, run the
following command.
Exchange Server uses an Extensible Storage Engine (ESE ) database for queue message storage. All the different
queues are stored in a single ESE database. Queues exist on Exchange Mailbox servers and Edge Transport
servers. For more information about queues, see Queues and messages in queues.
The location of the queue database and the queue database transaction logs is controlled by keys in the
%ExchangeInstallPath%Bin\EdgeTransport.exe.config XML application configuration file. This file is associated with
the Exchange Transport service. The following table explains each key in more detail.
KEY DESCRIPTION
QueueDatabasePath Specifies the location of the queue database files. The files are:
• Mail.que
• Trn.chk
The default location is
%ExchangeInstallPath%TransportRoles\data\Queue .
Notepad %ExchangeInstallPath%Bin\EdgeTransport.exe.config
For example, to create a new queue database and transaction logs in D:\Queue\QueueDB, use the
following values:
Use the Command Prompt to move the existing queue database and
transaction logs to a new location
NOTE
There is also a script to move the queue database and transaction logs, it can be found in the %ExchangeInstallPath%Scripts
folder and it's called Move-TransportDatabase.ps1. You have to specify the following parameters: queueDatabasePath,
queueDatabaseLoggingPath, iPFilterDatabasePath, iPFilterDatabaseLoggingPath and temporaryStoragePath.
Although you'll need to move the existing queue database to preserve any undelivered messages in it, you
typically don't need to move the existing transaction logs because:
An ordinary shutdown of the Exchange Transport service writes all uncommitted transaction log entries to
the queue database.
Circular logging is used, so transaction logs that contain previously committed database changes aren't
preserved.
1. Create the folder where you want to keep the queue database and transaction logs. Make sure that the
correct permissions are applied to the folder.
2. In a Command prompt window, open the EdgeTransport.exe.config file in Notepad by running the
following command:
Notepad %ExchangeInstallPath%Bin\EdgeTransport.exe.config
For example, to change the location of the queue database and transaction logs to D:\Queue\QueueDB, use
the following values:
5. Move the existing database files Mail.que and Trn.chk from the old location to the new location.
6. Move the existing transaction log files Trn.log, Trntmp.log, Trn nnnnn.log, Trnres00001.jrs, Trnres00002.jrs,
and Temp.edb from the old location to the new location.
7. Start the Exchange Transport service by running the following command:
net start MSExchangeTransport
In Exchange Server, messages that can't be successfully delivered are subject to various retry, resubmit, and
expiration deadlines based on the message's source and destination. Retry is a renewed connection attempt with
the destination. Resubmit is the act of sending messages back to the Submission queue for the categorizer to
reprocess. The message expires after all delivery efforts have failed over a specified period of time. After a
message expires, the sender is notified of the delivery failure, and the message is deleted from the queue.
In all three cases of retry, resubmit, or expire, you can manually intervene before the automatic actions are
performed on the messages.
For instructions on how to configure these intervals, see Configure message retry, resubmit, and expiration
intervals.
NOTE
Any customized Exchange or Internet Information Server (IIS) settings that you made in Exchange XML application
configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be
overwritten when you install an Exchange CU. Be sure save this information so you can easily re-apply the settings after
the install. After you install the Exchange CU, you need to re-configure these settings.
Configuration options for automatic message retry in the Exchange admin center and the Exchange
Management Shell
The automatic message retry interval settings that are available in the Exchange admin center (EAC ) and the
Exchange Management Shell are described in the following table.
Outbound connection Transport service on Cmdlet: Set- Servers > select server >
failure retry interval: The Mailbox servers: 10 minutes TransportService Edit ( ) > Transport
retry interval for outbound ( 00:10:00 ) Parameter: limits > Retry section >
connection attempts that Edge Transport Servers: 30 OutboundConnectionFailur Outbound connection
have previously failed. The minutes ( 00:30:00 ) eRetryInterval failure retry interval
previously failed connection (seconds)
attempts are controlled by
the transient failure retry
count and interval values.
EXCHANGE ADMIN CENTER
AUTOMATIC MESSAGE RETRY EXCHANGE MANAGEMENT CONFIGURATION ON
SETTING DEFAULT VALUE SHELL CONFIGURATION MAILBOX SERVERS
Transient failure retry 6 Cmdlet: Set- Servers > select server >
count: The number of TransportService Edit ( ) > Transport
connection attempts that Parameter: limits > Retries section >
are tried after the queue TransientFailureRetryCount Transient failure retry
glitch retry count and attempts
interval values have failed.
These failures can be caused
by server restarts or cached
DNS lookup failures.
A valid value is an integer
from 0 through 15. The
value 0 means the next
connection attempt is
controlled by the outbound
connection failure retry
interval.
Transient failure retry Transport service on Cmdlet: Set- Servers > select server >
interval: The connection Mailbox servers: 5 minutes ( TransportService Edit ( ) > Transport
interval between each 00:05:00 ) Parameter: limits > Retries section >
connection attempt that's Edge Transport servers: 10 TransientFailureRetryInterv Transient failure retry
specified by the transient minutes ( 00:10:00 ) al interval (minutes)
failure retry count value.
Delay notification 4 hours ( 4:00:00 ) Cmdlet: Set- Servers > select server >
timeout: How long the TransportService Edit ( ) > Transport
server waits before it sends Parameter: limits > Notifications
a delay DSN message to the DelayNotificationTimeOut section > Notify sender
sender. when message is delayed
This value should always be after (hours)
greater than the transient
failure retry count multiplied
by the transient failure retry
interval (the default total is
30 minutes on a Mailbox
server, and one hour on an
Edge Transport server).
NOTE
Any customized Exchange or Internet Information Server (IIS) settings that you made in Exchange XML application
configuration files on the Exchange server (for example, web.config files or the EdgeTransport.exe.config file) will be
overwritten when you install an Exchange CU. Be sure save this information so you can easily re-apply the settings after
the install. After you install the Exchange CU, you need to re-configure these settings.
2 days ( 2.00:00:00 ) Cmdlet: Set-TransportService Servers > select server > Edit ( ) >
Parameter: MessageExpirationTimeOut Transport limits > Message
expiration section > Maximum time
since submission (days)
In Exchange Server, you can configure message retry, resubmit, and expiration intervals in the Transport service on
Mailbox servers and Edge Transport servers. For detailed descriptions of these settings, see Message retry,
resubmit, and expiration intervals.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
1. In a Command prompt window on the Mailbox server or Edge Transport server, open the
EdgeTransport.exe.config file in Notepad by running this command:
Notepad %ExchangeInstallPath%Bin\EdgeTransport.exe.config
This example changes the queue glitch retry count to 6, the queue glitch retry interval to 30 seconds, the
mailbox delivery queue retry interval to 3 minutes, and the maximum idle time before resubmit interval to
6 hours.
Notepad %ExchangeInstallPath%Bin\EdgeTransport.exe.config
Configure the transient failure retry attempts, the transient failure retry
interval, and the outbound connection failure retry interval
Transient failure retry attempts: The number of connection attempts that are tried after the connection
attempts controlled by the QueueGlitchRetryCount and QueueGlitchRetryInterval keys have failed. A valid
value is 0 through 15, and the default value is 6. If you set the value to 0, the next connection attempt is
controlled by the outbound connection failure retry interval.
Transient failure retry interval: The interval between each transient failure retry attempt. On Mailbox
servers, the default value is 5 minutes. On Edge Tranport Servers, the default value is 10 minutes.
Outbound connection failure retry interval: The retry interval for outgoing connection attempts that
have previously failed (the transient failure retry attempts and the transient failure retry interval). On
Mailbox servers, the default value is 10 minutes. On Edge Tranport Servers, the default value is 30 minutes.
Use the EAC to configure the transient failure retry attempts, the transient failure retry interval, or the
outbound connection failure retry interval on Mailbox servers
1. In the EAC, go to Servers > Servers, select the server, and then click Edit .
2. In the server properties window that opens, click Transport limits.
3. In the Retries section, enter a value for any of these settings:
Outbound connection failure retry interval (seconds)
Transient failure retry interval (minutes)
Transient failure retry attempts
When you're finished, click Save.
Use the Exchange Management Shell to configure the transient failure retry attempts, the transient failure retry
interval, and the outbound connection failure retry interval on Mailbox severs or Edge Transport servers
To configure the intervals in the Transport service on Mailbox servers or Edge Transport servers, use this syntax:
To configure the intervals in the Front End Transport service on Mailbox servers, use this syntax:
This example changes the following values on the Mailbox server named Mailbox01:
The number of transient failure retry attempts is set to 8.
The transient failure retry interval is set to 1 minute.
The outbound connection failure retry interval is set to 45 minutes.
In the Exchange Management Shell on a Mailbox serve, run this command to verify the property values:
This example changes the message retry interval to 20 minutes on the Mailbox server named Mailbox01.
This example changes the delay DSN message notification timeout interval to 6 hours on the Mailbox server
named Mailbox01.
Use the Exchange Management Shell to enable or disable the sending of delay DSN notifications to external or
internal message senders
To configure the delay DSN notification settings, use this syntax:
This example prevents the sending of delay DSN notification messages to external senders.
This example prevents the sending of delay DSN notification messages to internal senders.
This example changes the message expiration timeout interval to 4 days on the Exchange server named
Mailbox01.
When there's a problem delivering a message, Exchange sends an NDR to the message sender that indicates there
was a problem. NDRs include a code that indicates why the message wasn't delivered, and possible solutions to
help get the message delivered.
The information that's included in NDRs is designed to be easy to read and helpful for both users and
administrators. In some cases, senders can identify and fix their own problems (for example, when there's a typo in
the recipient's email address). In other cases, an administrator may need to fix an issue in the Exchange
environment, or notify the administrators in the destination domain about problems in their messaging
environment.
For procedures related to NDRs in Exchange Server, see Procedures for DSNs and NDRs in Exchange Server.
If you need help with NDRs in Office 365 or Exchange Online, see Email non-delivery reports in Office 365 .
Information in NDRs
This is an example of an NDR:
NOTE
For information about enhanced status codes in Office 365 and hybrid environments, see Email non-delivery reports in
Office 365.
4.3.1 Insufficient system resources Free disk space is low (for example, the
disk that holds the queue database
doesn't have the required amount of
free space). For more information, see
Understanding back pressure. To move
the queue database to different disk,
see Change the location of the queue
database.
Available memory is low (for example,
Exchange installed on a virtual machine
that's configured to use dynamic
memory). Always use static memory on
Exchange virtual machines. For more
information, see Exchange memory
requirements and recommendations.
ENHANCED STATUS CODE DESCRIPTION POSSIBLE CAUSES AND SOLUTIONS
5.1.8 Access denied, bad outbound The sender has exceeded a message
sender rate limit (for example, an application
server is configured to relay a large
number of messages through
Exchange. For more information, see
Message rate limits and throttling and
Allow anonymous relay on Exchange
servers.
5.3.2 STOREDRV.Deliver: Missing or bad You're using the ABP Routing agent,
StoreDriver MDB properties and the recipient isn't a member of the
global address list that's specified in
their address book policy (ABP). For
more information, see Install and
Configure the Address Book Policy
Routing Agent and Address book
policies in Exchange Server.
5.3.4 Message size exceeds fixed The message is too large. This error can
maximum message size be generated by the source or
destination messaging system. Send
the message again without any
attachments, or configure a larger
message size limit. For more
information, see Message size limits in
Exchange Server.
5.3.5 System incorrectly configured A mail loop was detected. Verify that
the FQDN property on the Receive
connector doesn't match the FQDN of
another server, service, or device that's
used in mail flow in your organization
(by default, the Receive connector uses
the FQDN of the Exchange server).
5.7.3 Cannot achieve Exchange Server A firewall or other device is blocking the
authentication Extended SMTP command that's
or required for Exchange Server
Not Authorized authentication (X-EXPS).
Internal email traffic is flowing through
connectors that aren't configured to
use the Exchange Server authentication
method . Verify the remote IP address
ranges on any custom Receive
connectors.
5.7.900 Delivery not authorized, message The message was rejected by a mail
to refused flow rule (also known as a transport
5.7.999 rule). This enhanced status code range
is available when the rule is configured
to reject messages (otherwise, the
default code that's used is 5.7.1). For
more information, see Mail flow rule
actions in Exchange Server.
Procedures for DSNs and NDRs in Exchange Server
8/23/2019 • 15 minutes to read • Edit Online
Like previous versions of Exchange, Exchange Server uses delivery status notifications (also known as DSNs, non-
delivery reports, NDRs, or bounce messages) to provide delivery status and failure notification messages to
message senders. For more information about NDRs, see DSNs and NDRs in Exchange Server.
You can use the default NDRs that are included in Exchange, or you can use the Exchange Management Shell to
create NDRs with custom text to meet the needs of your organization. The custom NDR text replaces the default
text for a given enhanced status code or quota event. If you remove the custom NDR, the default NDR text is used
(you can't completely remove a default NDR ). You can also disable custom NDRs to preserve them, but not use
them (the default NDR text is used).
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Note: You should output the list to a file, because the list is very long, and you'll receive errors if you don't have
the required language packs installed.
For detailed syntax and parameter information, see Get-SystemMessage.
Get-SystemMessage
Note: By default, there are no custom NDRs, so this command returns no results.
To view detailed information for a custom NDR, use this syntax:
For an explanation of the available <NDRIdentity> values, see the Identity values for NDRs section in this topic.
This example returns detailed information for the custom NDR for the enhanced status code 5.1.2 that's sent to
internal senders in English. If there's no custom NDR for this combination of language, audience, and enhanced
status code, you'll receive an error.
This example returns detailed information for the custom English NDR for the ProhibitSendReceive quota on
mailboxes. If there's no custom NDR for this combination of language and quota, you'll receive an error.
New-SystemMessage -Internal <$true | $false> -Language <Locale> -DSNCode <x.y.z> -Text "<NDR text>"
This example creates a custom HTML NDR for the enhanced status code 5.1.2 that's sent to internal senders in
English.
New-SystemMessage -DSNCode 5.1.2 -Internal $true -Language En -Text 'You tried to send a message to a
<B>disabled</B> mailbox. Please visit <A HREF="https://it.contoso.com">Internal Support</A> or contact
"InfoSec" for more information.'
Send a test message that will generate the custom NDR that you configured.
For an explanation of the available <NDRIdentity> values, see the Identity values for NDRs section in this topic.
For an explanation of the <NDR text> values, see the HTML tags and special characters in NDRs section in this
topic.
This example changes the text in the custom NDR for the enhanced status code 5.1.2 that's sent to internal senders
in English.
Set-SystemMessage -Identity En\Internal\5.1.2 -Text "The mailbox you tried to send an email message to is
disabled and is no longer accepting messages. Please contact the Help Desk at extension 123 for assistance."
This example changes the text in the custom English NDR for the ProhibitSendReceive quota on mailboxes.
Set-SystemMessage -Identity En\ProhibitSendReceiveMailBox -Text "Your mailbox is full. Delete large messages
and empty your Deleted Items folder."
This example disables the specified custom NDR. The custom NDR is preserved, and appears in the results of Get-
SystemMessage, but the default NDR is used instead.
Note: If there's no corresponding default NDR, you receive an error when you use the Original switch.
For detailed syntax and parameter information, see Set-SystemMessage.
How do you know this worked?
To verify that you have successfully modified a custom NDR, replace <NDRIdentity> with the appropriate value,
and run this command to verify the property values:
For an explanation of the available <NDRIdentity> values, see the Identity values for NDRs section in this topic.
This example removes the custom NDR for the enhanced status code 5.1.2 that's sent to internal senders in
English.
This example removes the custom English NDR for the ProhibitSendReceive quota on mailboxes.
Get-SystemMessage
Forward copies of NDRs to the Exchange recipient mailbox
You can configure your Exchange organization to send copies of NDRs to the Exchange recipient. However, by
default, no mailbox is assigned to the Exchange recipient, so any messages that are sent to the Exchange recipient
are discarded. To send copies of NDRs to the Exchange recipient mailbox, you need to:
1. Assign a mailbox to the Exchange recipient.
2. Specify the enhanced status codes that you want to monitor (not quotas).
Step 1: Use the Exchange Management Shell to assign a mailbox to the Exchange recipient
Note: Due to the high volume of messages, we recommend using a dedicated mailbox for the Exchange recipient.
For more information about creating mailboxes, see Create shared mailboxes in the Exchange admin center and
Create user mailboxes in Exchange Server.
To assign a mailbox to the Exchange recipient, use this syntax:
This example assigns the existing mailbox named "Contoso System Mailbox" to the Exchange recipient.
Step 2: Specify the enhanced status codes that you want to monitor
You can use the EAC or the Exchange Management Shell.
By default, even though there are no enhanced status codes specified, NDRs for these codes are
automatically sent to the Exchange recipient:
5.1.4
5.2.0
5.2.4
5.4.4
5.4.6
5.4.8
You can only specify enhanced status codes. You can't specify quotas.
Use the EAC to specify the enhanced status codes to monitor
For more information about the EAC, see Exchange admin center in Exchange Server.
1. In the EAC, go to Mail flow > Receive connectors.
2. Click More options ( ) and select Organization transport settings.
3. In the Organization transport settings window that opens, click the Delivery tab. In the DSN codes
section, do one or more of these steps:
To add entries, type the enhanced status code that you want to monitor (4. <y.z> or 5. <y.z>), and
then click Add ( ). Repeat this step as many times as you need to.
To modify an existing entry, select it click Edit ( ), and then modify it inline.
To remove an existing entry, select it and then click Remove ( ).
When you're finished, click Save.
Use the Exchange Management Shell to specify the enhanced status codes to monitor
To add enhanced status codes to monitor, which replaces any existing values, use this syntax:
This example configures the Exchange organization to forward all NDRs for the enhanced status code values 5.7.1,
5.7.2, and 5.7.3 to the Exchange recipient.
To add or remove entries without modifying any existing values, use this syntax:
This example adds the enhanced status code 5.7.5 and removes 5.7.1 from the existing list of NDRs that are
forwarded to the Exchange recipient.
Monitor the Exchange recipient mailbox to see if NDRs that contain the specified enhanced status codes are
delivered there.
<DSNcode>: Valid values are 4. x. y or 5. x. y where x and y are one to three digit numbers. To
generate a list of the enhanced status codes that are used by Exchange, see the Use the Exchange
Management Shell to view all default NDRs section earlier in this topic.
Internal or External: You can use different text in NDRs for internal or external senders.
<Language>: For the list of supported languages, see the Supported languages for NDRs section in
this topic.
NDRs for quotas: <Language>\ <QuotaMessageType>. For example, En\ProhibitSendReceiveMailBox .
<Language>: For the list of supported languages, see the Supported languages for NDRs section in
this topic.
<QuotaMessageType>: Valid values are:
Mailbox size quotas:
ProhibitSendReceiveMailBox: A mailbox exceeds its ProhibitSendReceiveQuota limit.
ProhibitSendMailbox: A mailbox exceeds its ProhibitSendQuota limit.
WarningMailbox: A mailbox exceeds its IssueWarningQuota limit when it has a
ProhibitSendQuota or ProhibitSendReceiveQuota limit configured.
af Afrikaans
ar Arabic
bg Bulgarian
ca Catalan
cs Czech
da Danish
de German
el Greek
en English
es Spanish
et Estonian
eu Basque
fa Persian
LANGUAGE CODE LANGUAGE
fi Finnish
fr French
gl Galician
gu Gujarati
he Hebrew
hi Hindi
hr Croatian
hu Hungarian
hy Armenian
id Indonesian
is Icelandic
it Italian
ja Japanese
ka Georgian
kk Kazakh
kn Kannada
ko Korean
kok Konkani
ky Kyrgyz
LANGUAGE CODE LANGUAGE
lt Lithuanian
lv Latvian
mk Macedonian
mr Marathi
ms Malay
nl Dutch
no Norwegian
pa Punjabi
pl Polish
pt Portuguese
ro Romanian
LANGUAGE CODE LANGUAGE
ru Russian
sk Slovak
sl Slovenian
sq Albanian
sr Serbian
sv Swedish
sw Kiswahili
ta Tamil
te Telugu
th Thai
tr Turkish
tt Tatar
uk Ukrainian
ur Urdu
uz Uzbek
vi Vietnamese
To control the languages that are used in NDRs, you use these parameters on the Set-TransportConfig cmdlet:
ExternalDsnDefaultLanguage: Specifies the default language to use on external NDRs. The default value is
blank ( $null ), which means the default Windows server language is used.
InternalDsnDefaultLanguage: Specifies the default language to use on internal NDRs. The default value is
blank ( $null ), which means the default Windows server language is used.
ExternalDsnLanguageDetectionEnabled
$true : Exchange tries to send an external NDR in the same language as the original message. This is
the default value.
$false : Language detection is disabled for external NDRs, The NDR language is determined by the
ExternalDsnDefaultLanguage parameter.
InternalDsnLanguageDetectionEnabled
$true : Exchange tries to send an internal NDR in the same language as the original message. This is
the default value.
$false : Language detection is disabled for internal NDRs, The NDR language is determined by the
InternalDsnDefaultLanguage parameter.
This table describes the HTML tags that you can use in the NDR text.
Certain characters in an NDR require escape codes to identify them literally, and not by their function in the NDR.
These characters are described in the following table:
< <
> >
" "
& &
For example, if you want the NDR to display the text Please contact the Help Desk at <1234>. , you need to the
value "Please contact the Help Desk at <1234>."
This is an example of a custom NDR text value that uses HTML tags and escape codes.
Content conversion is the process of correctly formatting a message for each recipient. The decision to perform
content conversion on a message depends on the destination and format of the message. They types of content
conversion that occur in Exchange 2016 and Exchange 2019 are unchanged from Exchange 2013:
Message conversion for external recipients: This type of content conversion includes the Transport
Neutral Encapsulation Format (TNEF ) conversion options and message encoding options for external
recipients. Messages sent to recipients inside the Exchange organization don't require this type of content
conversion. This type of content conversion is handled by the categorizer in the Transport service on a
Mailbox server. Categorization on each message happens after a newly arrived message is put in the
Submission queue. In addition to recipient resolution and routing resolution, content conversion is
performed on the message before the message is put in a delivery queue. If a single message contains
multiple recipients, the categorizer determines the appropriate encoding for each message recipient.
Content conversion tracing doesn't capture any content conversion failures that the categorizer encounters
as it converts messages sent to external recipients.
MAPI conversion for internal recipients: his type of content conversion is handled by the Mailbox
Transport service. The Mailbox Transport service exists on Mailbox servers to transmit messages between
mailbox databases on the local server, and the Transport service on Mailbox servers. Specifically, the
Mailbox Transport Submission service transmits messages from the sender's Outbox to the Transport
service on a Mailbox server. The Mailbox Transport Delivery service transmits messages from the Transport
service on a Mailbox server to the recipient's Inbox. The Mailbox Transport Submission service converts all
outgoing messages from MAPI and the Mailbox Transport Delivery service converts all incoming messages
to MAPI. Content conversion tracing captures these MAPI conversion failures. For more information, see
Managing Content Conversion Tracing.
HTML: An HTML message supports text formatting, background images, tables, bullet points, and other
graphical elements. By definition, an HTML -formatted message must be MIME -encoded to preserve these
formatting elements.
Rich text format (RTF): RTF supports text formatting and other graphical elements. RTF is synonymous
with TNEF (TNEF and RTF can be used interchangeably). The rich text message format is completely
different from the rich text document format that's available in Word.
TNEF: The Transport Neutral Encapsulation Format is a Microsoft-specific format for encapsulating MAPI
message properties. A TNEF message contains a plain text version of the message and an attachment that
packages the original formatted version of the message. Typically, this attachment is named Winmail.dat.
The Winmail.dat attachment includes the following information:
Original formatted version of the message (for example, fonts, text sizes, and text colors)
OLE objects (for example, embedded pictures or embedded Office documents)
Special Outlook features (for example, custom forms, voting buttons, or meeting requests)
Regular message attachments that were in the original message
The resulting plain text message can be represented in the following formats:
RFC 5322-compliant message composed of only US -ASCII text with a Winmail.dat attachment
encoded in Uuencode
Multipart MIME -encoded message that has a Winmail.dat attachment
Outlook and other email clients that fully understand TNEF process the Winmail.dat attachment and
display the original message content without ever displaying the Winmail.dat attachment. Email
clients that don't understand TNEF may present TNEF messages in any of the following ways:
The plain text version of the message is displayed, and the message contains an attachment named
Winmail.dat, Win.dat, or some other generic name such as Att nnnnn.dat or Att nnnnn.eml where the
nnnnn placeholder represents a random number.
The plain text version of the message is displayed. The TNEF attachment is ignored or removed. The
result is a plain text message.
Messaging servers that understand TNEF can be configured to remove TNEF attachments from
incoming messages. The result is a plain text message. Moreover, some email clients may not
understand TNEF, but recognize and ignore TNEF attachments. The result is a plain text message.
There are third-party utilities that can help convert Winmail.dat attachments.
TNEF is understood by all versions of Exchange since Exchange Server version 5.5.
Summary Transport Neutral Encapsulation Format (STNEF): STNEF is equivalent to TNEF. However,
STNEF messages are encoded differently than TNEF messages. Specifically, STNEF messages are always
MIME -encoded, and always have the Content-Transfer-Encoding value Binary . Therefore, there's no
plain text representation of the message, and there's no distinct Winmail.dat attachment contained in the
body of the message. The whole message is represented by using only binary data. Messages that have a
Content-Transfer-Encoding value of Binary can only be transferred between messaging servers that
support and advertise the BINARYMIME and CHUNKING SMTP extensions as defined in RFC 3030. The
messages are always transferred between messaging servers by using the BDAT command, instead of the
standard DATA command.
STNEF is understood by all versions of Exchange since Exchange 2000. STNEF is automatically used for all
messages transferred between Exchange servers in the organization since native mode Exchange Server
2003.
Exchange never sends STNEF messages to external recipients. Only TNEF messages can be sent to
recipients outside the Exchange organization.
Content conversion options for external recipients
The content conversion options that you can set in an Exchange organization for external recipients can be
described in the following categories:
TNEF conversion options: These conversion options specify whether TNEF should be preserved or
removed from messages that leave the Exchange organization.
Message encoding options: These options specify message encoding options, such as MIME and non-
MIME character sets, message encoding, and attachment formats.
These conversion and encoding options are independent of one another. For example, whether TNEF messages
can leave the Exchange organization isn't related to the MIME encoding settings or plain text encoding settings of
those messages.
You can specify the content conversion at various levels of the Exchange organization as described in the following
list:
Remote domain settings: Remote domains define the settings for outgoing message transfers between
the Exchange organization and external domains.. Even if you don't create remote domain entries for
specific domains, there's a predefined remote domain named Default that applies to all remote address
spaces (*). For more information about remote domains, see Remote Domains.
Mail user and mail contact settings: Mail users and mail contacts are similar because both have external
email addresses and contain information about people outside the Exchange organization. The main
difference is mail users have accounts that they can use to log on to Active Directory and access resources in
the organization. For more information, see Recipients.
Outlook settings: You can set these message formatting and encoding options in Outlook:
Message format: You can set the default message format for all messages. You can override the
default message format as you compose a specific message.
Internet message format: You can control whether TNEF messages are sent to remote recipients or
whether they are first converted to a more compatible format. You can also specify various message
encoding options for messages sent to remote recipients. These settings don't apply to messages
sent to recipients in the Exchange organization.
Internet recipient message format (Outlook 2010 or earlier): You can control whether TNEF
messages are sent to specific contacts in your Contacts folder. These conversion options aren't
available for recipients in the Exchange organization.
Internet recipient message encoding options (Outlook 2010 or earlier): You can control the
MIME or plain text encoding options for specific contacts in your Contacts folder. These conversion
options aren't available for recipients in the Exchange organization.
International options: You can control the character sets used in messages.
For more information about these settings, see TNEF conversion options and Message encoding
options in Exchange Server.
Binary: Indicates that the message body contains non-US -ASCII text or binary data. Specifically, this
means that the following conditions are true:
Any sequence of characters is allowed.
There is no line length limitation.
Binary message elements don't require encoding.
Messages that have binary bodies can only travel between messaging servers that support the
BINARYMIME SMTP extension as defined in RFC 3030, such as Exchange 2000 Server or later.
Specifically, this means that the following conditions must be true:
The BINARYMIME keyword must be advertised in the server's EHLO response.
The BINARYMIME SMTP extension can only be used with the CHUNKING SMTP extension.
Chunking enables large message bodies to be sent in multiple, smaller chunks. Chunking is also
defined in RFC 3030. The CHUNKING keyword must also be advertised in the server's EHLO
response.
Messages are transferred using the BDAT command instead of the standard DATA command.
The BODY=BINARYMIME parameter must be added to the end of the MAIL FROM command when the
message has a message body.
The values 7bit , 8bit , and Binary never exist together in the same multipart message (the values are mutually
exclusive). The Quoted-printable or Base64 values may appear in a 7-bit or 8-bit multipart message body, but
never in a binary message body. If a multipart message body contains different parts composed of 7-bit and 8-bit
content, the whole message is classified as 8-bit. If a multipart message body contains different parts composed of
7-bit, 8-bit, and binary content, the whole message is classified as binary.
Content-Disposition header field
Default value: Attachment
This header field instructs a MIME -enabled email client on how it should display an attached file, and is described
in RFC 2183. Valid values are:
Inline : The attachment is displayed in the message body.
Attachment: The attached file appears as a regular attachment separate from the message body. Other
parameters are also with this values (for example, Filename , Creation-date , and Size ).
Message encoding options in Exchange Server
8/23/2019 • 9 minutes to read • Edit Online
The message encoding options in Exchange Server let you specify message characteristics such as MIME and non-
MIME character sets, binary encoding, and attachment formats. You can specify message encoding options in the
following locations:
Remote domain settings
Mail contact and mail user settings
Outlook settings:
Message format
Internet message format
Internet recipient message format (Outlook 2010 or earlier)
Message character set encoding options
Outlook on the web (formerly known as Outlook Web App) message format settings
Typically, the default settings for these message encoding options will work fine. However, you might need to
change the messaging encoding options for recipients that are using older email clients or messaging systems.
They'll likely tell you if messages from your Exchange environment appear to have formatting issues.
For more information about content conversion in Exchange, see Content conversion. For TNEF (also known as or
Rich Text) settings, see TNEF conversion options.
MIME character set: The specified Mail flow > Remote domains > Add Cmdlet: Set-RemoteDomain
character set is only used for MIME , or select an existing remote domain, Parameters: CharacterSet and
messages that don't contain a character and then click Edit > Supported NonMimeCharacterSet
set. This setting won't overwrite character set section.
character sets that are already specified
in outgoing messages.
Non-MIME character set: This setting
is used if either of these conditions are
true:
• Incoming messages from a remote
domain are missing the value of the
charset= setting in the MIME Content-
Type: header field.
• Outgoing messages to a remote
domain are missing the value of the
MIME character set.
Line wrap size: You can specify the n/a Cmdlet: Set-RemoteDomain
maximum number of characters that Parameter: LineWrapSize
can exist on a single line of text in the The default value is Unlimited , which
body of the email message. Older email means the email client is responsible for
clients might prefer 78 characters per setting the line wrap size in new
line. messages.
If the MessageFormat value is Text , the MessageBodyFormat value can only be Text .
MacAttachmentFormat parameter: Specifies the message attachment format for Apple Macintosh
operating system clients. Valid values are BinHex , UuEncode , AppleSingle , or AppleDouble , and the default
value is BinHex .
The MessageFormat and MacAttachmentFormat parameters are interdependent:
If the MessageFormat value is Text , the MacAttachmentFormat value can be BinHex or UuEncode .
If the MessageFormat value is Mime , the MacAttachmentFormat value can be BinHex , AppleSingle ,
or AppleDouble .
Outlook settings
As a sender, you can specify the message encoding in Outlook by using any of these methods:
Configure the default message format to plain text or HTML.
Configure the message format to plain text or HTML as you're composing the message by using the
Format area in the Format Text tab.
Configure the message encoding options for messages sent to all external recipients. These options are
called Internet message format options, and they only apply to remote recipients (not to recipients in the
Exchange organization).
Configure the message encoding options for messages sent to specific external recipients (Outlook 2010 or
earlier). These options are called Internet recipient message format options, and they only apply to remote
recipients in your Contacts folder (not to recipients in the Exchange organization).
For instructions on configuring these settings in Outlook, see Change the message format to HTML, Rich Text
Format, or plain text.
By default, Outlook uses automatic character set message encoding by scanning the whole text of the outgoing
message to determine the appropriate encoding to use for the message. This setting applies to internal and
external recipients. However, you can bypass the automatic selection and specify a preferred encoding for outgoing
messages at File > Options > Advanced > International options.
Configure the message format to plain text or HTML as you're composing the message by clicking More
options , and selecting Switch to plain text (if the current format is HTML ) or Switch to HTML (if the
current format is plain text).
Remote domain MIME character set and non-MIME The specified MIME and non-MIME
character set character sets (which can be the same).
Notes:
When you configure the non-MIME character set for a remote domain, the character set is assigned to
incoming or outgoing messages to and from the remote domain that don't contain a specified character set.
The value of the Windows ANSI code page for the Exchange server is used to assign a character set to these
types of messages:
Internal messages that don't contain a specified character set.
Internal messages that contain a specified character set, but don't contain a specified server code
page.
If a message contains a specified but invalid character set, the Exchange server tries to replace the invalid
character set with a valid one.
Order of precedence for plain text message encoding options
The following table describes the order of precedence from highest priority to lowest priority for plain text
message encoding options.
Note: Only plain text message settings are included here (not plain text settings for MIME encoded messages).
Mail contact or mail user Use the preferred message format If the value $true , the plain text
message encoding settings for the mail
contact or mail user override the
corresponding settings in Outlook.
If the value is $false , the plain text
message encoding settings for the mail
contact or mail user are ignored (the
corresponding settings in Outlook are
used).
Outlook 2010 or earlier Internet recipient message format Send plain text only
(settings on a specific contact) Open a contact in the Contacts folder >
double-click the email address > click
View more options for interacting
with this person > select Outlook
properties, In the E-mail Properties
dialog that opens, select Send Plain
Text only in the Internet format field.
Outlook Internet message format Plain text options for external messages
at File > Options > Mail > Message
format:
Encode attachments in UUENCODE
format when sending plain-text
messages (not selected by default)
Automatically wrap text at nn
characters (the default value is 76).
Remote domain Line wrap size 132 characters or less, or the value
Unlimited . The default value is
Unlimited .
Order of precedence for MIME message encoding options
The following table describes the order of precedence from highest priority to lowest priority for MIME message
encoding options.
Mail contact or mail user Use the preferred message format If the value $true , the MIME message
encoding settings for the mail contact
or mail user override the corresponding
settings in Outlook.
If the value is $false , the MIME text
message encoding settings for the mail
contact or mail user are ignored (the
corresponding settings in Outlook,
Outlook on the web, or remote
domains are used).
Mail contact or mail user Message body format Text, HTML, or TextAndHtml (the
default value is TextAndHtml ).
TNEF, also known as the Transport Neutral Encapsulation Format, Outlook Rich Text Format, or Exchange Rich
Text Format, is a Microsoft-specific format for encapsulating MAPI message properties. All versions of Outlook
fully support TNEF. Outlook on the web (formerly known as Outlook Web App) translates TNEF into MAPI and
displays the formatted messages. Other email clients that don't support TNEF typically display TNEF formatted
messages as plain text messages with Winmail.dat or Win.dat attachments. For more information about TNEF, see
Exchange and Outlook message formats.
Administrators can specify whether TNEF should be preserved or removed from messages that leave their
Exchange organization. You can specify TNEF conversion options in the following locations:
Remote domain settings
Mail contact and mail user settings
Outlook settings:
Message format
Internet message format
Internet recipient message format (Outlook 2010 or earlier)
Typically, the default TNEF conversion options will work fine (by default, TNEF messages are converted to HTML
for external recipients). However, you might need to force plain text conversion for recipients that are using older
email clients or messaging systems. They'll likely tell you if TNEF messages from your Exchange environment
appear to have formatting issues.
For more information about other content conversion in Exchange, see Content conversion.
You can apply limits to messages that move through your organization. You can set the maximum size of an
entire message as a whole, or the size of individual parts of a message, or both. For example, you could restrict
the maximum size of the message header or attachments, or set a maximum number of recipients that can be
added to the message. You can apply these limits to your entire Exchange organization, to specific mail transport
connectors, specific servers, and to individual mailboxes.
This topic only talks about message and recipient size limits. If you want to know more about how to control how
many messages are sent over time, how many connections are allowed over time, and how long Exchange will
wait before closing a connection, see Message rate limits and throttling.
As you plan the message size limits for your Exchange organization, consider the following questions:
What size limits should I impose on all incoming messages?
What size limits should I impose on all outgoing messages?
What is the mailbox quota for my organization, and how do the message size limits that I have chosen
relate to the mailbox quota size?
Are there users in my organization who need to send or receive messages that are larger than the
maximum allowed size?
Does my organization include other messaging systems or separate business units that require different
message size limits?
This topic provides guidance to help you answer these questions and to apply the appropriate message size limits
in the appropriate locations.
Scope of limits
The following tables show the message limits at the Organization, Connector, Server, and Mailbox levels,
including information about how to configure the limits in the Exchange admin center (EAC ) or the Exchange
Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange
organization, see Open the Exchange Management Shell.
Organizational limits
Organizational limits apply to all Exchange 2019 servers, Exchange 2016 servers, Exchange 2013 Mailbox
servers, and Exchange 2010 Hub Transport servers that exist in your organization. On Edge Transport servers,
any organizational limits that you configure are applied to the local server.
Note:
Organizational limits also apply to external senders and external recipients (anonymous or unauthenticated
senders or recipients):
For inbound messages from external senders, Exchange applies the organizational maximum send
message size limit (the maximum receive message size limit as described in the Recipient limits section is
applied to the internal recipient).
For outbound messages to external recipients, Exchange applies the organization maximum receive
message size limit (the maximum send message size limit as described in the Recipient limits section is
applied to the internal sender).
Therefore, a message size must be within the message size limits for both the sender and the recipient. This
concept is also explained in the Order of precedence and placement of message size limits section later in this
topic.
EXCHANGE MANAGEMENT
SIZE LIMIT DEFAULT VALUE EAC CONFIGURATION SHELL CONFIGURATION
Maximum attachment size Not configured Mail flow > Rules > Add Cmdlets: New-
for a message that matches > Create a new rule, or TransportRule, Set-
the conditions of the mail select an existing rule, and TransportRule
flow rule (also known as a then click Edit . Parameter:
transport rule) Click More options. AttachmentSizeOver
Use the condition Apply
this rule if > Any
attachment > size is
greater than or equal to,
and enter a value in
kilobytes (KB).
Maximum message size for Not configured Mail flow > Rules > Add Cmdlets: New-
a message that matches the > Create a new rule, or TransportRule, Set-
conditions of the mail flow select an existing rule, and TransportRule
rule then click Edit . Parameter:
Click More options. MessageSizeOver
Use the condition Apply
this rule if > The message
> size is greater than or
equal to, and enter a value
in kilobytes (KB).
To see the values of these organizational limits, run the following commands in the Exchange Management Shell:
Get-TransportRule | where {($_.MessageSizeOver -ne $null) -or ($_.AttachmentSizeOver -ne $null)} | Format-
Table Name,MessageSizeOver,AttachmentSizeOver
Connector limits
Connector limits apply to any messages that use the specified Send connector, Receive connector, Delivery Agent
connector, or Foreign connector for message delivery.
You can assign specific message size limits to the Active Directory site links in your organization. The Transport
service on Mailbox servers uses Active Directory sites, and the costs that are assigned to the Active Directory IP
site links as one of the factors to determine the least-cost routing path between Exchange servers in the
organization.
You can assign specific message size limits to the Delivery Agent connectors and Foreign connectors that are
used to send non-SMTP messages in your organization.
EXCHANGE MANAGEMENT
SIZE LIMIT DEFAULT VALUE EAC CONFIGURATION SHELL CONFIGURATION
Server limits
Server limits apply to specific Mailbox servers or Edge Transport servers. You can set these message size limits
independently on each Mailbox server or Edge Transport server.
EXCHANGE MANAGEMENT
SIZE LIMIT DEFAULT VALUE EAC CONFIGURATION SHELL CONFIGURATION
The pickup directory that's available on Edge Transport servers and Mailbox servers also has messages size limits
that you can configure. Typically, the pickup directory isn't used in everyday mail flow. It's is used by
administrators for mail flow testing, or by applications that need to create and submit their own messages files.
For more information, see Configure the Pickup Directory and the Replay Directory.
Maximum size of all header fields in a message file placed in the pickup directory: 64 KB.
Maximum number of recipients in a message file placed in the pickup directory: 100.
Recipient limits
Recipient limits apply to a specific user object, such as a mailbox, mail contact, mail user, distribution group, or a
mail-enabled public folder.
EXCHANGE MANAGEMENT
SIZE LIMIT DEFAULT VALUE EAC CONFIGURATION SHELL CONFIGURATION
EXCHANGE MANAGEMENT
SIZE LIMIT DEFAULT VALUE EAC CONFIGURATION SHELL CONFIGURATION
To see the values of these limits, run the corresponding Get- cmdlet for the recipient type in the Exchange
Management Shell.
For example, to see the limits that are configured on a specific mailbox, run the following command:
Get-Mailbox <MailboxIdentity> | Format-List MaxReceiveSize,MaxSendSize,RecipientLimits
To see the limits that are configured on all user mailboxes, run the following command:
$mb= Get-Mailbox -ResultSize unlimited; $mb | where {$_.RecipientTypeDetails -eq 'UserMailbox'} | Format-
Table Name,MaxReceiveSize,MaxSendSize,RecipientLimits
Message throttling refers to a group of limits that are set on the number of messages and connections that can be
processed by an Exchange server. These limits include message processing rates, SMTP connection rates, and
SMTP session timeout values. These limits work together to protect an Exchange server from being overwhelmed
by accepting and delivering messages. Although a large backlog of messages and connections may be waiting to
be processed, the message throttling limits enable the Exchange server to process the messages and connections
in an orderly manner.
NOTE
Back pressure is another feature that helps to avoid overwhelming the system resources of an Exchange server. Key
resources, such as available hard disk space and memory utilization are monitored, and when the utilization level exceeds the
specified threshold, the server gradually stops accepting new connections and messages. For more information, see
Understanding back pressure. There are also static limits that are available on messages, such as the maximum message size,
the size of individual attachments, and the number of recipients. For more information about message size limits, see
Message size limits in Exchange Server.
You can set the message rate limits and throttling options in the following locations:
Mailbox servers and Edge Transport servers. Collectively, we'll refer to these as transport servers.
Send connectors
Receive connectors
Users
EXCHANGE MANAGEMENT
RATE LIMIT DEFAULT VALUE SHELL CONFIGURATION EAC CONFIGURATION
To see the values of these server message throttling settings, run the following command in the Exchange
Management Shell:
NOTE
The Pickup directory and the Replay directory that are available on Edge Transport servers and Mailbox servers also have
messages rate limits that you can configure. Typically, the Pickup directory and the Replay directory aren't used in everyday
mail flow. For more information, see Configure the Pickup Directory and the Replay Directory. The maximum number of
message files per minute that can be processed by the Pickup directory and the Replay directory is 100. Each directory can
independently process message files at this rate.
Connection inactivity time 00:10:00 (10 minutes) Cmdlet: New- Not available
out: The maximum amount SendConnector and Set-
of time that an open SMTP SendConnector
connection with a source Parameter:
messaging server can ConnectionInactivityTimeO
remain idle before the ut
connection is closed.
To see the values of these Send connector throttling settings, run the following command in the Exchange
Management Shell:
EXCHANGE MANAGEMENT
RATE LIMIT DEFAULT VALUE SHELL CONFIGURATION EAC CONFIGURATION
Connection time out: The 00:10:00 (10 minutes) for Cmdlet: New- Not available
maximum amount of time Receive connectors on ReceiveConnector and
that an SMTP connection Mailbox servers. Set-ReceiveConnector
with a source messaging 00:05:00 (1 minute) for Parameter:
server can remain open, Receive connectors on Edge ConnectionTimeout
even when the source Transport servers.
messaging server is This value must be greater
transmitting data. than the
ConnectionInactivityTimeO
ut value.
Connection inactivity time 00:05:00 (5 minutes) for Cmdlet: New- Not available
out: The maximum amount Receive connectors on ReceiveConnector and
of time that an open SMTP Mailbox servers. Set-ReceiveConnector
connection with a source 00:01:00 (1 minute) for Parameter:
messaging server can Receive connectors on Edge ConnectionInactivityTimeO
remain idle before the Transport servers. ut
connection is closed. This value must be less than
the ConnectionTimeout
value.
EXCHANGE MANAGEMENT
RATE LIMIT DEFAULT VALUE SHELL CONFIGURATION EAC CONFIGURATION
Maximum inbound 100 percent on the default Cmdlet: New- Not available
connection percentage Receive connector named ReceiveConnector and
per source: The maximum Default <ServerName> in Set-ReceiveConnector
percentage of inbound the Transport service on Parameter:
SMTP connections that are Mailbox servers. MaxInboundConnectionPerc
allowed from a source 2 percent on other Receive entagePerSource
messaging server at the connectors on Mailbox
same time. servers and Edge Transport
servers.
Message rate limit: The unlimited on the Cmdlet: New- Not available
maximum number of following default Receive ReceiveConnector and
messages per minute that connectors: Set-ReceiveConnector
can be sent by a single • Default <ServerName> in Parameter:
source. the Transport service on MessageRateLimit
Mailbox servers.
• Default Frontend
<ServerName> in the Front
End Transport service on
Mailbox servers.
• Outbound Proxy Frontend
<ServerName> in the Front
End Transport service on
Mailbox servers.
5 on the following default
Receive connectors:
• Client Proxy
<ServerName> in the
Transport service on Mailbox
servers.
• Client Frontend
<ServerName> in the Front
End Transport service on
Mailbox servers.
600 on the default Receive
connector named Default
internal Receive connector
<ServerName> on Edge
Transport servers.
EXCHANGE MANAGEMENT
RATE LIMIT DEFAULT VALUE SHELL CONFIGURATION EAC CONFIGURATION
Message rate source: This IPAddress on the Cmdlet: New- Not available
indicates how the message following default Receive ReceiveConnector and
submission rate is calculated. connectors: Set-ReceiveConnector
Valid values are: • Default <ServerName> in Parameter:
User : The rate is calculated the Transport service on MessageRateSource
for sending users (specified Mailbox servers.
with the MAIL FROM SMTP • Default Frontend
command). <ServerName> in the Front
• IPAddress : The rate is End Transport service on
calculated for sending hosts. Mailbox servers.
• All : The rate is • Outbound Proxy Frontend
calculated for both sending <ServerName> in the Front
users and sending hosts. End Transport service on
Mailbox servers.
• Default internal Receive
connector <ServerName>
on Edge Transport servers.
User on the following
default Receive connectors:
• Client Proxy
<ServerName> in the
Transport service on Mailbox
servers.
• Client Frontend
<ServerName> in the Front
End Transport service on
Mailbox servers.
Tarpit interval: The amount 00:00:05 (5 seconds) Cmdlet: New- Not available
of time to artificially delay ReceiveConnector and
SMTP responses to Set-ReceiveConnector
unauthenticated remote Parameter: TarpitInterval
servers that appear to be
abusing the connection.
Authenticated connections
are never delayed in this
manner.
To see the values of these Receive connector message throttling settings, run the following command in the
Exchange Management Shell:
Back pressure is a system resource monitoring feature of the Microsoft Exchange Transport service that exists on
Mailbox servers and Edge Transport servers. Back pressure detects when vital system resources, such as hard
drive space and memory, are overused, and takes action to prevent the server from becoming completely
overwhelmed and unavailable. For example, when a system resource utilization level on the Exchange server is
determined to be too high, the server delays accepting new messages. If the resource utilization gets worse, the
server stops accepting new messages to work exclusively on processing all existing messages, and might even
stop processing outgoing messages. When the system resource utilization returns to an acceptable level, the
Exchange server resumes normal operation by accepting new messages and processing outgoing messages.
Monitored resources
The following system resources are monitored by back pressure:
DatabaseUsedSpace[%ExchangeInstallPath%TransportRoles\data\Queue]: Hard drive utilization for
the drive that holds the message queue database.
PrivateBytes: The memory that's used by the EdgeTransport.exe process.
QueueLength[SubmissionQueue]: The number of messages in the Submission queue.
SystemMemory: The memory that's used by all other processes.
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\Queue]: Hard drive utilization for the
drive that holds the message queue database transaction logs.
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]: Hard drive utilization for the drive
that's used for content conversion.
UsedVersionBuckets[%ExchangeInstallPath%TransportRoles\data\Queue\mail.que]: The number
of uncommitted message queue database transactions that exist in memory.
For each monitored system resource on a Mailbox server or Edge Transport server, the following levels of resource
utilization or pressure are defined:
Low or Normal: The resource isn't overused. The server accepts new connections and messages.
Medium: The resource is slightly overused. Back pressure is applied to the server in a limited manner. Mail
from senders in the organization's authoritative domains can flow. However, depending on the specific
resource under pressure, the server uses tarpitting to delay server response or rejects incoming MAIL
FROM commands from other sources.
High: The resource is severely overused. Full back pressure is applied. All message flow stops, and the
server rejects all new incoming MAIL FROM commands.
Transition levels define the low, medium and high resource utilization values depending on whether the resource
pressure is increasing or decreasing. Typically, a resource utilization level that's lower than the original level is
required as the resource utilization decreases. In other words, there really isn't a static value for low, medium and
high resource pressure. You need to know if the utilization is increasing or decreasing before you can determine
the next change in resource utilization level.
The following sections explain how Exchange handles the situation when a specific resource is under pressure.
Hard drive utilization for the drive that holds the message queue database
Resource: DatabaseUsedSpace[%ExchangeInstallPath%TransportRoles\data\Queue]
Description: Monitors the percentage of total drive space that's consumed by all files on the drive that holds the
message queue database. Note that the message queue database file contains unused space, so an accurate
description of the total drive space that's consumed by all files is drive size - free disk space - free space in the
database.
To change the default location of the message queue database, see Change the location of the queue database.
Pressure transitions (%):
LowToMedium: 96
MediumToHigh: 99
HighToMedium: 97
MediumToLow: 94
Comments::
The default high level of hard drive utilization is calculated by using the following formula:
100 * (<hard drive size in MB> - 500 MB ) / <hard drive size in MB>
This formula accounts for the fact that there's unused space in the message queue database
1 GB = 1024 MB. The result is rounded down to the nearest integer.
For example, if your message queue database is located on a 1 terabyte (TB ) drive (1048576 MB ), the high level of
utilization is 100*(1048576-500)/1048576) or 99%.
As you can see from the formula and the rounding down behavior, the hard drive needs to be very small before
the formula calculates a high utilization value that's less than 99%. For example, a 98% value for high utilization
requires a hard drive of approximately 25 GB or less.
Memory used by the EdgeTransport.exe process
Resource: PrivateBytes
Description: Monitors the percentage of memory that's used by the EdgeTransport.exe process that's part of the
Microsoft Exchange Transport service. This doesn't include virtual memory in the paging file, or memory that's
used by other processes.
Pressure transitions (%):
LowToMedium: 72
MediumToHigh: 75
HighToMedium: 73
MediumToLow: 71
Comments:
By default, the high level of memory utilization by the EdgeTransport.exe process is 75 percent of the total physical
memory or 1 terabyte, whichever is less. The results are always rounded down to the nearest integer.
Exchange keeps a history of the memory utilization of the EdgeTransport.exe process. If the utilization doesn't go
down to low level for a specific number of polling intervals, known as the history depth, Exchange rejects incoming
messages until the resource utilization goes back to the low level. By default, the history depth for
EdgeTransport.exe memory utilization s 30 polling intervals.
Number of messages in the Submission queue
Resource: QueueLength[SubmissionQueue]
Description: Monitors the number of messages in the Submission queue. Typically, message enter the
Submission queue from Receive connectors. For more information, see Mail flow and the transport pipeline. A
large number of messages in the Submission queue indicates the categorizer is having difficulty processing
messages.
Pressure transitions:
LowToMedium: 9999
MediumToHigh: 15000
HighToMedium: 10000
MediumToLow: 2000
Comments:
When the Submission queue is under pressure, the Exchange throttles incoming connections by delaying
acknowledgement of incoming messages. Exchange reduces the rate of incoming message flow by tarpitting,
which delays the acknowledgment of the SMTP MAIL FROM command to the sending server. If the pressure
condition continues, Exchange gradually increases the tarpitting delay. After the Submission queue utilization
returns to the low level, Exchange reduces the acknowledgment delay and eases back into normal operation. By
default, Exchange delays message acknowledgments for 10 seconds when under Submission queue pressure. If
the resource pressure continues, the delay is increased in 5-second increments up to 55 seconds.
Exchange keeps a history of Submission queue utilization. If the Submission queue utilization doesn't go down to
the low level for a specific number of polling intervals, known as the history depth, Exchange stops the tarpitting
delay and rejects incoming messages until the Submission utilization goes back to the low level. By default, the
history depth for the Submission queue is in 300 polling intervals.
Memory used by all processes
Resource: SystemMemory
Description: Monitors the percentage of memory that's used by all processes on the Exchange server. This
doesn't include virtual memory in the paging file.
Pressure transitions (%):
LowToMedium: 88
MediumToHigh: 94
HighToMedium: 89
MediumToLow: 84
Comments:
When the server reaches the high level of memory utilization, message dehydration occurs. Message dehydration
removes unnecessary elements of queued messages that are cached in memory. Typically, complete messages are
cached in memory for increased performance. Removal of the MIME content from these cached messages reduces
the amount of memory that's used at the expense of higher latency, because the messages are now read directly
from the message queue database. By default, message dehydration is enabled.
Hard drive utilization for the drive that holds the message queue database transaction logs
Resource: UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\Queue]
Description: Monitors the percentage of total drive space that's consumed by all files on the drive that holds the
message queue database transaction logs. To change the default location, see Change the location of the queue
database.
Pressure transitions (%):
LowToMedium: 89
MediumToHigh: 99
HighToMedium: 90
MediumToLow: 80
Comments::
The default high level of hard drive utilization is calculated by using the following formula:
100 * (<hard drive size in MB> - 1152 MB ) / <hard drive size in MB>
1 GB = 1024 MB. The result is rounded down to the nearest integer.
For example, if your queue database is located on a 1 terabyte (TB ) drive (1048576 MB ), the high level of
utilization is 100*(1048576-1152)/1048576) or 99%.
As you can see from the formula and the rounding down behavior, the hard drive needs to be fairly small before
the formula calculates a high utilization value that's less than 99%. For example, a 98% value for high utilization
requires a hard drive of approximately 56 GB or less.
The %ExchangeInstallPath%Bin\EdgeTransport.exe.config application configuration file contains the
DatabaseCheckPointDepthMax key that has the default value 384MB . This key controls the total allowed size of all
uncommitted transaction logs that exist on the hard drive. The value of this key is used in the formula that
calculates high utilization. If you customize this value, the formula becomes:
100 * (<hard drive size in MB> - Min(5120 MB, 3* DatabaseCheckPointDepthMax)) / <hard drive size in MB>
NOTE
The value of the DatabaseCheckPointDepthMax key applies to all transport-related Extensible Storage Engine (ESE)
databases that exist on the Exchange server. On Mailbox servers, this includes the message queue database, and the sender
reputation database. On Edge Transport servers, this includes the message queue database, the sender reputation database,
and the IP filter database that's used by the Connection Filtering agent.
Hard drive utilization for the drive that's used for content conversion
Resource: UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]
Description: Monitors the percentage of total drive space that's consumed by all files on the drive that's used for
content conversion. The default location of the folder is %ExchangeInstallPath%TransportRoles\data\Temp and is
controlled by the TemporaryStoragePath key in the %ExchangeInstallPath%Bin\EdgeTransport.exe.config
application configuration file.
Pressure transitions (%):
LowToMedium: 89
MediumToHigh: 99
HighToMedium: 90
MediumToLow: 80
Comments:
The default high level of hard drive utilization is calculated by using the following formula:
100 * (<hard drive size in MB> - 500 MB ) / <hard drive size in MB>
1 GB = 1024 MB. The result is rounded down to the nearest integer.
For example, if your message queue database is located on a 1 terabyte (TB ) drive (1048576 MB ), the high level of
utilization is 100*(1048576-500)/1048576) or 99%.
As you can see from the formula and the rounding down behavior, the hard drive needs to be very small before
the formula calculates a high utilization value that's less than 99%. For example, a 98% value for high utilization
requires a hard drive of approximately 25 GB or less.
Number of uncommitted message queue database transactions in memory
Resource: UsedVersionBuckets[%ExchangeInstallPath%TransportRoles\data\Queue\mail.queue]
Description: Monitors the number of uncommitted transactions for the message queue database that exist in
memory.
Pressure transitions:
LowToMedium: 999
MediumToHigh: 1500
HighToMedium: 1000
MediumToLow: 800
Comments::
A list of changes that are made to the message queue database is kept in memory until those changes can be
committed to a transaction log. Then the list is committed to the message queue database itself. These outstanding
message queue database transactions that are kept in memory are known as version buckets. The number of
version buckets may increase to unacceptably high levels because of an unexpectedly high volume of incoming
messages, spam attacks, problems with the message queue database integrity, or hard drive performance.
When version buckets are under pressure, the Exchange server throttles incoming connections by delaying
acknowledgment of incoming messages. Exchange reduces the rate of incoming message flow by tarpitting, which
delays the acknowledgment of the SMTP MAIL FROM command to the sending server. If the resource pressure
condition continues, Exchange gradually increases the tarpitting delay. After the resource utilization returns to
normal, Exchange gradually reduces the acknowledgement delay and eases back into normal operation. By default,
Exchange delays message acknowledgments for 10 seconds when under resource pressure. If the pressure
continues, the delay is increased in 5-second increments up to 55 seconds.
When the version buckets are under high pressure, the Exchange server also stops processing outgoing messages.
Exchange keeps a history of version bucket resource utilization. If the resource utilization doesn't go down to the
low level for a specific number of polling intervals, known as the history depth, Exchange stops the tarpitting delay
and rejects incoming messages until the resource utilization goes back to the low level. By default, the history
depth for version buckets is in 10 polling intervals.
To see the values on the local server, you can omit the Server parameter.
These settings are listed only as a reference for the default values. We strongly discourage any modifications to the
back pressure settings in the EdgeTransport.exe.config file. Modifications to these settings might result in poor
performance or data loss. We recommend that you investigate and correct the root cause of any back pressure
events that you may encounter.
General back pressure settings
DehydrateMessagesUnderMemoryPressure true
DatabaseUsedSpace settings
DatabaseUsedSpace.LowToMedium 96
DatabaseUsedSpace.MediumToHigh 99
DatabaseUsedSpace.HighToMedium 97
DatabaseUsedSpace.MediumToLow 94
PrivateBytes settings
PrivateBytes.LowToMedium 72
PrivateBytes.MediumToHigh 75
PrivateBytes.HighToMedium 73
PrivateBytes.MediumToLow 71
PrivateBytesHistoryDepth 30
QueueLength[SubmissionQueue] settings
QueueLength[SubmissionQueue].LowToMedium 9999
QueueLength[SubmissionQueue].MediumToHigh 15000
QueueLength[SubmissionQueue].HighToMedium 10000
QueueLength[SubmissionQueue].MediumToLow 2000
SystemMemory settings
SystemMemory.LowToMedium 88
SystemMemory.MediumToHigh 94
SystemMemory.HighToMedium 89
SystemMemory.MediumToLow 84
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\ 89
Queue].LowToMedium
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\ 99
Queue].MediumToHigh
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\ 90
Queue].HighToMedium
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data\ 80
Queue].MediumToLow
NOTE
Values that contain only UsedDiskSpace (for example, UsedDiskSpace.MediumToHigh ) apply to the message queue
database transaction logs and to content conversion.
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]. 89
LowToMedium
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]. 99
MediumToHigh
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]. 90
HighToMedium
UsedDiskSpace[%ExchangeInstallPath%TransportRoles\data]. 80
MediumToLow
TemporaryStoragePath %ExchangeInstallPath%TransportRoles\data\Temp
UsedVersionBuckets settings
UsedVersionBuckets.LowToMedium 999
UsedVersionBuckets.MediumToHigh 1500
UsedVersionBuckets.HighToMedium 1000
UsedVersionBuckets.MediumToLow 800
VersionBucketsHistoryDepth 10
You can use Telnet to test Simple Mail Transfer Protocol (SMTP ) communication between messaging servers.
SMTP is the protocol that's used to send email messages from one messaging server to another. Using Telnet can
be helpful if you're having trouble sending or receiving messages because you can manually send SMTP
commands to a messaging server. In return, the server will reply with responses that would be returned in a
typical connection. These results can sometimes help you to figure out why you can't send or receive messages.
You can use Telnet to test SMTP communication to:
Test mail flow from the Internet into your Exchange organization.
Test mail flow from your Exchange to another messaging server on the Internet.
TIP
Did you know that, instead of using Telnet to test SMTP connectivity, you can use the Microsoft Remote Connectivity
Analyzer at https://testconnectivity.microsoft.com/? With the Remote Connectivity Analyzer, you can choose the
connectivity test you want to do, in this case Inbound SMTP Email, and follow the instructions shown. It'll step you
through the information you need to enter, run the test for you, and then give you the results. Give it a try!
NOTE
Network policies might prevent you from using the Nslookup tool to query public DNS servers on the Internet. As an
alternative, you can use one of the freely-available DNS lookup or MX record lookup web sites on the Internet.
1. At a command prompt, type nslookup, and then press Enter. This command opens the Nslookup session.
2. Type set type=mx, and then press Enter.
3. Type the name of the domain for which you want to find the MX record. For example, to find the MX
record for the fabrikam.com domain, type fabrikam.com., and then press Enter.
NOTE
When you use a trailing period ( . ), you prevent any default DNS suffixes from being unintentionally added to the
domain name.
You can use any of the host names or IP addresses that are associated with the MX records as the destination
SMTP server. A lower value for preference (preference = 10 vs. 20) indicates a preferred SMTP server.
Multiple MX records and different values of preference are used for load balancing and fault tolerance.
4. When you're ready to end the Nslookup session, type exit, and then press Enter.
TIP
The commands in the Telnet Client aren't case-sensitive. The SMTP command verbs in this example are capitalized for clarity.
You can't use the backspace key in the Telnet session after you connect to the destination SMTP server. If you make a
mistake as you type an SMTP command, you need to press Enter, and then type the command again. Unrecognized SMTP
commands or syntax errors result in an error message that looks like this: 500 5.3.3 Unrecognized command
1. Open a Command Prompt window, type telnet , and then press Enter.
This command opens the Telnet session.
2. Type set localecho , and then press Enter.
This optional command lets you view the characters as you type them, and it might be required for some
SMTP servers.
3. Type set logfile <filename> , and then press Enter.
This optional command enables logging and specifies the log file for the Telnet session. If you only specify
a file name, the log file is located in the current folder. If you specify a path and file name, the path needs to
be on the local computer, and you might need to enter the path and file name in the Windows DOS 8.3
format (short name with no spaces). The path needs to exist, but the log file is created automatically.
4. Type OPEN mail1.fabrikam.com 25 , and then press Enter.
5. Type EHLO contoso.com , and then press Enter.
6. Type MAIL FROM:<chris@contoso.com> , and then press Enter.
7. Type RCPT TO:<kate@fabrikam.com> NOTIFY=success,failure , and then press Enter.
The optional NOTIFY command specifies the particular delivery status notification (DSN ) messages (also
known as bounce messages, nondelivery reports, or NDRs) that the SMTP is required to provide. In this
example, you're requesting a DSN message for successful or failed message delivery.
8. Type DATA , and then press Enter.
9. Type Subject: Test from Contoso , and then press Enter.
10. Press Enter again.
A blank line is needed between the Subject: field and the message body.
11. Type This is a test message , and then press Enter.
12. Type a period ( . ), and then press Enter.
13. To disconnect from the SMTP server, type QUIT , and then press Enter.
14. To close the Telnet session, type quit , and then press Enter.
Here's what a successful session using the steps above looks like:
C:\Windows\System32> telnet
Microsoft Telnet> set localecho
Microsoft Telnet> set logfile c:\TelnetTest.txt
Microsoft Telnet> OPEN mail1.fabrikam.com 25
220 mail1.fabrikam.com Microsoft ESMTP MAIL Service ready at Fri, 5 Aug 2016 16:24:41 -0700
EHLO contoso.com
250-mail1.fabrikam.com Hello [172.16.0.5]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
MAIL FROM: <chris@contoso.com>
250 2.1.0 Sender OK
RCPT TO: <kate@fabrikam.com> NOTIFY=success,failure
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: test
NOTE
The three-digit SMTP response codes that are defined in RFC 5321 are the same for all SMTP messaging servers, but the
text descriptions in the responses might be slightly different.
3.y.z The command was accepted but the remote server needs
more information before the operation can be completed. The
sending server needs to send a new command with the
needed information.
The table above is based on information provided by RFC 5321 (Simple Mail Transfer Protocol), section 4.2.1.
Additional information, including descriptions of the second (Y ) and third (Z ) digits of SMTP reply codes is
included in this section, and in sections 4.2.2 and 4.2.3.
OPEN command
Successful response: 220 mail1.fabrikam.com Microsoft ESMTP MAIL Service ready at <day-date-time>
Failure response:
Connecting to mail1.fabrikam.com...Could not open connection to the host, on port 25: Connect failed
Possible reasons for failure: A syntax error in the sender's e-mail address.
Failure response: 530 5.7.1 Client was not authenticated
Possible reasons for failure: The destination server doesn't accept anonymous message submissions. You
receive this error if you try to use Telnet to submit a message directly to a Mailbox server that doesn't have a
Receive connector that's configured to accept anonymous connections.
RCPT TO command
Successful response: 250 2.1.5 Recipient OK
Exchange Server provides the following rich features that can help your end users collaborate in email:
Site mailboxes (deprecated in SharePoint 2019)
Public folders
Shared mailboxes
Distribution groups
Each of these features has a different user experience and feature set and should be used based on what the user
needs to accomplish and what your organization can provide. For example, site mailboxes provide great
documentation collaboration features. However site mailboxes rely on SharePoint Server, so if you aren't planning
on deploying SharePoint, you should use public folders to share documents.
This topic compares these collaboration features to help you decide which features to offer your users.
Site mailboxes
A site mailbox is functionally comprised of a SharePoint 2013 or later site membership (owners and members),
shared storage through an Exchange 2016 or later mailbox for email messages, and a SharePoint site to store and
share information. Essentially, site mailboxes bring Exchange email and SharePoint documents together. For users,
a site mailbox serves as a central filing cabinet for the project, providing a place to file project email and documents
that can be accessed and edited only by site members. In addition, site mailboxes have a specified lifecycle and are
optimized to be used for projects that have set start and end dates. To fully implement site mailboxes, end users
must use Outlook 2013 or later.
To learn more, see Site mailboxes.
Public folders
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
Public folders organize content in a deep hierarchy that's easy to browse. Users discover interesting and relevant
content by browsing through branches of the hierarchy that are relevant to them. Users always see the full
hierarchy in their Outlook folder view. Public folders are a great technology for distribution group archiving. A
public folder can be mail-enabled and added as a member of the distribution group. Email sent to the distribution
group is automatically added to the public folder for later reference. Public folders also provide simple document
sharing and don't require SharePoint Server to be installed in your organization. Finally, end users can use public
folders with Outlook 2007 or later.
To learn more, see Public folders.
Shared mailboxes
A shared mailbox is a mailbox that multiple designated users can access to read and send email messages and to
share a common calendar. Shared mailboxes can provide a generic email address (such as info@contoso.com or
sales@contoso.com) that customers can use to inquire about your company. If the shared mailbox has the Send As
permission assigned when a delegated user responds to the email message, it can appear as though the mailbox
(for example, sales@contoso.com) is responding, not the actual user.
To learn more, see Shared mailboxes.
Groups
Groups (also called distribution groups) are a collection of two or more recipients that appears in the shared
address book. When an email message is sent to a group, it's received by all members of the group. Distribution
groups can be organized by a particular discussion subject (such as "Dog Lovers") or by users who share a
common work structure that requires them to communicate frequently.
To learn more, see Recipients.
Type of group Users who work With the proper Delegates working on Users who need to
together as a team on permissions, everyone behalf of a virtual send email to a group
a specific project with in your organization identity, and they can of recipients with a
definitive start and can access and search respond to email as common interest or
end dates. public folders. Public that shared mailbox characteristic.
folders are ideal for identity. Example:
maintaining history or support@tailspintoys.
distribution group com
conversations.
Access Site mailbox owners Accessible by anyone Users can be granted For distribution
and members. in your organization. Full Access and/or groups, members,
Send As permissions. must be manually
If granted Full Access added. For dynamic
permissions, users distribution groups,
must also add the members are added
shared mailbox to based on filtering
their Outlook profile criteria.
to access the shared
mailbox.
Email arrives in No. Email arrives in No. Email arrives in No. Email arrives in Yes. Email arrives in
user's personal the site mailbox. the public folder. the Inbox of the the Inbox of a
Inbox? shared mailbox. distribution group
member.
Supported clients Outlook 2013 or later Outlook 2007 or later Outlook 2007 or later Outlook 2007 or later
SharePoint 2013 Outlook Web App Outlook Web App
Site mailboxes
8/23/2019 • 4 minutes to read • Edit Online
Email and documents are traditionally kept in two unique and separate data repositories. Most organizations
collaborate using both mediums. The challenge is that both email and documents are accessed using different
clients. This usually results in a reduction in user productivity and a degraded user experience.
The site mailbox, first introduced in Exchange 2013, is a solution for this problem. Site mailboxes improve
collaboration and user productivity by allowing access to both Microsoft SharePoint 2013 documents and
Exchange email using the same client interface. A site mailbox is functionally comprised of SharePoint 2013 site
membership (owners and members), shared storage through an Exchange 2016 or Exchange 2019 mailbox for
email messages and a SharePoint 2013 site for documents, and a management interface that addresses
provisioning and lifecycle needs.
Site mailboxes require Exchange 2016 or later and SharePoint Server 2013 integration and configuration. For
more information about how to configure your Exchange Server organization to work with your SharePoint
Server 2013 organization, see the following topics:
Configure site mailboxes in SharePoint Server 2013.
Plan Exchange 2016 integration with SharePoint and Skype for Business
For more information about collaboration features in Exchange Server, see Collaboration.
For more information about how to configure site mailbox provisioning policies, see Manage site mailbox
provisioning policies.
Site mailboxes don't support retention at the item-level. Retention works on a project-level for site mailboxes, so
when the entire site mailbox is deleted, the retained items will be deleted.
Compliance
Using the eDiscovery Console in SharePoint, site mailboxes can be part of the In-Place eDiscovery scope as you
can do keyword searches against user mailboxes or site mailboxes. In addition, you can put a site mailbox on legal
hold. For more info, see In-Place eDiscovery in Exchange Server.
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Public folders help make content in a deep
hierarchy easier to browse. Users will see the full hierarchy in Outlook, which makes it easy for them to find the
content they're interested in.
Public folders are available in the following Outlook clients:
Outlook on the web (formerly known as Outlook Web App) for Exchange 2016 or later
Supported versions of Outlook for Exchange Server.
Outlook for Mac 2016 and Outlook for Mac for Office 365.
Public folders can also be used as an archiving method for distribution groups. When you mail-enable a public
folder and add it as a member of the distribution group, email sent to the group is automatically added to the
public folder for later reference.
Public folders aren't designed to do the following:
Data archiving: Users who have mailbox limits sometimes use public folders instead of mailboxes to
archive data. This practice isn't recommended because it affects storage in public folders and undermines
the goal of mailbox limits. Instead, we recommend that you use In-Place Archiving in Exchange 2016 as
your archiving solution.
Document sharing and collaboration: Public folders don't provide versioning or other document
management features, such as controlled check-in and check-out functionality and automatic notifications
of content changes. Instead, we recommend that you use SharePoint as your documentation sharing
solution.
To learn more about public folders and other collaboration methods in Exchange, see Collaboration.
To browse some frequently asked questions about public folders in Exchange, see FAQ: Public folders.
For more information about the limits and quotas for public folders, see Limits for public folders.
NOTE
Retention policies aren't supported for public folder mailboxes.
There are two ways you can manage public folder mailboxes:
In the Exchange admin center (EAC ), navigate to Public folders > Public folder mailboxes.
In the Exchange Management Shell, use the *-Mailbox set of cmdlets. The following parameters have
been added to the New -Mailbox cmdlet to support public folder mailboxes:
PublicFolder: This parameter is used with the New-Mailbox cmdlet to create a public folder
mailbox. When you create a public folder mailbox, a new mailbox is created with the mailbox type of
PublicFolder . For more information, see Create a public folder mailbox.
HoldForMigration: This parameter is used only if you're migrating public folders from Exchange
2010 to Exchange 2016. For more information, see Migrate public folders later in this topic.
IsHierarchyReady: This parameter indicates whether the public folder mailbox is ready to serve the
public folder hierarchy to users. It's set to $True only after the entire hierarchy has been synced to
the public folder mailbox. If the parameter is set to $False, users won't use it to access the hierarchy.
However, if you set the DefaultPublicFolderMailbox property on a user mailbox to a specific public
folder mailbox, the user will still access the specified public folder mailbox even if the
IsHierarchyReady parameter is set to $False .
IsExcludedFromServingHierarchy: This parameter prevents users from accessing the public folder
hierarchy on the specified public folder mailbox. For load-balancing purposes, users are equally
distributed across public folder mailboxes by default. When this parameter is set on a public folder
mailbox, that mailbox isn't included in this automatic load balancing and won't be accessed by users
to retrieve the public folder hierarchy. However, if you set the DefaultPublicFolderMailbox property
on a user mailbox to a specific public folder mailbox, the user will still access the specified public
folder mailbox even if the IsExcludedFromServingHierarchy parameter is set for that public folder
mailbox.
A secondary hierarchy mailbox will serve only public folder hierarchy information to users if it's specified
explicitly on the users' mailboxes using the DefaultPublicFolderMailbox property, or if the following conditions
are met:
The IsHierarchyReady property on the public folder mailbox is set to $True .
The IsExcludedFromServingHierarchy property on the public folder mailbox is set to $False .
Public folder hierarchy
The public folder hierarchy contains the folders' properties and organizational information, including tree
structure. Each public folder mailbox contains a copy of the public folder hierarchy. There's only one writeable
copy of the hierarchy, which is in the primary public folder mailbox. For a specific folder, the hierarchy information
is used to identify the following:
Permissions on the folder
The folder's position in the public folder tree, including its parent and child folders
NOTE
The hierarchy doesn't store information about email addresses for mail-enabled public folders. The email addresses are
stored on the directory object in Active Directory.
Hierarchy synchronization
The public folder hierarchy synchronization process uses Incremental Change Synchronization (ICS ), which
provides a mechanism to monitor and synchronize changes to an Exchange store hierarchy or content. The
changes include creating, modifying, and deleting folders and messages. When users are connected to and using
content mailboxes, synchronization occurs every 15 minutes. If no users are connected to content mailbox,
synchronization will be triggered less often (every 24 hours).If a write operation such as a creating a folder is
performed on the primary hierarchy, synchronization is triggered immediately (synchronously) to the content
mailbox.
IMPORTANT
Because there's only one writeable copy of the hierarchy, folder creation is proxied to the hierarchy mailbox by the content
mailbox users are connected to.
In a large organization, when you create a new public folder mailbox, the hierarchy must synchronize to that
public folder before users can connect to it. Otherwise, users may see an incomplete public folder structure when
connecting with Outlook. To allow time for this synchronization to occur without users attempting to connect to
the new public folder mailbox, set the IsExcludedFromServingHierarchy parameter on the New-Mailbox cmdlet
when creating the public folder mailbox. This parameter prevents users from connecting to the newly created
public folder mailbox. When synchronization is complete, run the Set-Mailbox cmdlet with the
IsExcludedFromServingHierarchy parameter set to false , indicating that the public folder mailbox is ready to be
connected to. You can use also the Get-PublicFolderMailboxDiagnostics cmdlet to view the sync status by the
SyncInfo and the AssistantInfo properties.
For more information, see Create a public folder.
Public folder content
Public folder content can include email messages, posts, documents, and eForms. The content is stored in the
public folder mailbox but isn't replicated across multiple public folders mailboxes. All users access the same public
folder mailbox for the same set of content. Although a full text search of public folder content is available, public
folder content isn't searchable across public folders and the content isn't indexed by Exchange Search.
NOTE
Outlook on the web is supported, but with limitations. You can add and remove public folders to your Favorites through
Outlook, and then perform item-level operations such as creating, editing, deleting posts, and replying to posts through
Outlook on the web. However, you can't create or delete public folders from Outlook on the web. Also, only Mail, Post,
Calendar, and Contact public folders can be added to the Favorites list in Outlook on the web.
Disaster recovery
Public folders are built on mailbox infrastructure and use the same mechanisms for availability and redundancy.
Every public folder mailbox can have multiple redundant copies with automatic failover, just like regular
mailboxes. To learn more, see Plan for high availability and site resilience.
In addition to the overall disaster recovery scenario, you can also restore public folders in the following situations:
Soft-deleted public folder restore: The public folder was deleted but is still within the retention period.
Soft-deleted public folder mailbox restore: The public folder mailbox was deleted and is still within the
mailbox retention period.
Public folder mailbox restore from a recovery database: You can recover an individual public folder
mailbox from backup when the deleted mailbox retention period has elapsed. You then extract data from
the restored mailbox and copy it to a target folder or merge it with another mailbox.
In all of these situations, the public folder or public folder mailbox is recoverable by using the
MailboxRestoreRequest cmdlets.
For more information, see Restore public folders and public folder mailboxes from failed moves.
FAQ: Public folders
8/23/2019 • 7 minutes to read • Edit Online
Resume-PublicFolderMigrationRequest \PublicFolderMigration
NOTE
You can only create public folder rules that contain the element reply using a specific template in mail-enabled public
folders. It is possible that pre-existing rules containing reply using a specific template will continue to work on non-mail-
enabled public folders, but on those folders you cannot create new rules with this template element, or edit existing rules
with this element.
In a hybrid scenario, Outlook on the web isn't supported for cross-premises public folders. Users must be in the
same location as the public folders to access them with Outlook on the web. Outlook 2016 for Mac users can
access public folders in a hybrid scenario if the following conditions are true:
You've followed the procedures at Hybrid Deployment procedures.
The April 2016 update for Outlook 2016 for Mac has been installed on all clients.
How can I create content mailboxes for public folders using Exchange
Management Shell cmdlets?
Run the following command to create the first master hierarchy public folder mailbox and the secondary hierarchy
mailboxes.
What are the limits on public folders? What are the recommendations?
For more information about public folder limits, see Limits for public folders.
Can you specify which users can use a specific public folder mailbox?
In Exchange 2010, you could specify which users had access to specific public folders. In Exchange 2013 or later,
you can set the default public folder mailbox per user. To do so, run the Set-Mailbox cmdlet with the
DefaultPublicFolderMailbox parameter. For example:
Can you change which public folder mailbox is the master hierarchy
mailbox?
No. If you try to change the master hierarchy mailbox, you'll receive an error.
In Exchange Server, public folders are based on a mailbox architecture that allows public folders to benefit from
things such as the resiliency of a Database Availability Group (DAG ) and other mailbox enhancements. However,
there are limits and performance considerations that should be taken into account.
Limits
The following table lists the limits for public folders in on-premises Exchange Server. Unless the limits are
specifically stated as recommended, the values listed in this table are the supported limits for public folders.
IMPORTANT
Looking for Exchange Online limits for Office 365? See Exchange Online Limits.
Total number of public folder mailboxes 1,000 1,000 is the limit for Exchange Server
2016 CU2 or later. Although you can
create more than 1,000 public folder
mailboxes, it isn't supported. Create a
public folder mailbox
Total public folders in hierarchy 1,000,000 Although you can create more than
1,000,000 public folders, it isn't
supported. For any deployment of
100,000 or more public folders, we
recommend reading Considerations
when deploying public folders.
Sub-folders under the parent folder 10,000 While you can create more than 1,000
sub-folders under a parent folder, we
don't recommend that you do
so.FolderHierarchyChildrenCountRecei
veQuota parameter on the Set-Mailbox
cmdlet.
Maximum individual public folder size 10 GB This limit doesn't include subfolders
beneath a single folder.Configure
storage quotas for a mailbox
ITEM LIMITS NOTES
Public folder mailbox size 100 GB Configure storage quotas for a mailbox
Number of user logons per public 2,000 concurrent user logons We recommend that you configure
folder mailbox your hierarchy so that you have no
more than 2,000 users per public folder
mailbox. For example, if you have
20,000 users, you should have 10
public folder mailboxes.
Age limit We recommend that you set this as the These settings can be set at the
same default that you use for regular following levels:Organizational level:
mailboxes. The DefaultPublicFolderAgeLimit
parameter on the Set-
OrganizationConfig cmdlet.Folder
level: The AgeLimit parameter on the
Set-PublicFolder cmdlet.
Deleted item retention We recommend that you set this as the These settings can be set at the
same default that you use for regular following levels:Organizational level:
mailboxes. The
DefaultPublicFolderMovedItemRetenti
on parameter on the Set-
OrganizationConfig cmdlet.Mailbox
level: The RetainDeletedItemsFor on
the Set-Mailbox cmdlet.Folder level::
The RetainDeleteItemsFor parameter
on the Set-PublicFolder cmdlet.
Maximum number of public folders 500,000 This is the maximum number of public
that can be migrated from Exchange folders you can move to Exchange from
2010 to Exchange 2016 Exchange 2010 in a single migration.
For details on migrating public folders,
see Use batch migration to migrate
public folders from Exchange 2010 to
Exchange 2016.
Considerations when deploying public folders
8/23/2019 • 2 minutes to read • Edit Online
Although there are many advantages to using Exchange public folders, there are some things to consider before
implementing them in your organization.
This article provides a comparison of public folders and Office 365 Groups, and how one or the other might be the
best solution for your organization. Public folders have been around as long as Exchange, whereas Groups were
introduced more recently. If you want to migrate some or all of your public folders to Groups, this article describes
how the process works, and provides links to the articles that walk you through the process, step by step.
NOTE
When you finish migrating a mail-enabled public folder to a particular group in Office 365, all the emails addressed to the
public folder will at that point be received by the group.
Use one or more of the procedures listed below to get your public folder infrastructure up and running, and to
perform other necessary tasks for managing public folders.
Set up public folders in a new organization
Configure legacy on-premises public folders for a hybrid deployment
Use batch migration to migrate Exchange 2010 public folders to Exchange 2016
Use batch migration to migrate legacy public folders to Office 365 and Exchange Online
Use batch migration to migrate Exchange Server public folders to Exchange Online
Migrate public folders from Exchange 2013 to Exchange 2016 or Exchange 2019
Configure legacy public folders where user mailboxes are on Exchange 2016 servers
Create a public folder mailbox
Create a public folder
Using favorite public folders in Outlook on the web
Mail-enable or mail-disable a public folder
Update the public folder hierarchy
Remove a public folder
Move a public folder mailbox to a different mailbox database
Move a public folder to a different public folder mailbox
Restore public folders and public folder mailboxes from failed moves
View statistics for public folders and public folder items
Configure legacy on-premises public folders for a
hybrid deployment
8/23/2019 • 8 minutes to read • Edit Online
In a hybrid deployment, your users can be in Exchange Online, Exchange on-premises, or both, and your public
folders are either in Exchange Online or Exchange on-premises. Public folders can only reside in one place, so you
must decide whether your public folders will be in Exchange Online or on-premises. They can't be in both
locations. Public folder mailboxes are synchronized to Exchange Online by the Directory Synchronization service.
However, mail-enabled public folders aren't synchronized across premises.
This article describes how to synchronize mail-enabled public folders when your users are in Office 365 and your
Exchange 2010 SP3 or later version public folders are on-premises. However, an Office 365 user who is not
represented by a MailUser object on-premises (local to the target public folder hierarchy) won't be able to access
legacy or Exchange on-premises public folders.
NOTE
This topic refers to the Exchange 2010 SP3 or later servers as the legacy Exchange server.
You will use the following scripts to sync your mail-enabled public folders. The scripts are initiated by a Windows
task that runs in the on-premises environment:
Sync-MailPublicFolders.ps1 : This script synchronizes mail-enabled public folder objects from your local
Exchange on-premises deployment with Office 365. It uses the local Exchange on-premises deployment as
master to determine what changes need to be applied to O365. The script will create, update, or delete mail-
enabled public folder objects on O365 Active Directory based on what exists in the local on-premises
Exchange deployment.
SyncMailPublicFolders.strings.psd1 : This is a support file used by the preceding synchronization script and
should be copied to the same location as the preceding script.
When you complete this procedure your on-premises and Office 365 users will be able to access the same on-
premises public folder infrastructure.
On-Premises Exchange 2010 Hybrid not applicable Hybrid not applicable Supported
Public Folders
A hybrid configuration with Exchange 2003 public folders is not supported. If you're running Exchange 2003 in
your organization, you must move all public folder databases and replicas to Exchange 2010 SP3 or later. No
public folder replicas can remain on Exchange 2003.
NOTE
This server doesn't have to be part of the Client Access load balancing. For more information, see Understanding
Load Balancing in Exchange 2010.
For Exchange 2007, run the following command in the Exchange Management Shell:
NOTE
We recommend that the only mailbox that you add to this database is the proxy mailbox that you'll create in the next
step. No other mailboxes should be created on this mailbox database.
3. Create a proxy mailbox within the new mailbox database, and hide the mailbox from the address book. The
SMTP of this mailbox will be returned by AutoDiscover as the DefaultPublicFolderMailbox SMTP, so that
by resolving this SMTP the client can reach the legacy exchange server for public folder access.
4. For Exchange 2010, enable Autodiscover to return the proxy public folder mailboxes.
5. Repeat the preceding steps for every public folder server in your organization.
SyncMailPublicFolders.strings.psd1
2. Save the files to the local computer on which you'll be running PowerShell. For example, C:\PFScripts.
NOTE
Synchronized mail-enabled public folders will appear as mail contact objects for mail flow purposes and will not be viewable in
the Exchange admin center. See the Get-MailPublicFolder command. To recreate the SendAs permissions in the cloud, use the
Add-RecipientPermission command.
1. On the legacy Exchange server, run the following command to synchronize mail-enabled public folders from
your local on-premises Active Directory to O365.
Where Credential is your Office 365 user name and password, and CsvSummaryFile is the path to where
you would like to log synchronization operations and errors, in .csv format.
NOTE
Before running the script, we recommend that you first simulate the actions that the script would take in your environment
by running it as described above with the -WhatIf parameter. We also recommend that you run this script daily to
synchronize your mail-enabled public folders.
You must wait until Active Directory synchronization has completed to see the changes. This process can take up to
3 hours to complete. If you don't want to wait for the recurring synchronizations that occur every three hours, you
can force directory synchronization at any time. For detailed steps to force directory synchronization, see Force
directory synchronization. Office 365 randomly selects one of the public folder mailboxes that's supplied in this
command.
IMPORTANT
An Office 365 user who is not represented by a MailUser object on-premises (local to the target public folder hierarchy) won't
be able to access legacy, Exchange 2016, or Exchange 2019 on-premises public folders. See the Knowledge Base article
Exchange Online users can't access legacy on-premises public folders for a solution.
Migrate your public folders from Exchange Server 2010 SP3 RU8 to Microsoft Exchange Server 2016 or later
within the same forest.
We refer to the Exchange 2010 SP3 RU8 or later server as the legacy Exchange server. References to Exchange
Server 2016 apply equally to Exchange Server 2016 or Exchange Server 2019.
NOTE
The batch migration method described in this article is the only supported method for migrating legacy public folders to
Exchange Server. The old serial migration method for migrating public folders is being deprecated and is no longer
supported by Microsoft.
You'll perform the migration by using the *MigrationBatch cmdlets, and the *PublicFolderMigrationRequest
cmdlets for troubleshooting. In addition, you'll use the following PowerShell scripts:
Export-PublicFolderStatistics.ps1 : This script creates the folder name-to-folder size mapping file.
: This support file is used by the Export-PublicFolderStatistics.ps1
Export-PublicFolderStatistics.psd1
script and should be downloaded to the same location.
PublicFolderToMailboxMapGenerator.ps1 : This script creates the public folder-to-mailbox mapping file.
: This support file is used by the
PublicFolderToMailboxMapGenerator.strings.psd1
PublicFolderToMailboxMapGenerator.ps1 script and should be downloaded to the same location.
Create-PublicFolderMailboxesForMigration.ps1 : This script creates the target public folder mailboxes for the
migration. In addition, this script calculates the number of mailboxes necessary to handle the estimated
user load, based on the guidelines for the number of user logons per public folder mailbox recommended
in Limits for public folders.
: This support file is used by the Create-
Create-PublicFolderMailboxesForMigration.strings.psd1
PublicFolderMailboxesForMigration.ps1 script and should be downloaded to the same location.
The Step 1: Download the migration scripts section provides details about where to download these scripts. Be
sure to download all scripts to the same location.
For additional management tasks related to public folders, see Public folder procedures.
IMPORTANT
Before you begin your migration, make sure you migrate your arbitration mailbox to the target Exchange server. Otherwise,
your migration batch will hang in the Starting state. To identify your migration arbitration mailbox, run the following
cmdlet:
Get-Mailbox -Arbitration -Identity Migration.*
Run the following command to take a snapshot of public folder statistics such as item count, size,
and owner:
2. If the name of a public folder contains a backslash ( \ ), migration will create the migrated public folders in
the parent public folder. Before you migrate, we recommend that you rename any public folders that have a
backslash in the name.
To locate public folders in Exchange 2010 that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {($_.Name -like "*\*") -or ($_.Name -like
"*/*") } | Format-List Name, Identity
If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>
3. Make sure there isn't a record of a previously successful migration by running the following command:
For detailed syntax and parameter information, see the following topics:
Get-PublicFolder
Get-PublicFolderDatabase
Set-PublicFolder
Get-PublicFolderStatistics
Get-PublicFolderClientPermission
Get-OrganizationConfig
Set-OrganizationConfig
Prerequisite steps on the Exchange 2016 server
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step isn't required in all cases; it's only required if you think there may be an
existing migration request in the pipeline.
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting requests for each type and for removing requests of each type are described below.
IMPORTANT
Before removing a migration request, it is important to understand why there was an existing one. Running the
following commands will determine when a previous request was made and help you diagnose any problems that
may have occurred. You may need to communicate with other administrators in your organization to determine why
the change was made.
Run the following command to discover any existing serial migration requests:
Run the following command to remove any existing public folder serial migration requests:
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest
Run the following command to discover any existing batch migration requests:
Run the following command to remove any existing public folder batch migration requests.
2. Make sure no public folders or public folder mailboxes exist on the Exchange 2016 servers by running the
following command:
Get-Mailbox -PublicFolder
If the command didn't return any public folder mailboxes, continue to Step 3: Generate the .csv files. If the
command returned any public folders, run the following command to see if any public folders exist:
Get-PublicFolder
If you have any public folders, run the following commands to remove them. Make sure you've saved any
information that was in the public folders.
NOTE
All information contained in the public folders will be permanently deleted when you remove them.
For detailed syntax and parameter information, see the following topics:
Get-MigrationBatch
Get-PublicFolderMigrationRequest
Remove-PublicFolderMigrationRequest
Get-Mailbox
Get-PublicFolder
Get-MailPublicFolder
Disable-MailPublicFolder
Remove-PublicFolder
Remove-Mailbox
FQDN of source server equals the fully qualified domain name of the Mailbox server where the
public folder hierarchy is hosted.
Folder to size map path equals the file name and path on a network shared folder where you want
the .csv file saved. Later in this topic, you'll need to access this file from the Exchange 2016 server. If
you specify only the file name, the file will be generated in the current PowerShell directory on the
local computer.
2. Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file.
This file is used to calculate the correct number of public folder mailboxes on the Exchange 2016 server.
NOTE
If the name of a public folder contains a backslash ****, the public folders will be created in the parent public folder.
We recommend that you review the .csv file and edit any names that contain a backslash.
Maximum mailbox size in bytes equals the maximum size you want to set for the new public folder
mailboxes. When specifying this setting, be sure to allow for expansion so the public folder mailbox
has room to grow.
Folder to size map path equals the file path of the .csv file you created when running the
Export-PublicFolderStatistics.ps1 script.
Folder to mailbox map path equals the file name and path of the folder-to-mailbox .csv file that
you'll create with this step. If you specify only the file name, the file will be generated in the current
PowerShell directory on the local computer.
Mapping.csv is the file generated by the PublicFoldertoMailboxMapGenerator.ps1 script in Step 3. The estimated
number of simultaneous user connections browsing a public folder hierarchy is usually less than the total number
of users in an organization.
Start-MigrationBatch PFMigration
In the EAC:
a. Log into Exchange Online and open the EAC.
b. Go to Recipients > Migration.
c. Select the migration batch you just created, and then click the start button.
In the EAC, the Status column will show the initial batch status as Created. The status changes to
Syncing during migration. When the migration request is complete, the status will be Synced. You
can double-click a batch to view the status of individual mailboxes within the batch. Mailbox jobs
begin with a status of Queued. When the job begins the status is Syncing, and once InitialSync is
complete, the status will show Synced.
You can view and manage the progress and completion of the migration in the Recipients > Migration tab in
the EAC.
Because the New-MigrationBatch cmdlet initiates a mailbox migration request for each public folder mailbox,
you can view the status of these requests using the mailbox migration page in the EAC, and you can create
migration reports that can be emailed to you.
1. Log into Exchange Online and open the EAC.
2. Go to Recipients > Migration.
3. Select the migration request that you just created and then click View Details in the Details pane.
For detailed syntax and parameter information, see the following topics:
New -PublicFolderMigrationRequest
Get-PublicFolderDatabase
Get-PublicFolderMigrationRequest
Get-PublicFolderMigrationRequestStatistics
Step 6: Lock down the public folders on the Exchange 2010 server for
final migration (downtime required)
Until this point in the migration, users have been able to access public folders. The next steps will log users off
from the Exchange 2010 public folders and lock the folders while the migration completes its final
synchronization. Users won't be able to access public folders during this process. Also, any mail sent to mail-
enabled public folders will be queued and won't be delivered until the public folder migration is complete.
Before you run the PublicFoldersLockedForMigration command as described below, make sure that all jobs are in
the Synced state. You can do this by running the Get-PublicFolderMailboxMigrationRequest command. Continue
with this step only after you've verified that all jobs are in the Synced state.
On the Exchange 2010 server, run the following command to lock the public folders for finalization.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Once that is done, you can complete the public folder migration by running the following command:
Complete-MigrationBatch PFMigration
Or, in EAC, you can complete the migration by clicking Complete this migration batch.
When you complete the migration, Exchange will perform a final synchronization between the Exchange 2010
server and Exchange 2016. If the final synchronization is successful, the public folders on the Exchange 2016
server will be unlocked and the status of the migration batch will change to Completing, and then Completed. It
is common for the migration batch to take a few hours before its status changes from Synced to Completing, at
which point the final synchronization will begin.
NOTE
If for any reason the migration batch file does not finalize (the PublicFolderMigrationComplete property value is False )
restart the Information Store (IS) on the Exchange 2010 server.
2. Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the
following public folder tests:
View the hierarchy.
Check permissions.
Create and delete public folders.
Post content to and delete content from a public folder.
3. If you run into any issues, see Roll back the migration later in this topic. If the public folder content and
hierarchy is acceptable and functions as expected, run the following command to unlock the public folders
for all other users.
Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false
IMPORTANT
Don't use the IsExcludedFromServingHierarchy parameter after initial migration validation is complete as this
parameter is used by the automated storage management service for Exchange Online.
4. On the Exchange 2010 server, run the following command to indicate that the public folder migration is
complete:
Set-OrganizationConfig -PublicFolderMigrationComplete:$true
5. After you've verified that the migration is complete, on the Exchange 2016 server, run the following
command:
6. Finally, if you want external senders to send mail to the migrated mail-enabled public folders, the
Anonymous user needs to be granted at least the Create Items permission. If you don't do this, external
senders will receive a delivery failure notification and the messages won't be delivered to the migrated
mail-enabled public folder.
You can use the Exchange Management Shell or Outlook to set the permissions on the Anonymous user. To
read more about how to set permissions on the Anonymous user, see Mail-enable or mail-disable a public
folder.
2. Run the following command to take a snapshot of the public folder statistics such as item count, size, and
owner.
IMPORTANT
Since all of your mailboxes have been migrated to Office 365 prior to the public folder migration, we strongly recommend
that you route the traffic through Office 365 (decentralized mail flow) instead of centralized mail flow through your on-
premises environment. If you choose to keep mail flow centralized, it could cause delivery issues to your public folders, since
you've removed the public folder mailbox databases from your on-premises organization.
For details about how to remove public folder databases from Exchange 2010 servers, see Remove Public Folder
Databases.
If you roll your migration back to the Exchange 2010 servers, you will lose any email that was sent to mail-
enabled public folders or content that was posted to public folders in Exchange 2016 after the migration. To save
this content, you need to export the public folder content to a .pst file and then import it to the Exchange 2010
public folders when the rollback is complete.
1. On the Exchange 2010 server, run the following command to unlock the migrated public folders. This
process may take several hours.
2. On the Exchange 2016 server, run the following commands to remove the public folder mailboxes.
3. On the Exchange 2010 server, run the following command to set the PublicFolderMigrationComplete
property value to False .
Applies to: Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019
Migrating your Exchange Server public folders to Exchange Online requires Exchange Server 2013 CU15 or later,
or Exchange Server 2016 CU4 or later, to be running in your on-premises environment. All versions of Exchange
Server 2019 are supported for batch migrations of public folders.
If you have a mixed environment of both Exchange 2013 and Exchange 2016/2019 public folders in your
organization, and you want to move them all to Exchange Online, the instructions in this article will work for you,
provided your Exchange 2013 servers have CU15 or later installed.
For instructions on migrating Exchange Server 2010 public folders to Exchange Online, see Use batch migration
to migrate legacy public folders to Exchange Online.
NOTE
If your current public folder quotas in Exchange Online are less than 25 GB, you can use the Set-OrganizationConfig
cmdlet to increase them with the DefaultPublicFolderIssueWarningQuota and DefaultPublicFolderProhibitPostQuota
parameters.
In Office 365 and Exchange Online, you can create a maximum of 1000 public folder mailboxes.
If you intend to migrate users to Office 365, you should complete your user migration prior to migrating
your public folders. For more information, see Ways to migrate multiple email accounts to Office 365.
MRS Proxy needs to be enabled on at least one Exchange server, a server that is also hosting public folder
mailboxes. See Enable the MRS Proxy endpoint for remote moves for details.
To perform the migration procedures in this article, you can't use the Exchange admin center (EAC ). Instead,
you need to use the Exchange Management Shell on your Exchange servers. In Exchange Online, you need
to use Exchange Online PowerShell. For more information, see Connect to Exchange Online PowerShell.
Skipping the migration of deleted items and deleted folders from Exchange Server to Exchange Online is
supported. For more information, see the Exchange Team blog post about modern public folder migrations
without dumpster data.
You must use a single migration batch to migrate all of your public folder data. Exchange allows creating
only one migration batch at a time. If you attempt to create more than one migration batch simultaneously,
the result will be an error. Also note that once the migration batch has a status of "Completed," no more
data can be copied over from the source environment.
We recommend that you don't use Outlook's PST export feature to migrate public folders to Office 365 or
Exchange Online. Public folder mailbox growth in Exchange Online is managed using an auto-split feature
that splits the public folder mailbox when it exceeds size quotas. Auto-split can't handle the sudden growth
of public folder mailboxes when you use PST export to migrate your public folders, and you may have to
wait for up to two weeks for auto-split to move the data from the primary mailbox. We recommend that
instead you use the cmdlet-based instructions in this article to migrate your public folders. If you still decide
to migrate public folders using PST export, see Migrate Public Folders to Office 365 by using Outlook PST
export later in this article.
Before you begin, please read this article in its entirety. For some steps there is downtime required. During
this downtime, public folders will not be accessible by anyone.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Example:
To check if the accepted domain is already present in your on-premises environment, run the following:
NOTE
If you're expecting your mail-enabled public folders in Exchange Online to receive external emails from the Internet,
you have to disable Directory Based Edge Blocking (DBEB) in Exchange Online and Exchange Online Protection (EOP).
See Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients for more information.
2. If the name of a public folder contains a backslash \ or a forward slash /, it may not get migrated to its
designated mailbox during the migration process. Before you migrate, rename any such folders to remove
these characters.
a. To locate public folders that have a backslash in the name, run the following command:
Get-PublicFolder -Recurse -ResultSize Unlimited | Where {$_.Name -like "*\*" -or $_.Name -like "*/*"} |
Format-List Name, Identity, EntryId
b. If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity "<public folder EntryId>" -Name "<new public folder name>"
3. (This step is only required only if you are re-doing a previous migration attempt for some reason. If this is
not the case, skip to the next step.) Run the following cmdlets to confirm there isn't a record of a previous,
successful migration in your organization. If there is, you need to set that value to $false .
Before changing the values, please confirm that the previous migration attempt can be discarded so that
you don't accidentally perform a second migration.
a. Run the following command to check for any previous migrations, and the status of those migrations:
b. If any of the above is returned with a value set to $true , make them $false by running:
Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -
PublicFolderMailboxesMigrationComplete:$false
4. For the purpose of verifying the success of the migration upon its completion, we recommend that you run
the following commands on all appropriate Exchange 2016 or Exchange 2019 servers. This will take
snapshots of your current public folder deployment that you can later use to compare with your newly
migrated public folders.
NOTE
Depending on the size of your Exchange organization, it could take some time for these commands to run.
Run the following command to take a snapshot of the original source folder structure.
Run the following command to take a snapshot of public folder statistics such as item count, size,
and owner.
Run the following command to take a snapshot of your mail-enabled public folders:
Save the files generated from the preceding commands in a safe place in order to make a
comparison at the end of the migration.
5. If you're using Microsoft Azure Active Directory Connect (Azure AD Connect) to synchronize your on-
premises directories with Azure Active Directory, you need to do the following (if you aren't using Azure
AD Connect, you can skip this step):
a. On an on-premises computer, open Microsoft Azure Active Directory Connect, and then select
Configure.
b. On the Additional tasks screen, select Customize synchronization options, and then click Next.
c. On the Connect to Azure AD screen, enter the appropriate credentials, and then click Next. Once
connected, keep clicking Next until you're on the Optional Features screen.
d. Make sure that Exchange Mail Public Folders is not selected. If it isn't selected, you can continue
to the next section, Prerequisite steps in Exchange Online. If it is selected, click to clear the check box,
and then click Next.
NOTE
If you don't see Exchange Mail Public Folders as an option on the Optional Features screen, you can exit
Microsoft Azure Active Directory Connect and proceed to the next section, Prerequisite steps in Exchange
Online.
e. After you have cleared the Exchange Mail Public Folders selection, keep clicking Next until you're
on the Ready to configure screen, and then click Configure.
Prerequisite steps in Exchange Online
In Exchange Online PowerShell, do the following:
1. Make sure there are no existing public folder migration requests. If there are, clear them or your own
migration request will fail. This step is only required if you think there may be an existing migration request
in the pipeline (one that has failed or that you wish to abort).
An existing migration request can be one of two types: batch migration or serial migration. The commands
for detecting, and removing, each type of request are as follows.
The following example will discover any existing serial migration requests:
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics
The following example removes any existing public folder serial migration requests:
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest
The following example will discover any existing batch migration requests:
The following example removes any existing public folder batch migration requests:
2. Make sure there aren't any existing public folders or public folder mailboxes in Exchange Online. If you do
discover public folders in Exchange Online after following the steps below, it's important to determine why
they are there and who in your organization started a public folder hierarchy before you begin removing
any public folders and public folder mailboxes.
a. In Office 365 or Exchange Online PowerShell, run the following command to see if any public folders
mailboxes exist.
Get-Mailbox -PublicFolder
b. If the command doesn't return any public folder mailboxes, continue to Step 3: Generate the .csv files. If
the command does return any public folders mailboxes, run the following command to see if any public
folders exist:
Get-PublicFolder -Recurse
3. If you do have any public folders in Office 365 or Exchange Online, run the following PowerShell command
to remove them (after confirming that they are not needed). Make sure that you've saved any information
within these public folders before deleting them, because all information will be permanently deleted when
you remove the public folders.
4. After the public folders are removed, run the following commands to remove all public folder mailboxes:
$hierarchyMailboxGuid = $(Get-OrganizationConfig).RootPublicFolderMailbox.HierarchyMailboxGuid
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -ne $hierarchyMailboxGuid} | Remove-Mailbox -
PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder | Where-Object {$_.ExchangeGuid -eq $hierarchyMailboxGuid} | Remove-Mailbox -
PublicFolder -Confirm:$false -Force
Get-Mailbox -PublicFolder -SoftDeletedMailbox | % {Remove-Mailbox -PublicFolder $_.PrimarySmtpAddress -
PermanentlyDelete:$true -force}
Example:
.\Export-ModernPublicFolderStatistics.ps1 stats.csv
2. Run the ModernPublicFolderToMailboxMapGenerator.ps1 script to create a .csv file that maps source public
folders to public folder mailboxes in your Exchange Online destination. This file is used to calculate the
correct number of public folder mailboxes in Exchange Online.
Note that the file generated by ModernPublicFolderToMailboxMapGenerator.ps1 will not contain the name of every
public folder in your organization. It will contain references to the parent folders of larger folder trees, or the
names of folders which themselves are significantly large. You can think of this file as an "exception" file used to
make sure certain folder trees and larger folders get placed into specific public folder mailboxes. It is normal to not
see every one of your public folders in this file. Child folders of any folder listed in this mapping file will also be
migrated to the same public folder mailbox as their parent folder (unless explicitly mentioned on another line
within the mapping file that directs them to a different public folder mailbox).
Maximum mailbox size in bytes is the maximum amount of data you want to migrate into any single public
folder mailbox in Exchange Online. The maximum size of this field is currently 50 GB, but we recommend
you use a smaller size, such as 50% of maximum size, to allow for future growth.
Maximum mailbox recoverable items size in bytesis the recoverable items quota on your Exchange Online
mailboxes. The maximum size of public folder mailboxes In Exchange Online is currently 50 GB. We
recommend setting RecoverableItemsQuota to 15 GB or less.
Folder-to-size map path is the file path of the .csv file you created when you ran the
Export-ModernPublicFolderStatistics.ps1 script.
Folder-to-mailbox map path is the file path of the folder-to-mailbox .csv file that you're creating in this step.
If you only specify a file name, the file will be generated in the current PowerShell directory on the local
computer.
Example:
NOTE
We don't support the migration of public folders to Exchange Online when there are more than 100 unique public folder
mailboxes in Exchange Online. During migration you can have up to 100 public folder mailboxes enabled to serve hierarchy.
Folder-to-mailbox map path is the file path of the folder-to-mailbox.csv file that was generated by the
ModernPublicFoldertoMailboxMapGenerator.ps1 script in Step 3: Generate the .csv files.
b. Take the MRS Proxy Server information from the Exchange Server environment that you found in step 2
above and pass it into the variable:
4. In Exchange Online PowerShell, run the following commands to create the public folder migration endpoint
and the public folder migration request:
NOTE
Separate multiple email addresses with commas.
Where folder_mapping.csv is the map file that was generated in Step 3: Create the .csv files. Be sure to
provide the full file path. If the map file was moved for any reason, be sure to use the new location.
5. Finally, start the migration using the following command in Exchange Online PowerShell:
Start-MigrationBatch PublicFolderMigration
While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress and completion of the migration can be viewed and managed in the EAC or by running the Get-
MigrationBatch cmdlet. The New-MigrationBatch cmdlet initiates a mailbox migration request for each public
folder mailbox, and you can view the status of these requests using the mailbox migration page.
To go to the mailbox migration page:
1. Log on to Exchange Online and open the EAC.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
Before moving on to Step 6: Lock down the public folders on the Exchange on-premises server, verify that all data
has been copied and that there are no errors in the migration. Once you have confirmed that the batch has moved
to the state of Synced, run the commands mentioned in Step 2: Prepare for the migration, in the final step under
Prerequisite steps in the Exchange Server on-premises environment, to take a snapshot of the public
folders on-premises.
Once these commands have run, you can proceed to the next step. Note that these commands could take a while
to complete depending on the number of folders you have. The migration process will synchronize the data from
the source (on-premises) environment once every 24 hours.
You can use the following cmdlets to monitor your migration:
Get-PublicFolderMailboxMigrationRequest
Get-PublicFolderMailboxMigrationRequestStatistics
Get-MigrationBatch
NOTE
If you aren't able to access the -PublicFolderMailboxesLockedForNewConnections parameter, it could be because your
Active Directory was not prepared during the CU upgrade, as we advised above in What do you need to know before you
begin? See Prepare Active Directory and domains for more information. Also note that any users who need access to public
folders should be migrated first, before you migrate the public folders themselves.
If your organization has public folder mailboxes on multiple Exchange servers, you'll need to wait until Active
Directory replication is complete. Once complete, you can confirm that all public folder mailboxes have picked up
the PublicFolderMailboxesLockedForNewConnections flag, and that any pending changes users recently made to their
public folders have converged across the organization. All of this could take several hours.
Run the following command in your on-premises environment to ensure that public folders are locked:
Get-PublicFolder \
Next, to complete the public folder migration, run the following command in Exchange Online PowerShell:
Complete-MigrationBatch PublicFolderMigration
IMPORTANT
After a migration batch is completed, no additional data can be synchornized from Exchange servers on-premises and
Exchange Online.
When you run Complete-MigrationBatch PublicFolderMigration , Exchange will perform a final synchronization
between your Exchange on-premises organization and Exchange Online. During this period, the status of the
migration batch will change from Synced to Completing, and then finally to Completed. If the final
synchronization is successful, the public folders in Exchange Online will be unlocked. However, it is strongly
recommended that you complete Step 8 and Step 9 of this article before you open up public folders to your users.
It is common for the migration batch to take a few hours before its status changes from Synced to Completing,
at which point the final synchronization will begin.
Make sure that your test users have necessary permissions to create public folders.
2. Log on to Outlook with the test user you designated in the previous step, and then perform the following
public folder tests. Note that it may take 15 to 30 minutes for changes to take effect. Once Outlook is aware
of the changes, it might prompt you to restart a couple of times.
a. View the hierarchy.
b. Check permissions.
c. Create some public folders and then delete them.
d. Post content to, and delete content from, a public folder.
If you run into any issues and determine you aren't ready to switch your organization's public folders
entirely to Exchange Online, see Roll back a public folder migration from Exchange Server to Exchange
Online.
3. Run the following command in Exchange Online PowerShell to unlock your public folders in Exchange
Online. After you run the command, it may take approximately 15 to 30 minutes for the changes to take
effect. Once Outlook is aware of the changes, it might prompt your users to restart Outlook a couple of
times.
2. In your on-premises environment, run the following script to make sure all emails to mail-enabled public
folders are correctly routed to Exchange Online. The script will stamp mail-enabled public folders with an
ExternalEmailAddress that points them to their Exchange Online counterparts:
.\SetMailPublicFolderExternalAddress.ps1 -ExecutionSummaryFile:mepf_summary.csv
3. If your testing is successful, in your on-premises environment, run the following command to indicate that
the public folder migration is complete:
2. In Exchange Online PowerShell, run the following command to take a snapshot of the public folder
statistics, including item count, size, and owner:
3. In Exchange Online PowerShell, run the following command to take a snapshot of the permissions:
Known issues
The following are common public folder migration issues that you may encounter in your organization.
We don't support the migration of public folders to Exchange Online when there are more than 100 unique
public folder mailboxes in Exchange Online.
Permissions for the root public folder and the EFORMS REGISTRY folder will not be migrated to Exchange
Online, and you will have to manually apply them in Exchange Online. To do this, run the following
command in your Exchange Online PowerShell. Run the command once for each permission entry that is
present on-premises but missing in Exchange Online:
There is a known issue where some public folder migrations will fail if some public folder mailboxes are not
serving the public folder hierarchy. This means the IsExcludedFromServingHierarchy parameter on one or
more mailboxes is set to $true . To avoid this, set all mailboxes in Exchange Online to serve the hierarchy.
Send As and Send on Behalf permissions don't get migrated to Exchange Online. If this happens with
your migration, use the following commands in your on-premises environment to note who has these
permissions.
To see which public folders have Send As permissions on-premises:
To add Send As permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:
Add-RecipientPermission -Identity <mail-enabled public folder primary SMTP address> -Trustee <name of
user to be assigned permission> -AccessRights SendAs
Example:
To add Send on Behalf permission to a mail-enabled public folder in Exchange Online, in Exchange Online
PowerShell type:
Set-MailPublicFolder -Identity <name of public folder> -GrantSendOnBehalfTo <user or comma-separated
list of users>
Example:
Having more than 10,000 folders under the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder can cause
the migration to fail. Therefore, check the "\NON_IPM_SUBTREE\DUMPSTER_ROOT" folder to see if
there are more than 10,000 folders directly under it (immediate children). You can use the following
command to find the number of public folders in this location:
Exchange Online does not support more than 10,000 subfolders, which is why migrations of more than
10,000 folders will fail. We are currently developing a script to unblock such configurations. In the
meantime, we suggest waiting to migrate your public folders.
Migration jobs are not making progress or are stalled. This can happen if there are too many jobs running
in parallel, causing jobs to fail with intermittent errors. You can reduce the number of concurrent jobs by
modifying MaxConcurrentMigrations and MaxConcurrentIncrementalSyncs to a smaller number. Use the
following example to set these values:
Migration jobs fail with the error "Error: Dumpster of the Dumpster folder." If you see this error, it should be
resolved if you stop the batch and then restart it.
Migration jobs fail with the error "Request was quarantined because of the following error: The given key
was not present in the dictionary." This happens when a corrupt item is present in a folder which migration
jobs cannot copy. To work around this:
1. Stop the migration batch.
2. Identify the folder containing the bad item. The migration report should include references to the
folder that was being copied when the error occurred.
3. In your on-premises environment, move the affected folder to the primary public folder mailbox. You
can use the New-PublicFolderMoveRequest cmdlet to move folders.
4. Wait for the folder move to complete. After it is complete, remove the move request. Finally, re-start
the migration batch.
If you've already started a PST migration and have run into an issue where the primary mailbox is full, you have
two options for recovering the PST migration. The first option is to wait for the auto-split to move the data from
the primary mailbox. This may take up to two weeks. However, all the public folders in a completely filled public
folder mailbox won't be able to receive new content until the auto-split completes. Option two is to create a public
folder mailbox in Exchange Server and then use the [New-PublicFolder] cmdlet with the Mailbox parameter to
create the remaining public folders in the secondary public folder mailbox.
Roll back a public folder migration from Exchange
Server to Exchange Online
8/23/2019 • 2 minutes to read • Edit Online
If you run into issues with your public folder migration to Exchange Online, or for any other reason need to
reactivate your Exchange Server public folders, follow the steps below.
Set-OrganizationConfig -PublicFolderMailboxesLockedForNewConnections:$false -
PublicFolderMailboxesMigrationComplete:$false -PublicFoldersEnabled Local
2. In your Exchange on-premises environment, revert the ExternalEmailAddress of any mail-enabled public
folder that was updated by SetMailPublicFolderExternalAddress.ps1 (the script used in Step 8: Test and
unlock public folders in Exchange Online of Use batch migration to migrate Exchange Server public folders
to Exchange Online. You can refer to the summary file created by the script to identify the ones that were
modified, or use the file OnPrem_MEPF.xml file generated earlier in the same batch migration process to
get the original properties for all mail-enabled public folders.
3. In Exchange Online PowerShell, run the following commands to remove all Exchange Online public folders
and mailboxes:
4. Run the following command in your Exchange Online environment to redirect public folder traffic back to
on-premises (Exchange Server):
5. See Configure Exchange 2013 public folders for a hybrid deployment for instructions on reconfiguring
access to your on-premises public folders, so that your Exchange Online users can access them.
Use batch migration to migrate Exchange Server
public folders to Office 365 Groups
8/23/2019 • 19 minutes to read • Edit Online
Through a process known as batch migration, you can move some or all of your Exchange Server public folders to
Office 365 Groups. Groups is a new collaboration offering from Microsoft that offers certain advantages over
public folders. See Migrate your public folders to Office 365 Groups for an overview of the differences between
public folders and Groups, and reasons why your organization may or may not benefit from switching to Groups.
This article contains the step-by-step procedures for performing the actual batch migration of your Exchange
Server public folders.
NOTE
Make sure to save all scripts and files to the same location.
AddMembersToGroups.ps1. This script adds members and owners to Office 365 Groups based on
permission entries in the source public folders.
AddMembersToGroups.strings.psd1. This support file is used by the script AddMembersToGroups.ps1 .
LockAndSavePublicFolderProperties.ps1. This script makes public folders read-only to prevent any
modifications, and it transfers the mail-related public folder properties (provided the public folders are mail-
enabled) to the target groups, which will re-route emails from the public folders to the target groups. This
script also backs up the permission entries and the mail properties before modifying them.
LockAndSavePublicFolderProperties.strings.psd1: This support file is used by the script
LockAndSavePublicFolderProperties.ps1 .
WriteLog.ps1. This script enables the preceding three scripts to write logs.
RetryScriptBlock.ps1. This script enables the AddMembersToGroups , LockAndSavePublicFolderProperties , and
UnlockAndRestorePublicFolderProperties scripts to retry certain actions in the event of transient errors.
Get-MigrationConfig
If the output under Features lists PAW, then the feature is enabled and you can continue to Step 3: Create
the .csv file.
If PAW is not yet enabled for your tenant, it could be because you have some existing migration batches,
either public folder batches or user batches. These batches could be in any state, including Completed. If this
is the case, please complete and remove any existing migration batches until no records are returned when
you run Get-MigrationBatch . Once all existing batches are removed, PAW should get enabled automatically.
Note that the change may not reflect in Get-MigrationConfig immediately, which is okay. Once this step is
completed, you can continue creating new batches of user migrations.
An example .csv:
"FolderPath","TargetGroupMailbox"
"\Sales","sales@contoso.onmicrosoft.com"
"\Sales\APAC","apacsales@contoso.onmicrosoft.com"
"\Sales\EMEA","emeasales@contoso.onmicrosoft.com"
Note that a mail folder and a calendar folder can be merged into a single group in Office 365. However, any other
scenario of multiple public folders merging into one group isn't supported within a single migration batch. If you
do need to map multiple public folders to the same Office 365 group, you can accomplish this by running different
migration batches, which should be executed consecutively, one after another. You can have up to 500 entries in
each migration batch.
One public folder should be migrated to only one group in one migration batch.
Step 4: Start the migration request
In this step, you gather information from your Exchange environment, and then you use that information in
Exchange Online PowerShell to create a migration batch. After that, you start the migration.
1. On the Exchange 2016 or Exchange 2019 server, find the MRS proxy endpoint server and make note of it.
You will need this information later when you run the migration request.
2. In Exchange Online PowerShell, use the information that was returned above in step 1 to run the following
commands. The variables in these commands will be the values from step 1.
a. Pass the credential of a user with administrator permissions in the Exchange Server environment into
the variable $Source_Credential . When you eventually run the migration request in Exchange Online,
you will use this credential to gain access to your Exchange 2016 or Exchange 2019 servers in order
to copy the content over to Exchange Online.
$Source_Credential = Get-Credential
<source_domain>\<PublicFolder_Administrator_Account>
b. Use the MRS proxy server information from your Exchange Server environment that you noted in
Step 1 above and pass that value into the variable $Source_RemoteServer .
3. In Exchange Online PowerShell, run the following command to create a migration endpoint:
4. Run the following command to create a new public folder-to-Office 365 group migration batch. In this
command:
CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path
to this file. If the file was moved for any reason, be sure to verify and use the new location.
NotificationEmails is an optional parameter that can be used to set email addresses that will
receive notifications about the status and progress of the migration.
AutoStart is an optional parameter which, when used, starts the migration batch as soon as it is
created.
PublicFolderToUnifiedGroup is the parameter to indicate that it is a public folder to Office 365
Groups migration batch.
5. Start the migration by running the following command in Exchange Online PowerShell. Note that this step
is necessary only if the -AutoStart parameter was not used while creating the batch above in step 4.
Start-MigrationBatch PublicFolderToGroupMigration
While batch migrations need to be created using the New-MigrationBatch cmdlet in Exchange Online PowerShell,
the progress of the migration can be viewed and managed in Exchange admin center. You can also view the
progress of the migration by running the Get-MigrationBatch and Get-MigrationUser cmdlets. The
New-MigrationBatch cmdlet initiates a migration user for each Office 365 group mailbox, and you can view the
status of these requests using the mailbox migration page.
To view the mailbox migration page:
1. In Exchange Online, open Exchange admin center.
2. Navigate to Recipients, and then select Migration.
3. Select the migration request that was just created and then, on the Details pane, select View Details.
When the batch status is Completed, you can move on to Step 5: Add members to Office 365 groups from public
folders.
Once users have been added to a group in Office 365, they can begin using it.
Step 6: Lock down the public folders (public folder downtime required)
When the majority of the data in your public folders has migrated to Office 365 Groups, you can run the script
LockAndSavePublicFolderProperties.ps1 on the Exchange 2016 or Exchange 2019 server to make the public folders
read-only. This step ensures that no new data is added to public folders before the migration completes.
NOTE
If there are mail-enabled public folders (MEPFs) among the public folders being migrated, this step will copy some properties
of MEPFs, such as SMTP addresses, to the corresponding group in Office 365 and then mail-disable the public folder. Because
the migrating MEPFs will be mail-disabled after the execution of this script, you will start seeing emails sent to MEPFs instead
being received in the corresponding groups. For more details, see Migration scripts later in this article.
Next, create a new batch with the same .csv file by running the following command. In this command:
CSVData is the .csv file created above in Step 3: Create the .csv file. Be sure to provide the full path to this
file. If the file was moved for any reason, be sure to verify and use the new location.
NotificationEmails is an optional parameter that can be used to set email addresses that will receive
notifications about the status and progress of the migration.
AutoStart is an optional parameter which, when used, starts the migration batch as soon as it is created.
After the new batch is created, start the migration by running the following command in Exchange Online
PowerShell. Note that this step is only necessary if the -AutoStart parameter was not used in the preceding
command.
Start-MigrationBatch PublicFolderToGroupMigration
After you have finished this step (the batch status is Completed), verify that all data has been copied to Office 365
Groups. At that point, provided you're satisfied with the Groups experience, you can begin deleting the migrated
public folders from your Exchange Server environment.
IMPORTANT
While there are supported procedures for rolling back your migration and returning to public folders, this isn't possible after
the source public folders have been deleted. See How do I roll back to public folders from Office 365 Groups?) for more
information.
Known issues
The following known issues can occur during a typical public folders to Office 365 Groups migration.
The script that transfers SMTP address from mail-enabled public folders to Office 365 Group only adds the
addresses as secondary email addresses in Exchange Online. Because of this, if you have Exchange Online
Protection (EOP ) or Centralized Mail Flow setup in your environment, will have issues sending email to the
groups (to the secondary email addresses) post-migration.
If the .csv mapping file has an entry with invalid public folder path, the migration batch displays as
Completed without throwing an error, and no further data is copied.
Migration scripts
For your reference, this section provides in-depth descriptions for three of the migration scripts and the tasks they
execute in your Exchange environment. You can download all scripts and supporting files from this location.
AddMembersToGroups.ps1
This script will read the permissions of the public folders being migrated and then add members and owners to
Office 365 Groups as follows:
Users with the following permission roles will be added as members to a group in Office 365. Permission
roles: Owner, PublishingEditor, Editor, PublishingAuthor, Author
In addition to the above, users with the following minimum access rights will also be added as members to
a group in Office 365. Access rights: ReadItems, CreateItems, FolderVisible, EditOwnedItems,
DeleteOwnedItems
Users with access right "Owner" will be added as owners to a group and users with other eligible access
rights will be added as members.
Security groups cannot be added as members to groups in Office 365. Therefore they will be expanded, and
then the individual users will be added as members or owners to the groups based on the access rights of
the security group.
When users in security groups that have access rights over a public folder have themselves explicit
permissions over the same public folder, explicit permissions will be given preference. For example, consider
a case in which a security group called "SG1" has members User1 and User2. Permission entries for the
public folder "PF1" are as follows:
SG1: Author in PF1
User1: Owner in PF1
In this case, User1 will be added as an owner to the group in Office 365.
When the default permission of a public folder being migrated is 'Author' or above, the script will suggest
setting the corresponding group's privacy setting as 'Public'.
This script can be run even after the lock-down of public folders, with parameter the ArePublicFoldersLocked set to
$true . In this scenario, the script will read permissions from the back up file created during lock-down.
LockAndSavePublicFolderProperties.ps1
This script makes the public folders being migrated read-only. When mail-enabled public folders are migrated,
they will first be mail-disabled and their SMTP addresses will be added to the respective groups in Office 365.
Then the permission entries will be modified to make them read-only. A back up of the mail properties of mail-
enabled public folders, as well as the permission entries of all the public folders, will be copied, before performing
any modification on them.
If there are multiple migration batches, a separate backup directory should be used with each mapping .csv file.
The following mail properties will be stored, along with respective mail-enabled public folders and Office 365
groups:
PrimarySMTPAddress
EmailAddresses
ExternalEmailAddress
EmailAddressPolicyEnabled
GrantSendOnBehalfTo
SendAs Trustee list
The above mail properties will be stored in a .csv file, which can be used in the roll back process (if you want to
return to using public folders, see How do I roll back to public folders from Office 365 Groups? for more
information). A snapshot of the mail-enabled public folders' properties will also be stored in a file called
PfMailProperties.csv. This file is not necessary for the roll back process, but can still be used for your reference.
The following mail properties will be migrated to target groups as part of lock down:
PrimarySMTPAddress
EmailAddresses
SendAs Trustee list
GrantSendOnBehalfTo
The script ensures that the PrimarySMTPAddress and EmailAddresses of migrating mail-enabled public folders
will be added as secondary SMTP addresses of the corresponding groups in Office 365. Also, SendAs and
SendOnBehalfTo permissions of users on mail-enabled public folders will be given equivalent permission in the
corresponding target groups.
Access rights allowed
Only the following access rights will be allowed for users to ensure that the public folders are made read-only for
all users. These are stored in ListOfAccessRightsAllowed:
ReadItems
CreateSubfolders
FolderContact
FolderVisible
The permission entries will be modified as follows:
None None
AvailabilityOnly AvailabilityOnly
LimitedDetails LimitedDetails
Contributor FolderVisible
BEFORE LOCK DOWN AFTER LOCK DOWN
Access rights for users without read permissions will be left untouched, and they will continue to be blocked
from read rights.
For users with custom roles, all the access rights that are not in ListOfAccessRightsAllowed will be
removed. In the event that the users don't have any access rights from the allowed list after filtering, these
users' access right will be set to 'None'.
There might be an interruption in sending emails to mail-enabled public folders during the time between when the
folders are mail-disabled and their SMTP addresses are added to Office 365 Groups.
UnlockAndRestorePublicFolderProperties.ps1
This script will re-assign permissions back to public folders, based on the back up file taken during public folder
lock-down. This script will also mail-enable public folders that had been mail-disabled, after it removes the folders'
SMTP addresses from their respective groups in Office 365. There might be slight downtime during this process.
Be aware that any items added to the Office 365 group, or any edit operations performed in the groups, are not
copied back to your public folders. Therefore there will be data loss, assuming new data was added while the public
folder was a group.
Note also that it's not possible to restore a subset of public folders, which means all of the public folders there were
migrated should be restored.
The corresponding groups in Office 365 won't be deleted as part of the roll back process. You'll have to clean or
delete those groups manually.
Migrate public folders from Exchange 2013 to
Exchange 2016 or Exchange 2019
8/23/2019 • 5 minutes to read • Edit Online
To migrate your Exchange 2013 public folders to Exchange 2016 or Exchange 2019, you need to move all of your
Exchange 2013 public folder mailboxes to an Exchange 2016 server or Exchange 2019 server.
Before you move your public folder mailboxes, here are some things you should consider:
Capacity: The size of your public folder mailboxes might vary significantly depending on how many public
folders and public folder mailboxes you have. Make sure the target Exchange servers where you'll move
your public folder mailboxes have enough storage capacity.
Time: It might take a while to move your public folder mailboxes. The following items could impact how
long it takes:
Public folder mailbox size
The number of public folder mailboxes
Network bandwith
The good news is that your public folders will remain available during the public folder mailbox move. There's only
a brief time window where the public folders might no be available (as the move completes).
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. Use the following syntax to list all mailbox databases on all Exchange 2016 or Exchange 2019 Mailbox
servers:
Get-ExchangeServer | Where {($_.AdminDisplayVersion -like '<Version>') -and ($_.ServerRole -Like
"*Mailbox*")} | Get-MailboxDatabase | Format-List Server,Name,EdbFilePath
You can use the location information that's returned by this command to check the available free disk space
for each mailbox database.
This example returns the locations of all mailbox databases on all Exchange 2016 Mailbox servers.
This example returns the locations of all mailbox databases on all Exchange 2019 Mailbox servers.
This example returns the locations of all mailbox databases on all Exchange 2016 and Exchange 2019
Mailbox servers.
3. Use the information from the previous steps to decide the target mailbox database and/or Mailbox server (if
you have more than one) to move some or all of your public folder mailboxes to. For example, you might
not want to move three large public folder mailboxes to a server with low available drive space.
You can also decide whether you want to move all public folder mailboxes at once, all public folder
mailboxes on a specific server, or a specific public folder mailbox.
Choose the command that fits the kind of move you want to do. Be sure to replace the Exchange server
names, database names, and public folder mailbox names with your own.
Move all Exchange 2013 public folder mailboxes at once.
Move all public folder mailboxes on a specific Exchange 2013 server at once.
4. To see the status of the move requests you created, run the following command:
Get-MoveRequest
Depending on the size of the public folder mailboxes you're moving and your available network capacity, it
could take several hours or days for the moves to complete.
For a list of possible status values that can be returned, see the next section.
Get-MoveRequest
The command will return each move request you created along with one of the following status values:
Completed: The public folder mailbox was successfully moved to the target mailbox database.
CompletedWithWarning: The public folder mailbox was moved to the target mailbox database, but
one or more issues were encountered during the move. You can find more information by viewing
the move report that was delivered to the Administrator mailbox.
CompletionInProgress: The public folder mailbox move to the target mailbox database is in its final
stages. Public folders hosted in this mailbox may be unavailable for a brief period of time while the
move is finalized.
InProgress: The public folder mailbox move to the target mailbox database is underway. Public
folders hosted in this mailbox are available during this portion of the move.
Failed: The public folder mailbox move failed for one or more reasons. You can find more
information by viewing the move report that was delivered to the Administrator mailbox.
Queued: The public folder mailbox move has been submitted but the move hasn't started yet.
Retry: The migration service is currently having trouble proceeding with the job, but it has not given
up, and will continue trying.
AutoSuspended: The public folder mailbox move is ready to enter its final stages but won't proceed
further until you manually resume the move.
This option can be helpful if you want to choose the time a move will complete. You can
automatically suspend a move when you create it by using the SuspendWhenReadyToComplete
switch on the New-MoveRequest cmdlet. To resume the move when you're ready, use the Resume-
MoveRequest cmdlet.
Suspended: The public folder mailbox move has been manually suspended by Suspend-
MoveRequest cmdlet and won't proceed until you manually resume the move. To resume the move
when you're ready, use the Resume-MoveRequest cmdlet.
View the location of your public folder mailboxes after their move request has completed by running the
following command on an Exchange 2016 or Exchange 2019 server:
In the list public folder mailboxes that are returned, verify that they've each been moved to an Exchange
2016 Mailbox server.
Set up public folders in a new organization
8/23/2019 • 3 minutes to read • Edit Online
Public folders in Exchange are based on a mailbox architecture that allows public folders to benefit from things
such as the resiliency of a Database Availability Group (DAG ) and other mailbox features.
For limits in on-premises Exchange Server, see Limits for public folders.
For additional management tasks related to public folders in Exchange Server, see Public folder procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Before you can create a public folder in Exchange server, you must first create a public folder mailbox. Public
folder mailboxes contain the hierarchy information as well as the content for public folders.
The first public folder mailbox that you create in the organization is the primary hierarchy mailbox, which contains
the only writable copy of the public folder hierarchy. Any additional public folder mailboxes that you create are
secondary hierarchy mailboxes, which contain a read-only copy of the public folder hierarchy. You can create
multiple public folder mailboxes for load balancing.
NOTE
For more information about the storage quotas and limits for public folders in on-premises Exchange, see Limits for public
folders.
For additional management tasks related to public folders in Exchange Server, see Public folder procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example creates the primary hierarchy public folder mailbox named Master Hierarchy, because this is the
first public folder mailbox in the organization (the value of the Name parameter doesn't determine whether the
mailbox is the primary hierarchy public folder mailbox).
This example creates a secondary hierarcy public folder mailbox named Istanbul, because this isn't the first public
folder mailbox in the organization (the value of the Name parameter doesn't determine whether the mailbox is a
secondary hierarchy public folder mailbox).
In the Exchange Management Shell, run the following commands to verify the primary hierarchy public
folder mailbox:
1. Run the following command:
```
Get-OrganizationConfig | Format-List RootPublicFolderMailbox
```
2. Use the GUID value returned by the first command with Get-Mailbox to confirm the mailbox name.
You can copy the GUID value by right-clicking in the Exchange Management Shell window, selecting
Mark, highlighting the GUID value, and then pressing ENTER.
```
Get-Mailbox -PublicFolder -Identity <GUID>
```
Create a public folder
8/23/2019 • 2 minutes to read • Edit Online
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization.
By default, a public folder inherits the settings of its parent folder, including the permissions settings.
For additional management tasks related to public folders, see Public folder procedures.
IMPORTANT
Don't use a backslash () in the name when creating a public folder.
5. In the Path box, verify the path to the public folder. If this isn't the desired path, click Cancel and follow
Step 2 of this procedure.
6. Click Save.
Get-PublicFolder -Recurse
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Mail-enable or mail-disable a public folder
8/23/2019 • 3 minutes to read • Edit Online
Public folders are designed for shared access and provide an easy and effective way to collect, organize, and share
information with other people in your workgroup or organization. Mail-enabling a public folder allows users to
post to the public folder by sending an email message to it. When a public folder is mail-enabled additional
settings become available for the public folder in the Exchange admin center (EAC ), such as email addresses and
mail quotas. In the Exchange Management Shell, before a public folder is mail-enabled, you use the Set-
PublicFolder cmdlet to manage all of its settings. After the public folder is mail-enabled, you use the Set-
PublicFolder and the Set-MailPublicFolder cmdlets to manage the settings.
If you want users on the Internet to send mail to a mail-enabled public folder, you need to set addition permissions
using the Add-PublicFolderClientPermission cmdlet.
For additional management tasks related to managing public folders, see Public folder procedures.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example mail-enables the public folder Reports under the Marketing public folder, but hides the folder from
address lists.
If you want external users to send mail to this public folder, make sure you follow the steps in Allow anonymous
users to send email to a mail-enabled public folder.
For detailed syntax and parameter information, see Enable-MailPublicFolder.
You can use the Exchange Management Shell to retrieve statistics about a public folder, such as the display name,
creation time, last user modified time, last user access, and item size. You can use this information to make
decisions about deleting or retaining public folders.
NOTE
While you can view some of the quota and usage information in the Exchange admin center (EAC), this information is
incomplete, and we recommend that you use the Exchange Management Shell to view public folder statistics. To view quota
and usage information for public folders by navigating to Public Folders > Edit > Mailbox usage.
For additional management tasks related to managing public folders, see Public Folder Procedures.
For additional management tasks related to public folders, see Public Folder Procedures in Exchange Online.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
The value for the Identity parameter must include the path to the public folder. For example, if the public folder Marketing
existed under the parent folder Business, you would provide the following value: \Business\Marketing
Use the Exchange Management Shell to view statistics for public folder
items
You can view the following information about items within a public folder:
Type of item
Subject
Last user modification time
Last user access time
Creation time
Attachments
Message size
You can use this information to make decisions about what actions to take for your public folders, such as which
public folders to delete. For example, you may want to delete a public folder if the items haven't been accessed for
over two years, or you may want to convert a public folder that's being used as a document repository to another
client access application.
This example returns default statistics for all items in the public folder Pamphlets under the path \Marketing\2013.
Default information includes item identity, creation time, and subject.
This example returns additional information about the items within the public folder Pamphlets, such as subject,
last modification time, creation time, attachments, message size, and the type of item. It also includes a piped
command to format the list.
Use the Exchange Management Shell to export the output of the Get-
PublicFolderItemStatistics cmdlet to a .csv file
This example exports the output of the cmdlet to the PFItemStats.csv file that includes the following information
for all items within the public folder \Marketing\Reports:
Subject of the message ( Subject )
Date and time that the item was last modified ( LastModificationTime )
Whether the item has attachments ( HasAttachments )
Type of item ( ItemType)
Size of the item ( MessageSize )
A shared mailbox is a mailbox that multiple users can use to read and send email messages. Shared mailboxes can
also be used to provide a common calendar, allowing multiple users to schedule and view vacation time or work
shifts.
Why set up a shared mailbox?
Provides a generic email address (for example, info@contoso.com or sales@contoso.com), that customers
can use to inquire about your company.
Allows departments that provide centralized services to employees (for example, help desk, human
resources, or printing services), to respond to employee questions.
Allows multiple users to monitor and reply to email sent to an email address (for example, an address used
specifically by the help desk).
If your organization uses a hybrid Exchange environment, you should use the on-premises Exchange admin center
(EAC ) to create and manage shared mailboxes.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions
are required for successful shared mailbox operation.
4. Click Save to save your changes and create the shared mailbox.
Use the EAC to edit shared mailbox delegation
1. Go to Recipients > Shared > Edit .
2. Click Mailbox delegation
3. To grant or remove Full Access and Send As permissions, click Add or Remove and then select the
users you want to grant permissions to.
NOTE
The Full Access permission allows a user to open the mailbox as well as create and modify items in it. The Send As
permission allows anyone other than the mailbox owner to send email from this shared mailbox. Both permissions
are required for successful shared mailbox operation.
NOTE
This example assumes that you've already created the security group MarketingSG and that security group is mail-enabled.
See Manage mail-enabled security groups in Exchange Server.
New-Mailbox -Shared -Name "Sales Department" -DisplayName "Sales Department" -Alias Sales | Set-Mailbox -
GrantSendOnBehalfTo MarketingSG | Add-MailboxPermission -User MarketingSG -AccessRights FullAccess -
InheritanceType All
More information
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts
in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Email addresses and address books in Exchange
Server
8/23/2019 • 2 minutes to read • Edit Online
Exchange uses address books to organize and store email address information for recipients in the organization.
The topics that will help you learn about and configure email addresses and address books in Exchange Server are
described in the following table.
Address book policies The global address list (GAL) is the Address book policies in Exchange
master list of all recipients in your Server
Exchange organization. Address book
policies (ABPs) provide a simpler
mechanism for GAL segmentation in
organizations that require multiple
GALs. An ABP defines a GAL, an offline
address book (OAB), a room list, and
one or more address lists. You can then
assign the ABP to users.
Address lists An address list is a subset of a GAL. Address lists in Exchange Server
Each address list is a dynamic collection
of one or more types recipients. You
can use address lists to help users find
the recipients and resources that they
need.
Email address policies Email address policies are the rules that Email address policies in Exchange
create email addresses for Exchange Server
recipients.
Hierarchical address books The hierarchical address book (HAB) Hierarchical Address Books
presents recipients in the GAL by using
your organization's unique business
structure (for example, seniority or
management hierarchy), which provides
an efficient method for locating internal
recipients.
Offline address books An offline address book (OAB) is a Offline address books in Exchange
collection of address lists that can be Server
downloaded and used in Outlook by
users that are disconnected from the
Exchange organization.
Email address policies in Exchange Server
8/23/2019 • 7 minutes to read • Edit Online
Email address policies define the rules that create email addresses for recipients in your Exchange organization.
Email address policies in Exchange Server 2016 and Exchange Server 2019 are basically unchanged from
Exchange Server 2010.
The SMTP domains that are available to use in email address policies are defined by the accepted domains that
are configured in the Exchange organization (specifically, authoritative domains and internal relay domains). For
more information about accepted domains, see Accepted domains in Exchange Server.
The basic components of an email address policy are:
Email address templates: Define the email address format for the recipients (for example
<firstname>@contoso.com or <lastname>.<firstname>@contoso.com ).
Recipient filter: Specifies the recipients whose email addresses are configured by the policy.
Priority: Specifies the order to apply the email address policies (important if a recipient is identified by
more than one policy).
To configure email address policies, see Procedures for email address policies in Exchange Server.
In the EAC, only the Make this format the reply email address check box controls whether the email
address is the primary address or a proxy address. It doesn't matter whether you type SMTP or smtp in the
Enter a custom address type field. However, in the list of email address templates in the policy, the EAC
shows the value SMTP (bold and uppercase) for the primary address, and smtp (not bold and lowercase)
for proxy addresses.
The types of email addresses that you can configure in a email address policy are limited compared to
those you can configure on individual recipients.
All non-SMTP email addresses are considered custom address types. Exchange doesn't provide unique
dialog boxes or property pages for X.400, Novell GroupWise, or Lotus Notes email address types. Non-
SMTP email addresses require the appropriate .dll files.
Address formats
An SMTP email address uses the syntax chris@contoso.com , where the value chris is the local part of the email
address, and the value contoso.com is the SMTP domain (also known as the address space or name space). The
available SMTP domain values are determined by the accepted domains that are configured for your
organization.
You can use email address policies to assign multiple SMTP email addresses to recipients by using different
combinations of the local part and domain values. However, only one SMTP email address in a policy can be
configured as the primary address.
All SMTP email address formats in the Exchange Management Shell, or custom SMTP email address formats in
the EAC require you to use variables to define the local part of the email address. These variables are described in
the following table:
VARIABLE VALUE
%d Display name
%i Middle initial
%m Exchange alias
%ng The first n letters of the first name. For example, %2g uses
the first two letters of the first name.
%ns The first n letters of the last name. For example, %2s uses
the first two letters of the last name.
In addition to variables, you can also use US ASCII text characters that are allowed in Exchange email addresses
(for example, periods ( . ) or underscores ( _ ). Note that each period needs to be surrounded by other valid
characters (for example %g.%s ).
In the EAC, you can selected from a short list of precanned SMTP email address formats. These address formats
are described in the following table, where the example user is named Elizabeth Brunner, and the domain is
contoso.com:
EXAMPLE EXCHANGE MANAGEMENT SHELL EQUIVALENT
<alias>@contoso.com %m@contoso.com
elizabeth.brunner@contoso.com %g.%s@contoso.com
ebrunner@contoso.com %1g%s@contoso.com
elizabethb@contoso.com %g%1s@contoso.com
brunner.elizabeth@contoso.com %s.%g@contoso.com
belizabeth@contoso.com %1s%g@contoso.com
brunnere@contoso.com %s%1g@contoso.com
FILTERABLE RECIPIENT
RECIPIENT FILTERING METHOD USER INTERFACE PROPERTIES FILTER OPERATORS
Precanned recipient filters Exchange admin center Limited to: Property values require an
(EAC) and the Exchange • Recipient type (All recipient exact match. Wildcards and
Management Shell types or any combination of partial matches aren't
user mailboxes, resource supported. For example,
mailboxes, mail contacts, "Sales" doesn't match the
mail users, and groups) value "Sales and Marketing".
• Company Multiple values of the same
• Custom Attribute 1 to 15 property always use the or
• State or Province operator. For example,
• Department "Department equals Sales or
Department equals
Marketing".
Custom recipient filters Exchange Management Shell You can use virtually any You use OPATH filter syntax
only available recipient attributes. to specify any available
Windows PowerShell filter
operators. Wildcards and
partial matches are
supported.
Notes:
You can't used precanned filters and customized filters at the same time.
The recipient's location in Active Directory (the organizational unit or container) is available in both
precanned and custom recipient filters.
If you create an email address policy in the Exchange Management Shell that uses custom recipient filters,
you can't edit the recipient filters in the EAC.
You can prevent individual recipients from being affected by email address policies. For example:
In the EAC, in the properties of the recipient, on the Email address tab, clear the check box:
Automatically update email addresses based on the email address policy applied to this
recipient.
In the Exchange Management Shell, set the EmailAddressPolicyEnabled parameter to the value
$false on the recipient management cmdlet (for example, Set-Mailbox or Set-
DistributionGroup).
Email address policies assign email addresses to recipients in your Exchange organization. You use the Exchange
admin center (EAC ) or the Exchange Management Shell to configure email address policies in Exchange Server.
For more information about email address policies, see Email address policies in Exchange Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forum at: Exchange Server.
New-EmailAddressPolicy -Name "<Policy Name>" <Precanned recipient filter | Custom recipient filter> [-
RecipientContainer <OrganizationalUnit>] [-Priority <AllowedInteger>] -EnabledEmailAddressTemplates "SMTP:
<PrimaryEmailAddressFormat>","smtp:<ProxyEmailAddress1>","smtp:<ProxyEmailAddress2>"...
This example creates an email address policy with a precanned recipient filter:
Name: Southeast Offices
Precanned recipient filter: All users with mailboxes where the State or province value is GA, AL, or LA
(Georgia, Alabama, or Louisiana).
Primary SMTP email address: <last name>.<first two letters of the first name>@contoso.com
Additional proxy email addresses: <last name>.<first two letters of the first name>@contoso.net
Priority: n+1, where n is the number of manually created email address policies that already exist (we didn't
use the Priority parameter, and the default value is n+1). Remember, the first email address policy that
identifies a recipient configures the recipient's email addresses. All other policies are ignored, even if the first
policy is unapplied and can't configure the recipient's email addresses.
This example creates an email address policy with a custom recipient filter:
Name: Northwest Executives
Custom recipient filter: All users with mailboxes where the Title value contains Director or Manager, and
the State or province value is WA, OR, or ID (Washington, Oregon, or Idaho).
Primary SMTP email address: <first two letters of the first name><last name>@contoso.com
Notes:
Typically, you use the EnabledEmailAddressTemplates parameter to define the primary SMTP email address
and one or more proxy addresses (SMTP or otherwise). However, if you're only going to define the primary
SMTP email address and no additional proxy addresses, you can use the
EnabledPrimarySMTPAddressTemplate parameter instead. This parameter doesn't require the SMTP: prefix,
and you can't use this parameter with the EnabledEmailAddressTemplates parameter.
The EnabledEmailAddressTemplates parameter requires at least one template with the <Type> value SMTP
(to define the primary SMTP email address). After that, if you don't include a <Type> prefix for a template,
the value smtp (an SMTP proxy address) is assumed.
For detailed syntax and parameter information, see New -EmailAddressPolicy.
How do you know this worked?
To verify that you've successfully created an email address policy, use either of the following procedures:
In the EAC, go to Mail flow > Email address policies, verify that the policy is listed, and the details are
correct. Select the policy and click Edit ( ) to view details that aren't displayed in the list view.
In the Exchange Management Shell, run the following command to verify the property values:
Get-EmailAddressPolicy | Format-List
Name,Priority,Enabled*,RecipientFilterType,RecipientContainer,RecipientFilter,IncludedRecipients,Conditi
onal*
You can't use the EAC or the Exchange Management Shell to replace a custom recipient filter with a
precanned recipient filter or vice-versa in an existing email address policy.
Modify email address policies in the EAC
The same settings are available as when you created the policy, although the settings are now located on separate
tabs.
1. In the EAC, go to Mail flow > Email address policies, select the policy from the list, and then click Edit (
).
2. Configure the settings on the following tabs:
General
Policy name: A unique, descriptive name for the policy.
Run this policy in this sequence with other policies: Remember, the first email address policy
that identifies a recipient configures the recipient's email addresses. All other policies are ignored,
even if the first policy is unapplied and can't configure the recipient's email addresses.
Email address format: For details about the settings that are available when you click Add ( ) or
Edit ( ), see the Email address format window in the EAC section in this topic.
You can also click Remove ( ) to delete existing email address templates.
Notes:
The Type value SMTP (bold and uppercase) indicates the primary SMTP email address, and the
value smtp (not bold and lowercase) indicates a proxy address.
You can't delete the email address template that defines the primary SMTP email address in the
policy. Instead, you can add or modify another template, configure it to define the primary email
address, and then delete the original template.
Apply to: For details about the recipient filters that are available here, see the Recipient filters in the
EAC section in this topic.
Note: Even if you configured a custom recipient filter in the Exchange Management Shell, you can
still select Preview recipients the policy applies to here.
3. When you're finished, click Save. You'll receive a warning message that tells you to click Apply in the details
pane to apply the policy to recipients. For more information, see the Apply email address policies to
recipients section in this topic.
Modify email address policies in the Exchange Management Shell
The same basic settings are available as when you created the policy. For more information, see the Use the
Exchange Management Shell to create email address policies section in this topic.
To modify an existing email address template, use the following syntax:
When you modify the Conditional parameter values, you can use the following syntax to add or remove values
without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...} .
This example modifies the existing email address policy named Southeast Executives by adding the State or
province value TX (Texas) to the precanned recipient filter.
The DisabledEmailAddressTemplates parameter specifies inactive email address templates that are no longer used
in the policy, and uses the same syntax as the EnabledEmailAddressTemplates parameter (except that
DisabledEmailAddressTemplates can't contain a primary SMTP email address). Typically, this property is only
populated if you've migrated from a previous version of Exchange. However, if a domain is specified in this
property, you can't remove the corresponding accepted domain.
This example clears the disabled email address templates from the email address policy named Contoso
Executives.
Get-EmailAddressPolicy | Format-List
Name,Priority,*Template*,RecipientFilterType,RecipientContainer,RecipientFilter,IncludedRecipientsCondit
ional*
4. After you click Apply, a warning message that appears. Click Yes to apply the policy by using the EAC. A
progress bar allows you to monitor the recipient update process. When updates are complete, click Close.
Use the Exchange Management Shell to apply email address policies to recipients
To apply an email address policy to recipients, use the following syntax:
This example applies the email address policy named Northwest Executives.
This example removes the email address policy named Southeast Offices.
Get-EmailAddressPolicy
Reference
Email address format window in the EAC
As you create or modify an email address policy in the EAC, in the Email address format section, an Email
address format window appears when you click Add ( ) or Edit ( ). The following settings are available in this
window:
Precanned SMTP email addresses:
Select an accepted domain: Select an accepted domain (authoritative domain or internal relay
domain) from the drop down list. Note that if you've configured an accepted domain for a domain
and all subdomains (for example, *.contoso.com ), only the root domain ( contoso.com ) is available in
the drop down list.
Or
Specify a custom domain name for the email address: Select this option when you need to enter
a subdomain of a *.<domain> accepted domain. For example, if *.contoso.com is configured as an
authoritative domain, you can type eu.contoso.com in this field.
And then:
Email address format: Select one of the available email address templates from the list.
Custom SMTP or non-SMTP email addresses:
Click More options and then select Enter a custom address type.
Enter a custom address type: If this is the first email address template that you're configuring in the
policy, type SMTP, and then continue to the Email address parameters field to define the primary
SMTP email address format.
After you've configured a template in the policy to define the primary SMTP email address, you can
type SMTP or another address type value to configure email address templates for additional proxy
addresses. For more information about the type values that you can use, see Address types.
Email address parameters: For SMTP email addresses, this value contains:
Valid variables and ASCII text characters as described in Address formats.
A domain or subdomain that's configured as an accepted domain (authoritative or internal relay).
An example value is %3g.%s@contoso.com for <first three letters of the first name>.<last name>
@contoso.com.
Make this format the reply email address: The first email address template in a policy is automatically
configured as the primary (reply) email address (you can't uncheck the check box). When you add additional
templates to the policy, you can select this check box to define the primary email address.
Recipient filters in the EAC
When you create or modify email address policies in the EAC, the following recipient filter settings are available:
Specify the types of recipients this email address policy will apply to:
All recipient types
Or
Only the following recipient types: Select one or more of the following values:
Users with Exchange mailboxes
Mail users with external email addresses
Resource mailboxes
Mail contacts with external email addresses
Mail-enabled groups
Create rules to further define the recipients that this email address policy applies to:
1. Click Add rule and select one of the recipient properties from the drop down list:
Recipient container (container or organization unit)
State or province
Company
Department
Custom attribute 1 to 15
2. Enter a value for the property you selected:
If you selected Recipient container, a Select an organizational unit dialog box appears
that allows you to select the container or OU in Active Directory.
For other recipient properties, a Specify words or phrases dialog appears that allows you to
add, edit and remove text values.
Property values require an exact match. Wildcards and partial matches aren't supported. For
example, the value "Sales" doesn't match "Sales and Marketing".
Multiple values of the same property use the or operator. For example, "Department equals
Sales or Department equals Marketing"
3. After you've selected a property and value, click Add rule.
4. Repeat the previous steps to configure more filters. Note that multiple properties use the and
operator. For example, "Department equals Sales and Company equals Contoso".
Preview recipients the policy applies to: When you click this setting, a Preview dialog appears
that shows you the recipients that are identified by the filters you configured.
Notes:
You can't configure any recipient filter settings in the default email address policy (All recipient types is
selected).
If you configure too many recipient filter rules, you can restrict the policy to the point where it doesn't
contain any recipients.
Recipient filters in the Exchange Management Shell
In the Exchange Management Shell, you can specify precanned recipient filters, or custom recipient filters,
but not both at the same time.
Precanned recipient filters:
Uses the required IncludedRecipient parameter with the AllRecipients value or one or more of the
following values: MailboxUsers , MailContacts , MailGroups , MailUsers , or Resources . You can
specify multiple values separated by commas.
You can also use any of the optional Conditional filter parameters: ConditionalCompany,
ConditionalCustomAttribute[1to15 ], ConditionalDepartment, and ConditionalStateOrProvince.
You specify multiple values for a Conditional parameter by using the syntax
"<Value1>","<Value2>"... . Multiple values of the same property implies the or operator. For example,
"Department equals Sales or Marketing or Finance".
Custom recipient filters: Uses the required RecipientFilter parameter with an OPATH filter.
The basic OPATH filter syntax is
{<Property1> -<Operator> '<Value1>' <Property2> -<Operator> '<Value2>'...} .
Braces { } are required around the whole OPATH filter.
Hyphens ( - ) are required before all operators. Here are some of the most frequently used
operators:
and , or , and not .
eq and ne (equals and does not equal; not case-sensitive).
lt and gt (less than and greater than).
like and notlike (string contains and does not contain; requires at least one wildcard in the string.
For example, {Department -like 'Sales*'} .
Use parentheses to group <Property> -<Operator> '<Value>' statements together in complex filters.
For example, {(Department -like 'Sales*' -or Department -like 'Marketing*') -and (Company -eq
'Contoso' -or Company -eq 'Fabrikam')}. Exchange stores the filter in the RecipientFilter property
with each individual statement enclosed in parentheses, but you don't need to enter them that way.
After you use the New-EmailAddressPolicy cmdlet to create a policy that uses custom recipient
filters, you can't modify the recipient filters in the EAC. You need to use the Set-EmailAddressPolicy
cmdlet with the RecipientFilter parameter in the Exchange Management Shell.
Note: The RecipientContainer (organizational unit) recipient filter parameter is available to both precanned
recipient filters and custom recipient filters.
Offline address books in Exchange Server
8/23/2019 • 11 minutes to read • Edit Online
An offline address book (OAB ) is a local copy of an address list collection. OABs are used for address book queries
by Outlook clients that are configured in cached Exchange mode. OABs are the only option for Outlook clients that
are disconnected from the Exchange server, but they're also queried first by connected Outlook clients as a way to
help reduce the workload on Exchange servers. You can configure which address lists are included in an OAB,
access to specific OABs, how frequently the OABs are generated, and where the OABs are distributed from.
By default, a new installation of Exchange creates an OAB named Default Offline Address Book on the server. This
OAB is also the default OAB, which means it's the OAB that's used by mailboxes and mailbox databases that don't
have an OAB assigned to them.
OABs in Exchange 2013 and later are improved over OABs in Exchange 2010. These changes were introduced in
Exchange 2013:
Only web-based distribution is supported (public folder distribution is no longer available). Web-based
distribution allows:
Support for more concurrent downloads by client computers.
Reduced bandwidth usage.
More control over the OAB distribution points.
Only OAB version 4 is supported. This version of the OAB is Unicode, and allows clients to receive
differential updates, instead of always using full downloads. All versions of Outlook that are supported by
Exchange fully support OAB version 4.
A mailbox assistant (not the Microsoft Exchange System Attendant service) is the process that's responsible
for generating OABs. This allows OAB generation to run or pause based on the workload of the server
(workload management).
OAB generation occurs in a designated arbitration mailbox (not on a designated OAB generation server).
These mailboxes can use database availability groups (DAGs) to help prevent a single point of failure for
OAB generation and downloads.
For OAB procedures, see Procedures for offline address books in Exchange Server.
To learn more about address lists, see Address lists in Exchange Server.
OAB generation
OAB generation is controlled by the mailbox assistant named OABGeneratorAssistant that runs under the
Microsoft Exchange Mailbox Assistants service. OAB generation occurs in a designated arbitration mailbox that
has the OrganizationCapabilityOABGen value for the PersistedCapability property. An arbitration mailbox with
this capability is also known as an organization mailbox.
By default, OABs are generated every 8 hours. To change the OAB generation schedule, see Change the offline
address book generation schedule in Exchange Server. To manually update an OAB, see Use the Exchange
Management Shell to update offline address books.
The arbitration mailbox named SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} is the first organization
mailbox in your organization. By default, this organization mailbox is responsible for generating all OABs (the first
OAB named Default Offline Address Book, and any new OABs that you create).
You can create additional organization mailboxes to generate OABs. Exchange Server contains the improvements
to OAB generation that were introduced in Exchange 2013 Cumulative Update 7 (CU7):
You can configure multiple OABs to be generated by the same organization mailbox, but you can't
configure an OAB to be generated by more than one organization mailbox. If you configured an OAB with
multiple organization mailboxes, each copy of the OAB had a different unique identifier. So, a full OAB
download was required whenever a client was proxied to a different organization mailbox location.
You can configure an OAB to allow a read-only copy (also known as a shadow copy) to be distributed to all
organization mailboxes in the organization (also known as shadow distribution). All copies of the OAB have
the same unique identifier, so full a OAB download isn't required when a client is proxied to a different
organization mailbox location.
Typically, shadow copies are only required in multi-site Exchange organizations. You configure an
organization mailbox in each site, and you configure shadow distribution for an OAB to help prevent cross-
site OAB download requests by clients (likely over slow WAN links). To create additional organization
mailboxes, see Use the Exchange Management Shell to create organization mailboxes.
Shadow distribution is described in detail in the next section.
To find all organization mailboxes, and the organization mailbox that's defined for an OAB, see Use the Exchange
Management Shell to find organization mailboxes.
The OAB files are generated and stored in the designated organization mailbox, so the destination for OAB
download requests is the Mailbox server that holds the active copy of the organization mailbox. The OAB files are
copied from the organization mailbox to %ExchangeInstallPath%ClientAccess\OAB\<OAB GUID> for retrieval by clients.
Clients never connect directly to this backend location. Client requests for the OAB are proxied by the Client
Access (frontend) services on a Mailbox server to this backend location.
OAB distribution
By default, Outlook clients are configured to download the OAB every 24 hours, or users can initiate a manual
download from Outlook at any time.
OAB distribution to clients depends on Internet Information Services (IIS ) virtual directories and the Autodiscover
service. The IIS virtual directory that's used for client access to OABs is located in the default web site in the Client
Access (frontend) services on the Mailbox server, and is named OAB (Default Web Site). This virtual directory is
automatically created when you install Exchange, and is configured to service internal clients at the URL
https://<ServerName>/oab (for example, https://mailbox01.contoso.com/oab ). You'll need to manually configure the
external URL that's used to distribute OABs to external clients. For more information, see Step 4: Configure
external URLs in Configure mail flow and client access on Exchange servers.
In the properties of the OAB, you can configure the OAB virtual directories that are available to distribute the OAB
to clients. The default setting restricts OAB distribution to the OAB virtual directories on the server that holds the
OAB's organization mailbox. However, the Client Access services on any Mailbox server can proxy incoming OAB
download requests to the correct location. Therefore, we recommend that you configure all OAB virtual directories
to accept requests to download the OAB. For instructions, see Use the Exchange Management Shell to configure
any virtual directory in the organization to accept download requests for the OAB.
The Autodiscover service advertises the OAB URLs that you've configured. Autodiscover is supported by all
versions of Outlook and virtually all mobile devices that are currently by Exchange. Here's a summary of the OAB
distribution process:
1. Outlook receives the OAB URL from Autodiscover, and connects to the Client Access (frontend) services on
a Mailbox server.
2. The Client Access services on the Mailbox server that accepted the connection performs these steps:
a. Queries Active Directory to find the organization mailbox that's responsible for generating the user's
OAB (the default OAB, the OAB that's specified for the mailbox database, or the OAB that's specified
for the mailbox).
b. Queries Active Directory again to find the mailbox database that hosts the organization mailbox for
the OAB, and the Mailbox server that currently holds the active copy of the database.
c. Proxies the OAB download request to the identified Mailbox server.
d. Retrieves the OAB files from the backend location %ExchangeInstallPath%ClientAccess\OAB\<GUID>
and proxies them back to the client.
If a shadow copy of the OAB exists in an organization mailbox in the local Active Directory site (the site where the
user is connecting from), then a local Mailbox server is used to download the OAB. However, synchronization of
the shadow copy between organization mailboxes is performed on-demand. Here's how it works:
1. Let's say the organization mailbox doesn't have a suitable shadow copy of the OAB. This can be caused by
the following conditions:
A client has never requested a download of the shadow copy.
The shadow copy is out of date. Shadow copies are aware when an updated copy of the parent OAB
has been generated and published (manually, or by the default 8 hour OAB generation schedule).
The affected Mailbox servers will stop distributing the outdated shadow copy to clients.
2. The first client tries to download the shadow copy will receive error 0x80190194 (BG_E_HTTP_ERROR_404) in
Outlook. This will trigger a full copy of the OAB from the parent to the shadow copy. The following events
are reported:
Event ID: 102
Description: The OABRequestHandler has begun downloading the OAB <GUID> from the server <Server>.
3. The OABRequestHandler will make up to three immediate attempts to copy the OAB files from the Mailbox
server that holds the parent OAB generation mailbox. If all three attempts fail, the OABRequestHandler will
retry the copy after one hour. The following events are reported:
Event ID: 104
Description: Download of the OAB <GUID> failed. The job will be re-submitted. The error was:
BG_ERROR_CONTEXT=BE_ERROR_CONTEXT_REMOTE_FILE; error code=0x80190194
Description: Download of the OAB <GUID> has failed too many times. The job will not be
resubmitted for the next hour.
4. If the OAB is configured for shadow distribution, but there's no organization mailbox in the local Active
Directory site (the site where the user is connecting from), the Client Access services will proxy the OAB
download request back to the Mailbox server that holds the organization mailbox for the parent OAB.
Conditions that cause a full OAB download
The improvements to OABs typically require clients to download OAB updates, not the full and complete OAB.
However, full OAB downloads are sometimes required. For example:
The Changes.oab files are greater than or equal to half the size of the full OAB files. Outlook compares the
total size of the compressed Changes.oab files that are required to update the OAB to the total size of the
compressed full OAB files on the server.
There's no OAB on your computer (for example, during the initial setup of Outlook).
A differential file is missing on the server. Missing differential files can be caused by the following
conditions:
You haven't used Outlook to connect to your Exchange mailbox in more than 30 days (by default, the
differential files are stored on the server for 30 days).
The server couldn't generate the differential file for a day that's required to update your local copy of
the OAB.
A more recent version of the OAB is available on the server (for example, your mailbox was upgraded from
Exchange 2010, and your local copy of the OAB is version 3).
Applying changes to the OAB failed. For example, differential files are corrupted on the server (the server
crashed during differential file generation).
The OAB is not present on your computer (for example, you manually deleted one or more local OAB files).
A previous full download failed, so Outlook has to start over.
You initiated a manual download of the full OAB.
An offline address book (OAB ) in Exchange Server allows Outlook users in cached Exchange mode to access
address list and global address list information while they're disconnected from the server. For more information,
see Offline address books in Exchange Server.
Here's a list of OAB procedures that are covered in this topic:
Use the Exchange Management Shell to view offline address books
Use the Exchange Management Shell to create offline address books
Use the Exchange Management Shell to modify offline address books:
Use the Exchange Management Shell to configure the default offline address book
Use the Exchange Management Shell to add and remove address lists from offline address books
Use the Exchange Management Shell to change the organization mailbox that's responsible for
generating an offline address book
Use the Exchange Management Shell to configure any virtual directory in the organization to accept
download requests for the OAB
Use the Exchange Management Shell to enable shadow distribution for offline address books
Use the Exchange Management Shell to update offline address books
Use the Exchange Management Shell to remove offline address books
Use the Exchange Management Shell to find organization mailboxes
Use the Exchange Management Shell to create organization mailboxes
Assign offline address books to mailbox databases
Use the Exchange Management Shell to assign offline address books to mailboxes
To change the OAB generation schedule, see Change the offline address book generation schedule in Exchange
Server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Get-OfflineAddressBook
This example returns detailed information about the OAB named Default Offline Address Book.
This example returns values for the specified properties on all OABs in your organization.
Get-OfflineAddressBook | Format-List
Name,GUID,AddressLists,GeneratingMailbox,IsDefault,VirtualDirectories,GlobalWebDistributionEnabled,ShadowMailb
oxDistributionEnabled
This example creates a new OAB named Contoso Executives OAB with the following properties:
The Default Global Address List and Contoso Executives Address List are included in the OAB.
All OAB virtual directories in the organization can accept requests to download the OAB.
The organization mailbox that's responsible for generating the OAB is
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} (we didn't use the GeneratingMailbox parameter to
specify a different organization mailbox).
The OAB isn't used by mailboxes and mailbox databases that don't have an OAB specified (we didn't use
the IsDefault parameter with the value $true ).
Shadow distribution for the OAB is disabled (read-only copies of the OAB aren't copied to all other
organization mailboxes, because we didn't use the ShadowMailboxDistributionEnabled parameter with the
value $true ).
New-OfflineAddressBook -Name "Contoso Executives OAB" -AddressLists "Default Global Address List","Contoso
Executives Address List" -GlobalWebDistributionEnabled $true
Get-OfflineAddressBook | Format-List
Name,AddressLists,GeneratingMailbox,IsDefault,VirtualDirectories,GlobalWebDistributionEnabled
Use the Exchange Management Shell to add and remove address lists from offline address books
When you modify the address lists that are configured in an OAB, the values that you specify will replace any
address lists in the OAB. To add address lists to the OAB, specify the current address lists plus the ones you want
to add. To remove address lists from the OAB, specify the current address lists minus the ones you want to
remove.
In this example, the OAB named Marketing OAB is already configured with Address List 1 and Address List 2. To
keeps those address lists and add Address List 3, run the following command:
Set-OfflineAddressBook -Identity "Marketing OAB" -Address Lists "Address List1","Address List 2","Address List
3"
Similarly, to keep the OAB configured with Address List 1 and Address 2, but remove Address List 3, run the
following command:
Set-OfflineAddressBook -Identity "Marketing OAB" -AddressLists "Address List 1","Address List 2"
Use the Exchange Management Shell to change the organization mailbox that's responsible for generating an
offline address book
Typically, you only need to configure multiple organization mailboxes if you have Exchange servers in different
Active Directory sites. You can configure multiple OABs to use the same organization mailbox, but you can't
configure an OAB to use more than one organization mailbox. If you need multiple copies of the OAB in different
locations, enable shadow distribution for the OAB. For more information, see the Use the Exchange Management
Shell to enable shadow distribution for offline address books section in this topic.
This example changes the organization mailbox that's responsible for generating the OAB named Default Offline
Address Book.
Note: To configure an arbitration mailbox that you can use as an organization mailbox, see the Use the Exchange
Management Shell to create organization mailboxes section in this topic.
Use the Exchange Management Shell to configure any virtual directory in the organization to accept download
requests for the OAB
The Client Access (frontend) services on any Mailbox server can proxy the OAB download request to the correct
location. The OAB files are downloaded from the backend location
%ExchangeInstallPath%ClientAccess\OAB\<OAB GUID> on the Mailbox server that holds the active copy of the OAB's
designated organization mailbox (or from the server that holds a shadow copy of the OAB ).
This example modifies the OAB named Default Offline Address Book to allow any virtual directory in the
organization to accept requests to download the OAB.
1. Run the following command:
Use the Exchange Management Shell to enable shadow distribution for offline address books
Before you enable shadow distribution to distribute a read-only copy of the OAB to organization mailboxes in
different Active Directory sites, verify that an organization mailbox exists in each site. To create organization
mailboxes, see the Use the Exchange Management Shell to create organization mailboxes section in this topic.
This example enables shadow distribution for the OAB named Contoso Executives OAB.
This example updates the OAB named Default Offline Address Book.
Get-OfflineAddressBook | Update-OfflineAddressBook
Note: If the removed OAB is the default OAB, you need to create or configure another OAB as the default (the
IsDefault parameter value is $true ).
How do you know this worked?
To verify that you've successfully removed the OAB, run the following command to verify that the OAB is gone.
Get-OfflineAddressBook
To find the organization mailbox that's used to generate an OAB, run the following command:
This example creates a new arbitration mailbox named OAB Gen 2, with the UPN (account name)
oabgen2@contoso.com, in the default database.
2. Turn the arbitration mailbox into an organization mailbox by using the following syntax:
This example turns the OAB Gen 2 arbitration mailbox into an organization mailbox.
Set-Mailbox -Identity "OAB Gen 2" -Arbitration -OABGen $true -MaxSendSize 1GB
3. To activate the OAB generation capabilities of the new organization mailbox, run Update-
OfflineAddressBook for any OAB in the organization. For example:
2. The Mailbox Database window opens. Click the Client settings tab, and then click Browse next to
Offline address book.
3. In the Select Offline Address Book window that opens, select the OAB from the list, and click OK.
4. Back in the Mailbox Database window, click Save.
Use the Exchange Management Shell to assign an offline address book to a mailbox database
Use the following syntax:
This example assigns the OAB named Contoso Executives OAB to the mailbox database named MBX DB02.
Set-MailboxDatabase -Identity "MBX DB02" -OfflineAddressBook "Contoso Executives OAB"
This example assigns the OAB named Contoso Executives to the mailbox laura@contoso.com.
This example assigns the OAB named Contoso US to a filtered list of mailboxes.
$USContoso = Get-User -ResultSize Unlimited -Filter {RecipientType -eq "UserMailbox" -and Company -eq
"Contoso" -and CountryOrRegion -eq "US"}; $USContoso | foreach {Set-Mailbox $_.Identity -OfflineAddressBook
"Contoso United States"}
An address list is a collection of mail-enabled recipient objects from Active Directory. Address lists are based on
recipient filters, and are basically unchanged from Exchange 2010. You can filter by recipient type (for example,
mailboxes and mail contacts), recipient properties (for example, Company or State or Province), or both. Address
lists aren't static; they're updated dynamically. When you create or modify recipients in your organization, they're
automatically added to the appropriate address lists. These are the different types of address lists that are available:
Global address lists (GALs): The built-in GAL that's automatically created by Exchange includes every
mail-enabled object in the Active Directory forest. You can create additional GALs to separate users by
organization or location, but a user can only see and use one GAL.
Address lists: Address lists are subsets of recipients that are grouped together in one list, which makes
them easier to find by users. Exchange comes with several built-in address lists, and you can create more
based on you organization's needs.
Offline address books (OABs): OABs contain address lists and GALs. OABs are used by Outlook clients in
cached Exchange mode to provide local access to address lists and GALs for recipient look-ups. For more
information, see Offline address books in Exchange Server.
Users in your organization use address lists and the GAL to find recipients for email messages. Here's an example
of what address lists look like in Outlook 2016:
For procedures related to address lists, see Procedures for address lists in Exchange Server.
Precanned recipient filters Address lists: Exchange Limited to: Property values require an
admin center (EAC) and the • Recipient type (All recipient exact match. Wildcards and
Exchange Management Shell types or any combination of partial matches aren't
user mailboxes, resource supported. For example,
GALs: Exchange mailboxes, mail contacts, "Sales" doesn't match the
Management Shell only mail users, and groups) value "Sales and Marketing".
• Company
• Custom Attribute 1 to 15 Multiple values of the same
• Department property always use the or
• State or Province operator. For example,
"Department equals Sales or
Department equals
Marketing".
Custom recipient filters Exchange Management Shell You can use virtually any You use OPATH filter syntax
only available recipient attributes. to specify any available
For more information, see Windows PowerShell filter
Filterable Properties for the - operators. Wildcards and
RecipientFilter Parameter. partial matches are
supported.
Notes:
You can't used precanned filters and customized filters at the same time.
The recipient's location in Active Directory (the organizational unit or container) is available in both
precanned and custom recipient filters.
If an address list uses custom recipient filters instead of precanned filters, you can see the address list in the
EAC, but you can't modify or remove it by using the EAC.
You can hide recipients from all address lists and GALs. For more information, see Hide recipients from
address lists.
All Contacts Address list Includes all mail contacts in {Alias -ne $null -and
the organization. To learn (ObjectCategory -like
'person' -and
more about mail contacts, ObjectClass -eq
see Recipients. 'contact')}
All Distribution Lists Address list Includes all distribution {Alias -ne $null -and
groups, mail-enabled ObjectCategory -like
'group'}
security groups, and
dynamic distribution groups
in the organization. To learn
more about mail-enabled
groups, see Recipients.
All Rooms Address list Includes all room mailboxes. {Alias -ne $null -and
Equipment mailboxes aren't (RecipientDisplayType -eq
'ConferenceRoomMailbox' -or
included. To learn more RecipientDisplayType -eq
about room and equipment 'SyncedConferenceRoomMailbox')}
(resource) mailboxes, see
Recipients.
All Users Address list Includes all user mailboxes, {((Alias -ne $null) -and
linked mailboxes, remote (((((((ObjectCategory -like
'person') -and (ObjectClass -
mailboxes (Office 365 eq 'user') -and (-
mailboxes), shared not(Database -ne $null)) -and
mailboxes, room mailboxes, (-not(ServerLegacyDN -ne
$null)))) -or
equipment mailboxes, and (((ObjectCategory -like
mail users in the 'person') -and (ObjectClass -
organization. To learn more eq 'user') -and (((Database -
ne $null) -or (ServerLegacyDN
about these recipient types, -ne $null))))))) -and (-
see Recipients. not(RecipientTypeDetailsValue
-eq 'GroupMailbox')))))}
Default Global Address List GAL Includes all mail-enabled {((Alias -ne $null) -and
recipient objects in the (((ObjectClass -eq 'user') -or
(ObjectClass -eq 'contact') -or
organization (users, contacts, (ObjectClass -eq
groups, dynamic distribution 'msExchSystemMailbox') -or
groups, and public folders. (ObjectClass -eq
'msExchDynamicDistributionList')
-or (ObjectClass -eq 'group') -
or (ObjectClass -eq
'publicFolder'))))}
NAME TYPE DESCRIPTION RECIPIENT FILTER USED
Public Folders Address list Includes all mail-enabled {Alias -ne $null -and
public folders in your ObjectCategory -like
'publicFolder'}
organization. Access
permissions determine who
can view and use public
folders. For more
information about public
folders, see Public Folders.
Address lists and global address lists (GALs) are collections of mail-enabled recipient objects from Active
Directory. You can create or modify GALs, and update using the tools available in the Exchange admin center (EAC )
and the Exchange Management Shell. For more information, see Address lists in Exchange Server.
These are the address list and GAL procedures that you'll find in this topic:
Global address list procedures
Use the Exchange Management Shell to update global address lists
Use the Exchange Management Shell to view members of global address lists
Use the Exchange Management Shell to create global address lists
Use the Exchange Management Shell to modify global address lists
Use the Exchange Management Shell to remove global address lists
Address list procedures
Update address lists
View the members of address lists
Create address lists
Modify address lists
Use the Exchange Management Shell to move address lists
Remove address lists
Hide recipients from address lists
Recipient filters in the EAC
Recipient filters in the Exchange Management Shell
This example updates all GALs in the organization that require updates.
Use the Exchange Management Shell to view members of global address lists
Technically, this procedure returns all recipients (including hidden recipients) that match the recipient filters
for the GAL. The recipients that are actually visible in the GAL have the
HiddenFromAddressListsEnabled property value False .
If the GAL isn't up to date (the RecipientFilterApplied property has the value False ), you should update
the GAL before you view the members. For more information, see the previous section.
To view the members of a GAL, use the following syntax:
This example returns the members of the GAL named Humongous Insurance.
New-GlobalAddressList -Name "<GAL Name>" [<Precanned recipient filter | Custom recipient filter>]
Set-GlobalAddressList -Identity <GALIdentity>] [-Name <Name>] [<Precanned recipient filter | Custom recipient
filter>] [-RecipientContainer <OrganizationalUnit>]
When you modify the Conditional parameter values, you can use the following syntax to add or remove values
without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...} .
This example modifies the existing GAL named Contoso GAL by adding the Company value Fabrikam to the
precanned recipient filter.
This example updates the address list named Sales that's located under the address list named North America.
This example updates all address lists in the organization that require updates.
This example returns the members of the address list named Southeast Offices.
This example exports the results to the file C:\My Documents\Southeast Offices Export.csv.
Set-AddressList -Identity <AddressListIdentity> [-Name <Name>] [<Precanned recipient filter | Custom recipient
filter>] [-RecipientContainer <OrganizationalUnit>]
When you modify the Conditional parameter values, you can use the following syntax to add or remove values
without affecting other existing values: @{Add="<Value1>","<Value2>"...; Remove="<Value1>","<Value2>"...} .
This example modifies the existing address list named Southeast Offices by adding the State or province value
TX (Texas) to the precanned recipient filter.
This example moves the address list named Southeast Offices from the root (" \ ", also known as All Address
Lists) to the address list named North America.
This example removes the address list named Southeast Offices and all its children from under the North America
address list.
Get-AddressList
DynamicDistributionGroup
Mailbox
MailContact
MailPublicFolder
MailUser
RemoteMailbox
This example hides the distribution group named Internal Affairs from address lists.
Notes:
To make the recipient visible in address lists again, use the value $false for the
HiddenFromAddressListsEnabled parameter.
By default, arbitration mailboxes and public folder mailboxes are hidden from address lists. If you use the
Set-Mailbox cmdlet to change this or any other setting for arbitration or public folder mailboxes, you need
to include the Arbitration or PublicFolder switches.
How do you know this worked?
You can verify that you've successfully hidden a recipient from address lists by using any of the following
procedures:
In the EAC, select the recipient, click Edit ( ) and verify the hide from address lists setting is selected.
In the Exchange Management Shell, run the following command and verify the recipient is listed:
Open the GAL in Outlook or Outlook on the web (formerly known as Outlook Web App), and verify the
recipient isn't visible.
Address book policies (ABPs) lets administrators segment users into specific groups to provide customized
views of the organization's global address list (GAL ). The goal of an ABP is to provide a simpler mechanism for
GAL segmentation (also known as GAL segregation) in on-premises organizations that require multiple GALs.
An ABP contains these elements:
One GAL. For more information about GALs, see Global address lists.
One offline address book (OAB ). For more information about OABs, see Offline address books in
Exchange Server.
One room list. Note that this room list is a custom address list that specifies rooms (contains the filter
RecipientDisplayType -eq 'ConferenceRoomMailbox' ). It's not a room finder that you create with the
RoomList switch on the New-DistributionGroup or Set-DistributionGroup cmdlet. For more
information, see Create and manage room mailboxes.
One or more address lists. For more information about address lists, see Custom address lists.
For procedures involving ABPs, see Procedures for address book policies in Exchange Server.
Notes:
ABPs create only a virtual separation of users from a directory perspective, not a legal separation.
Implementing an ABP is a multi-step process that requires planning. For more information, see Scenario:
Deploying address book policies in Exchange Server.
ABP example
In the following diagram, Fabrikam and Tailspin Toys share the same Exchange organization and the same CEO.
The CEO is the only employee common to both companies.
The scenarios in this topic describe the deployment solutions for address book policies (ABPs) in three of the most
common organization types where multiple entities (companies, government agencies, school classrooms, etc.)
share a common Exchange environment. In all scenarios, a recipient filter divides recipients into separate virtual
organizations, which then defines the ABPs that are applied to users in those virtual organizations. For more
information recipient filters and virtual organizations, see the Considerations and best practices for address book
policies section later in this topic.
For more information about ABPs, see Address book policies in Exchange Server. For ABP procedures, see
Procedures for address book policies in Exchange Server.
The GAL, offline address book (OAB ), room list, and address lists that are required inn the ABPs for this scenario
are described in the this table:
The GAL, OAB, room list, and address lists that are required in the ABPs for this scenario are described in the this
table:
For a complete walkthrough of creating the required elements for this scenario, see the Detailed deployment steps
for Scenario 2: Two companies sharing a CEO in one Exchange organization section at the end of this topic.
Scenario 3: Education
This scenario is applicable to schools or universities where a division of class rooms is necessary to ensure the
privacy of the students, and has the following requirements:
Students in each class can only see other students in their class, their teacher, and the principal.
Teachers can only see students in their own classes.
Teachers can see the principal and all other teachers.
Distribution groups are created for the parents and faculty that are associated with each class.
The GAL, OAB, room list, and address lists that are required in the ABPs for this scenario are described in the this
table:
For more information about mail flow rules, see Mail flow rules in Exchange Server.
To configure a feature that's similar to address book policies in the Skype for Business or Lync client, you
can set the msRTCSIP -GroupingID attribute for specific users. For details, see PartitionByOU Replaced
with msRTCSIP -GroupingID.
Notes:
Using the recipient's GUID value for the Identity parameter can help avoid collisions if there are similar
usernames in both organizations (for example, julia@fabrikam.com and julia@contoso.com).
The valid <RecipientType> values for the cmdlet names are Mailbox, DistributionGroup,
DynamicDistributionGroup, MailContact, and MailUser. You need to configure the CustomAttribute15
attribute value for each recipient type separately.
This example sets the value FAB for the CustomAttribute15 attribute on all Fabrikam mailboxes.
Step 3: Create the required elements for the address book policies
Create address lists
This organization requires four custom address lists:
AL_FAB_Users_DGs
AL_FAB_Contacts
AL_TAIL_Users_DGs
AL_TAIL_Contacts
This example creates the address list named AL_FAB_Users_DGs that contains all Fabrikam users, distribution
groups, and dynamic distribution groups and the CEO.
This example creates the address list named AL_FAB_Contacts that contains all Fabrikam mail contacts.
This example creates the address list named AL_TAIL_Users_DGs that contains all Tailspin Toys users, distribution
groups, and dynamic distribution groups and the CEO.
New-AddressList -Name "AL_TAIL_Users_DGs" -RecipientFilter {((RecipientType -eq 'UserMailbox') -or
(RecipientType -eq 'MailUniversalDistributionGroup') -or (RecipientType -eq 'DynamicDistributionGroup')) -and
(CustomAttribute15 -eq 'TAIL') -or (CustomAttribute15 -eq 'CEO')}
This example creates the address list named AL_TAIL_Contacts that contains all Tailspin Toys mail contacts.
New-AddressList -Name AL_FAB_Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute15 -eq 'FAB') -and
(RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq
'SyncedConferenceRoomMailbox')}
This example creates a room list named AL_TAIL_Rooms for Tailspin Toys room mailboxes.
New-AddressList -Name AL_TAIL_Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute15 -eq 'TAIL') -
and (RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq
'SyncedConferenceRoomMailbox')}
Note: This example creates a blank room list named AL_BlankRoom if the organization doesn't have any room
mailboxes (an ABP requires a room list, even if it's empty):
New-AddressList -Name AL_BlankRoom -RecipientFilter {(Alias -ne $null) -and ((RecipientDisplayType -eq
'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox'))}
For more information about creating address lists, see Create address lists.
Create GALs
This organization requires two custom GALs:
GAL_FAB
GAL_TAIL
This example creates the GAL named GAL_FAB for Fabrikam that includes all Fabrikam recipients and allows the
Fabrikam users to see the CEO.
This example creates the GAL named GAL_TAIL for Tailspin Toys that includes all Tailspin Toys recipients and
allows the Tailspin Toys users to see the CEO.
This example creates the OAB named OAB_TAIL for Tailspin Toys that includes the Tailspin Toys GAL.
Note: If you want users to see all recipients in the virtual organization, make sure that you include the GAL in
OAB. Otherwise, you can reduce the download size of the OAB by specifying a reduced list of address lists that are
included in the OAB.
For more information, see Use the Exchange Management Shell to create offline address books.
Step 4: Create the address book policies
This organization requires three ABPs:
This example creates the ABP named ABP_FAB that contains the GAL, OAB, room list and address lists for
Fabrikam.
This example creates the ABP named ABP_TAIL that contains the GAL, OAB, room list and address lists for
Tailspin Toys.
New-AddressBookPolicy -Name "ABP_TAIL" -AddressLists "AL_TAIL_Users_DGs","AL_TAIL_Contacts" -
OfflineAddressBook "\OAB_TAIL" -GlobalAddressList "\GAL_TAIL" -RoomList "\AL_TAIL_Rooms"
This example creates the ABP named ABP_CEO that contains the GAL, OAB, room list and address lists for the
CEO.
For more information, see Procedures for address book policies in Exchange Server.
Step 5: Assign the address book policies to mailboxes
This example assigns the ABP named ABP_FAB to all Fabrikam mailboxes.
$Fab = Get-Mailbox -ResultSize unlimited -Filter {CustomAttribute15 -eq 'FAB'}; $Fab | foreach {Set-Mailbox -
Identity $_.Identity -AddressBookPolicy 'ABP_FAB'}
This example assigns the ABP named ABP_TAIL to all Tailspin Toys mailboxes.
$Tail = Get-Mailbox -ResultSize unlimited -Filter {CustomAttribute15 -eq 'TAIL'}; $Tail | foreach {Set-Mailbox
-Identity $_.Identity -AddressBookPolicy 'ABP_TAIL'}
This example assigns the ABP named ABP_CEO to the CEO named Gabriela Laureano.
Note: If the user is already connected to Outlook or Outlook on the web when the ABP is applied to their mailbox,
they'll need to close and restart their client application before they can see the new address lists and GAL.
For more information, see Assign address book policies to mailboxes.
Other considerations
After you create or modify an address list or GAL, you need to update the membership.
If the address list contains a large number of recipients (our recommendation is more than 3000), you should use
the Exchange Management Shell to update the address list (not the Exchange admin center). For more
information, see Update address lists.
To update a GAL, you always need to use the Exchange Management Shell. For more information, see Use the
Exchange Management Shell to update global address lists.
Procedures for address book policies in Exchange
Server
8/23/2019 • 12 minutes to read • Edit Online
Address book policies (ABPs) allow you to segment users into specific groups to give them customized global
address lists (GALs) in Outlook and Outlook on the web (formerly known as Outlook Web App). For more
information about ABPs, see Address book policies in Exchange Server.
Note: Implementing an ABP is a multi-step process that requires planning. For more information, see Scenario:
Deploying address book policies in Exchange Server.
Get-AddressBookPolicy
This example returns detailed information for the ABP named All Fabrikam ABP.
New-AddressBookPolicy -Name "<Unique Name>" -GlobalAddressList "<GAL>" -OfflineAddressBook "<OAB>" -RoomList "
<RoomList>" -AddressLists "<AddressList1>","<AddressList2>"...
This example creates an ABP named All Fabrikam ABP with the these settings:
GAL: All Fabrikam
OAB: Fabrikam-All-OAB
Room list: All Fabrikam Rooms
Address lists: All Fabrikam Mailboxes, All Fabrikam DLs, and All Fabrikam Contacts
Get-AddressBookPolicy
Replace <ABPIdentity> with the name of the ABP, and run this command in the Exchange Management
Shell to verify the property values:
The AddressLists parameter takes multiple values, so you need to decide whether you want to replace the
existing address lists in the ABP, or add and remove address lists without affecting the other address lists in
the ABP.
This example replaces the existing address lists in the ABP named Government Agency A with the specified
address lists.
To add address lists to an ABP, you need to specify the new address lists and any existing address lists that
you want to keep.
This example adds the address list named Contoso-Chicago to the ABP named ABP Contoso, which is
already configured to use the address list named Contoso-Seattle.
To remove address lists from an ABP, you need to specify the existing address lists that you want to keep,
and omit the address lists that you want to remove.
For example, the ABP named ABP Fabrikam uses the address lists named Fabrikam-HR and Fabrikam-
Finance. To remove the Fabrikam-HR address list, specify only the Fabrikam-Finance address list.
Then, use the DistinguishedName value of the ABP in this command to show all mailboxes where the
ABP is assigned:
Get-Mailbox -ResultSize unlimited -Filter {AddressBookPolicy -eq '<DistinguishedName>'}
To remove ABP assignments from mailboxes, see the Assign address book policies to mailboxes section in
this topic.
To remove an ABP, use this syntax:
Get-AddressBookPolicy
Replace <ABPIdentity> with the name of the ABP, and run this command to confirm that an error is
returned:
This example assigns the ABP named All Fabrikam to mailbox joe@fabrikam.com.
Note: You can also assign an ABP when you create a user mailbox with the New-Mailbox cmdlet by using the
AddressBookPolicy parameter. If you don't specify an ABP when you create the mailbox, no ABP is assigned (the
default value is blank or $null ).
For detailed syntax and parameter information, see Set-Mailbox.
Use the EAC to assign an address book policy to multiple mailboxes
1. In the EAC, go to Recipients > Mailboxes.
2. In the list of mailboxes, find the mailboxes that you want to modify. For example:
a. Click More options > Advanced search.
b. In the Advanced search window that opens, select Recipient types and verify the default value
User mailbox.
c. Click More options, and then click Add a condition.
d. In the Select one drop-down box that appears, select the appropriate Custom attribute 1 to
Custom attribute 15 values that defines your virtual organizations.
e. In the Specify words or phrases dialog that appears, enter the value that you want to search for,
and then click OK.
f. Back on the Advanced search window, click OK. In the EAC at Recipients > Mailboxes, click
More options > Advanced search to find user mailboxes.
3. In the list of mailboxes, select multiple mailboxes of the same type (for example, User) from the list. For
example:
Select a mailbox, hold down the Shift key, and select another mailbox that's farther down in the list.
Hold down the CTRL key as you select each mailbox.
After you select multiple mailboxes of the same type, the title of the details pane changes to Bulk Edit.
4. In the details pane, scroll down and click More options, scroll down to Address Book Policy, and then
click Update.
5. In the Bulk assign address book policy window that opens, select the ABP by clicking the drop-down
arrow in Select Address Book Policy, and then click Save.
Use the Exchange Management Shell to assign an address book policy to multiple mailboxes
You can use the Get-Mailbox or Get-Content cmdlets to identify the user mailboxes that you want to assign the
ABP to. For example:
Use the Filter parameter to create OPATH filters that identify the mailboxes. For more information, see
Filterable Properties for the -Filter Parameter.
Use a text file to specify the mailboxes. The text file contains one mailbox (email address, name, or other
unique identifier) on each line like this:
ebrunner@tailspintoys.com
fapodaca@tailspintoys.com
glaureano@tailspintoys.com
hrim@tailspintoys.com
This example assigns the ABP named ABP_EngineeringDepartment to all user mailboxes where the
CustomAttribute11 attribute contains the value Engineering Department.
Get-Mailbox -Filter {RecipientType -eq 'UserMailbox' -and CustomAttribute11 -like '*Engineering Department'} |
Set-Mailbox -AddressBookPolicy "ABP_EngineeringDepartment"
This example uses the text file C:\My Documents\Accounts.txt to assign the same ABP to the specified user
mailboxes.
In the Exchange Management Shell, replace <MailboxIdentity> with the identity of the mailbox (for
example, name, alias, or email address), and run this command:
In the Exchange Management Shell, use the same filter that you used to identify the mailboxes. For
example:
In the Exchange Management Shell, replace <ABPIdentity> with the name of the ABP, and run this
command to get the DistinguishedName value:
Then, use the DistinguishedName value of the ABP in this command to show all mailboxes where the
ABP is assigned:
Note: You'll get a warning that the Transport service needs to be restarted for the changes to take effect. But, don't
restart the Transport service until you finish Step 2 (so you only have to restart the Transport service once).
For detailed syntax and parameter information, see Install-TransportAgent.
Step 2: Enable the ABP Routing agent
To enable the ABP Routing Agent on the local Mailbox server, run this command on every Mailbox server in the
organization.
Restart-Service MSExchangeTransport
2. Disable the ABP Routing Agent by running this command on every Mailbox server where the agent is
installed:
3. Run this command on every Mailbox server where the agent is installed:
Restart-Service MSExchangeTransport
Run this command on every Mailbox server to verify that the ABP Routing Agent is enabled:
Have a user that's assigned an ABP send an email message to an user that's assigned a different ABP, and
verify that the sender's email address doesn't resolve to their display name.
Messaging policy and compliance in Exchange
Server
8/23/2019 • 2 minutes to read • Edit Online
Email has become a reliable and ubiquitous communication medium for information workers in organizations of
all sizes. Messaging stores and mailboxes have become repositories of valuable data. It's important for
organizations to formulate messaging policies that dictate the fair use of their messaging systems, provide user
guidelines for how to act on the policies, and where required, provide details about the types of communication
that may not be allowed.
Organizations must also create policies to manage email lifecycle, retain messages for the length of time based
on business, legal, and regulatory requirements, preserve email records for litigation and investigation purposes,
and be prepared to search and provide the required email records to fulfill eDiscovery requests.
In-Place Archiving In-Place Archiving helps you regain In-Place Archiving in Exchange Server
control of your organization's
messaging data by eliminating the
need for personal store (.pst) files and
allowing users to store messages in an
archive mailbox accessible in Outlook
2010 and later and Outlook on the
web.
In-Place Hold and Litigation Hold When a reasonable expectation of In-Place Hold and Litigation Hold in
litigation exists, organizations are Exchange Server
required to preserve electronically
stored information, including email
that's relevant to the case. In-Place
Hold allows you to search and preserve
messages matching query parameters.
Litigation Hold only allows you to place
all items in a mailbox on hold. For both
types of holds, messages are protected
from permanent deletion, modification,
and tampering and can be preserved
indefinitely or for a specified period.
In-Place eDiscovery In-Place eDiscovery allows you to In-Place eDiscovery in Exchange Server
search mailbox data across your
Exchange organization, preview search
results, copy search results to a
Discovery mailbox, or export the results
to a PST file
FEATURE DESCRIPTION RESOURCES
Administrator audit logging Administrator audit logs enable you to Administrator audit logging in
keep a log of changes made by Exchange Server
administrators to Exchange server and
organization configuration and to
Exchange recipients. You might use
administrator audit logging as part of
your change control process or to track
changes and access to configuration
and recipients for compliance purposes.
Mailbox audit logging Because mailboxes can potentially Mailbox audit logging in Exchange
contain sensitive, high business impact Server
information and personally identifiable
information, it's important that you
track who logs on to the mailboxes in
your organization and what actions are
taken. It's especially important to track
access to mailboxes by users other
than the mailbox owner (known as
delegate users). Using mailbox audit
logging, you can log mailbox access by
administrators, delegates (including
administrators with full access
permissions), and mailbox owners.
Data loss prevention Data loss prevention (DLP) in Exchange Sensitive information types in Exchange
Server includes 80 sensitive information Server
types that are ready for you to use in
your DLP policies.
Mail flow rules (also known as Use mail flow rules to look for specific Mail flow rule conditions and
transport rules) conditions in messages that pass exceptions (predicates) in Exchange
through your organization and take Server
action on them. You can use conditions Mail flow rule actions in Exchange
and exceptions to define when a mail Server
flow rule is applied, and then apply an
action on messages when the
conditions are met.
In-Place Archiving in Exchange Server
8/23/2019 • 9 minutes to read • Edit Online
In-Place Archiving in Exchange Server helps you regain control of your organization's messaging data by
eliminating the need for personal store (.pst) files and allowing users to store messages in an archive mailbox.
The archive mailbox is an additional mailbox that's enabled for a user's primary mailbox. The archive mailbox is
accessible in Outlook and Outlook on the web (formerly known as Outlook Web App). Users can view an archive
mailbox and move or copy messages between their primary mailbox and their archive mailbox.
You can provision a user's archive mailbox on the same mailbox database as the user's primary mailbox, a
different mailbox database on the same Mailbox server, or on a mailbox database on a different Mailbox server in
the same Active Directory site. In Exchange hybrid deployments, you can also provision a cloud-based archive
mailbox for primary mailboxes located in your on-premises organization.
Outlook for Mac for Office 365 Yes. Users can copy or move items from their primary
mailbox to their archive mailbox, and can also use retention
Outlook 2016 for Mac or later policies to move items to the archive.
Office 365 ProPlus Outlook doesn't create a local copy of the archive mailbox on
a user's computer, even if it's configured to use Cached
Outlook 2013 or later Exchange Mode. Users can access an archive mailbox in online
mode only.
Outlook on the web
Exchange ActiveSync No
NOTE
• In-Place Archiving is a premium feature and requires an Exchange Enterprise client access license (CAL). For details about
how to license Exchange, see Exchange Server Licensing.
• For details about the versions of Outlook that are required to access an archive mailbox, see Outlook license requirements
for Exchange features.
Default 2 year move to archive Default (DPT) Messages are automatically moved to
the archive mailbox after two years.
Applies to items in the entire mailbox
that don't have a retention tag applied
explicitly or inherited from the folder.
Personal never move to archive Personal Messages are never moved to the
archive mailbox.
Recoverable Items 14 days move to Recoverable Items Folder Messages are moved from the
archive Recoverable Items folder in the user's
primary mailbox to the Recoverable
Items folder in the archive mailbox.
Users attempting to recover deleted
items in their archive mailbox must use
the Recover Deleted Items tool in the
archive mailbox.
If you enable an In-Place Archive for a mailbox user and the mailbox doesn't already have a retention policy
assigned, the default archive and retention policy is automatically assigned. After the Managed Folder Assistant
processes the mailbox, these tags become available to the user, who can then tag folders or messages to be
moved to the archive mailbox. By default, email messages from the entire mailbox are moved to the archive after
two years.
Before provisioning archive mailboxes for your users, we recommend that you inform them about the archive
policies that will be applied to their mailbox and provide subsequent training or documentation to meet their
needs. This should include details about the following:
Functionality available within the archive, and the default archive retention policies.
Information about when messages are automatically moved to the archive.
Information about the folder hierarchy created in the archive mailbox.
How to apply personal tags (displayed in the Archive policy menu in Outlook and Outlook on the web).
NOTE
If you apply a retention policy to users who have an archive mailbox, the retention policy replaces the default MRM policy.
You can create one or more retention tags with the Move to Archive action, and then link the tags to the retention policy.
You can also add the default Move to Archive tags (which are created by Setup and linked to the Default MRM Policy) to
any retention policies you create.
Archive quotas
Archive mailboxes are designed so that users can store historical messaging data outside their primary mailbox.
Often, users use .pst files due to low mailbox storage quotas and the restrictions imposed when these quotas are
exceeded. For example, users can be prevented from sending messages when their mailbox size exceeds the
Prohibit send quota. Similarly, users can be prevented from sending and receiving messages when their mailbox
size exceeds the Prohibit send and receive quota.
To eliminate the need for .pst files, you can provide an archive mailbox with storage limits that meet the user's
requirements. However, you may still want to retain some control of the storage quotas and growth of archive
mailboxes to help monitor costs and expansion.
To help with this control, you can configure archive mailboxes with an archive warning quota and an archive
quota. When an archive mailbox exceeds the specified archive warning quota, a warning event is logged in the
Application event log. When an archive mailbox exceeds the specified archive quota, messages are no longer
moved to the archive, a warning event is logged in the Application event log, and a quota message is sent to the
mailbox user. By default, in Exchange Server, the archive warning quota is set to 90 GB and the archive quota is
set to 100 GB.
The following table lists the events logged and warning messages sent when the archive warning quota and
archive quota are met.
In-Place Archiving helps you regain control of your organization's messaging data by eliminating the need for
personal store (.pst) files and allowing you to meet your organization's message retention and eDiscovery
requirements. With archiving enabled, users can store messages in an archive mailbox, which is accessible by
using Microsoft Outlook and Outlook on the web.
This example retrieves mailboxes in database DB01 that don't have an on-premises or cloud-based archive
enabled and don't have a name starting with DiscoverySearchMailbox. It pipes the results to the Enable-Mailbox
cmdlet to enable the archive for all mailboxes on mailbox database DB01.
Get-Mailbox -Database DB01 -Filter {ArchiveGuid -Eq $null -AND ArchiveDomain -eq $null -AND Name -NotLike
"DiscoverySearchMailbox*"} | Enable-Mailbox -Archive
In the Exchange Management Shell, use the Test-ArchiveConnectivity cmdlet to test connectivity to the
archive. For an example of how to test archive connectivity, see the Examples section in the topic, Test-
ArchiveConnectivity.
New-Mailbox -UserPrincipalName cashton@contoso.com -Alias cashton -Database "DB01" -Archive -Name "Chris
Ashton" -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton
In the Exchange Management Shell, use the Test-ArchiveConnectivity cmdlet to test connectivity to the
archive. For an example of how to test archive connectivity, see the Examples section in Test-
ArchiveConnectivity.
If the archive is disabled, the following values are returned for archive-related properties.
PROPERTY VALUE
ArchiveState None
As previously stated, if you re-enable an archive mailbox within 30 days of disabling it, the user will be able to
access the original contents of their archive mailbox. If you re-enable the archive more than 30 days after disabling
it, the new archive mailbox will be empty the first time the user accesses it.
In-Place Hold and Litigation Hold in Exchange
Server
8/23/2019 • 14 minutes to read • Edit Online
When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored
information (ESI), including email that's relevant to the case. This expectation often exists before the specifics of
the case are known, and preservation is often broad. Organizations may need to preserve all email related to a
specific topic or all email for certain individuals. Depending on the organization's electronic discovery
(eDiscovery) practices, the following measures can be adopted to preserve email:
End users may be asked to preserve email by not deleting any messages. However, users can still delete
email knowingly or inadvertently.
Automated deletion mechanisms such as messaging records management (MRM ) may be suspended.
This could result in large volumes of email cluttering the user mailbox, and thus impacting user
productivity. Suspending automated deletion also doesn't prevent users from manually deleting email.
Some organizations copy or move email to an archive to make sure it isn't deleted, altered, or tampered
with. This increases costs due to the manual efforts required to copy or move messages to an archive, or
third-party products used to collect and store email outside Exchange.
Failure to preserve email can expose an organization to legal and financial risks such as scrutiny of the
organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.
IMPORTANT
When you put a mailbox on Litigation Hold or In-Place Hold, the hold is placed on both the primary and the archive
mailbox.
For more information when to use each type of hold, see Place all mailboxes on hold.
TIP
You can use a time-based hold together with a retention policy to make sure items are preserved for a specified
duration and then permanently removed from Exchange after the retention age and the hold duration expire.
NOTE
If you use Exchange Online Archiving to provision a cloud-based archive for your on-premises mailboxes, you must
manage In-Place Holds from your on-premises Exchange Server organization. Hold settings are automatically propagated
to the cloud-based archive using DirSync.
Many organizations require that users be informed when they're placed on hold. Additionally, when a mailbox is
on hold, any retention policies applicable to the mailbox user don't need to be suspended. Because messages
continue to be deleted as expected, users may not notice they're on hold. If your organization requires that users
on hold be informed, you can add a notification message to the mailbox user's by populating the Retention
Comment property and using the RetentionUrl property to link to a web page for more information. Outlook
2010 and later versions display the retention comment and URL in the backstage area, which is located on the
Files ribbon. You can use the Set-Mailbox cmdlet to add these properties.
Items other than messages and posts Any change to a visible property, except the following:
• Item location (when an item is moved between folders)
• Item status change (read or unread)
• Changes to retention tag applied to an item
Items in the default folder Drafts None (items in the Drafts folder are exempt from copy on
write)
IMPORTANT
Copy-on-write is disabled for calendar items in the organizer's mailbox when meeting responses are received from
attendees and the tracking information for the meeting is updated. For calendar items and items that have a reminder set,
copy-on-write is disabled for the ReminderTime and ReminderSignalTime properties. Changes to these properties are not
captured by copy-on-write. Changes to RSS feeds aren't captured by copy-on-write.
Although the DiscoveryHolds, Purges, and Versions folders aren't visible to the user, all items in the Recoverable
Items folder are discoverable by using In-Place eDiscovery. After a mailbox user is removed from In-Place Hold
or Litigation Hold, items in the DiscoveryHolds, Purges, and Versions folders are purged by the Managed Folder
Assistant.
If a mailbox isn't placed on Litigation Hold or In-Place Hold, items in the Purges folder are permanently deleted
from the Recoverable Items folder on a first in, first out basis when the item has resided in the folder for longer
than the deleted item retention period.
TIP
For Exchange Server, an Exchange hybrid deployment is the recommended way to migrate on-premises mailboxes to
Office 365.
Create or remove an In-Place Hold
8/23/2019 • 7 minutes to read • Edit Online
An In-Place Hold preserves all mailbox and public folder content, including deleted items and original versions of
modified items. All such items can be returned in an In-Place eDiscovery search. When you place an In-Place Hold
on a user's mailbox, the contents in the corresponding archive mailbox (if it's enabled) are also placed on hold and
returned in a eDiscovery search.
When you create an In-Place Hold, you can place all items in the source mailbox or public folder on hold or you
can hold only the items that meet the search criteria specified for the hold. Similarly, you can hold items
indefinitely or for a specific amount of time. For more information about In-Place Holds, see In-Place Hold and
Litigation Hold in Exchange Server.
You can create In-Place holds in the Exchange admin center (EAC ) or in the Exchange Management Shell.
4. On the Search query page, complete the following fields, and then click Next.
Include all content: Select this option to place all content in selected sources on hold.
Filter based on criteria: Select this option to specify search criteria, including keywords, start and
end dates, sender and recipient addresses, and message types.
IMPORTANT
If a user is placed on multiple In-Place Holds, the search queries from any query-based hold are combined (with OR
operators). In this case, the maximum number of keywords in all query-based holds placed on a mailbox is 500. If
there are more than 500 keywords, then all content in the mailbox is placed on hold (not just that content that
matches the search criteria). All content is held until the total number of keywords is reduced to 500 or less.
5. On the In-Place Hold settings page, click the Place content matching the search query in selected
sources on hold check box and then select one of the following options:
Hold indefinitely: Place items returned by the search on an indefinite hold. Items on hold will be
preserved until you change the hold duration, remove the mailbox (or public folders) from the
search, or remove the search.
Specify number of days to hold items relative to their received date: Hold items for a specific
period. For example, you can use this option if your organization requires that all messages be
retained for at least seven years. You can use a time-based In-Place Hold along with a retention
policy to make sure items are permanently deleted in seven years.
6. Click Finish to create the In-Place Hold.
Use the Exchange Management Shell to create an In-Place Hold
This example creates an In-Place Hold named Hold-CaseId012 and adds the mailbox joe@contoso.com to the
hold.
IMPORTANT
If you don't specify additional search parameters for an In-Place Hold, all items in the specified source mailboxes are placed
on hold. If you don't specify the ItemHoldPeriod parameter, items are placed on hold indefinitely or until the mailbox is
either removed from hold or the hold is deleted.
This example places an In-Place Hold on all public folders in the organization, and holds content for 7 years. The
hold doesn't include any mailboxes.
New-MailboxSearch -Name "Hold for Public Folders" -AllPublicFolderSources $true -AllSourceMailboxes $false -
ItemHoldPeriod 2555 -InPlaceHoldEnabled $true
Use the Get-Mailbox cmdlet to display In-Place Hold information for specific user mailboxes or public
folder mailboxes. For example, the following command displays the GUID for the In-Place Hold:
This example will display the In-Place Hold GUID for all public folder mailboxes in the organization.
More information
How does In-Place Hold work?: If a mailbox or public folder is not on hold, an item is moved to the Deletions
subfolder in the Recoverable Items folder when it's permanently deleted (Shift + Delete) or deleted from the
Deleted Items folder. A deletion policy (how long items are set to be retained) also moves items to the Deletions
subfolder when the retention period expires. When a user purges an item in the Recoverable Items folder or when
the deleted item retention period expires for an item, the item is moved to the Purges subfolder and marked for
permanent deletion. It will be then be purged from Exchange the next time the mailbox is processed by the
Managed Folder Assistant (MFA).
When an In-Place Hold is placed on a mailbox or public folder, purged items are not moved to the Purges
subfolder but are instead moved to the DiscoveryHolds subfolder and are preserved for the hold duration
specified by the In-Place Hold. The hold duration is calculated from the original date an item was received or
created, and defines how long items in the DiscoveryHolds subfolder are held. When the hold duration expires for
an item in the DiscoveryHolds subfolder, the item it is marked for permanent deletion and will be purged from
Exchange the next time the mailbox or public folder is processed by the MFA. If an indefinite hold is placed on a
mailbox or public folder, items will never be purged from the DiscoveryHolds subfolder.
The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow process.
NOTE
If a mailbox is place on Litigation Hold, purged items are moved to the Purges subfolder and preserved for the hold duration
configured for the Litigation Hold.
Place a mailbox on Litigation Hold
8/23/2019 • 8 minutes to read • Edit Online
Place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of
modified items. When you place a mailbox on Litigation Hold, the user's archive mailbox (if it's enabled) is also
placed on hold. Deleted and modified items are preserved for a specified period or until you remove the mailbox
from Litigation Hold. All such mailbox items are returned in an In-Place eDiscovery in Exchange Server search.
NOTE
When you place a mailbox on Litigation Hold indefinitely (by not specifying a duration period), the value for the
LitigationHoldDuration property mailbox is set to Unlimited .
The example uses the Get-Mailbox cmdlet to retrieve all mailboxes in the organization, specifies a recipient filter to
include all user mailboxes, and then pipes the list of mailboxes to the Set-Mailbox cmdlet to enable the Litigation
Hold and set the hold duration.
To place all user mailboxes on an indefinite hold, run the previous command but don't include the
LitigationHoldDuration parameter.
See the More information section for examples of using other recipient properties in a filter to include or exclude
one or more mailboxes.
or
If a mailbox is placed on Litigation Hold indefinitely, the value for the LitigationHoldDuration property
mailbox is set to Unlimited .
More information
How does Litigation Hold work? In the normal deleted item workflow, a mailbox item is moved to the
Deletions subfolder in the Recoverable Items folder when a user permanently deletes it (Shift + Delete) or
deletes it from the Deleted Items folder. A deletion policy (which is a retention tag configured with a Delete
retention action) also moves items to the Deletions subfolder when the retention period expires. When a
user purges an item in the Recoverable Items folder or when the deleted item retention period expires for
an item, it's moved to the Purges subfolder in the Recoverable Items folder and marked for permanent
deletion. It will be purged from Exchange the next time the mailbox is processed by the Managed Folder
Assistant (MFA).
When a mailbox is placed on Litigation Hold, items in the Purges subfolder are preserved for the hold
duration specified by the Litigation Hold. The hold duration is calculated from the original date an item was
received or created, and defines how long items in the Purges subfolder are held. When the hold duration
expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged
from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a
mailbox, items will never be purged from the Purges subfolder.
The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow
process.
NOTE
If an In-Place Hold is placed on a mailbox, purged items are moved from the Deletions subfolder to the
DiscoveryHolds subfolder and are preserved for the hold duration for the In-Place Hold.
If your organization requires that all mailbox data has to preserved for a specific period of time, consider
the following before you place all mailboxes in an organization on Litigation Hold.
When you use the previous command to place a hold on all mailboxes in an organization (or a subset
of mailboxes matching a specified recipient filter) only mailboxes that exist at the time that you run
the command are placed on hold. If you create new mailboxes later, you have to run the command
again to place the new mailboxes on hold. If you create new mailboxes often, you can run the
command as a scheduled task as frequently as required.
Placing all mailboxes on Litigation Hold can significantly impact mailbox sizes. In an Exchange 2016
or Exchange 2019 organization, plan for adequate storage to meet your organization's preservation
requirements.
The Recoverable Items folder has its own storage limit, so items in the folder don't count towards the
mailbox storage limit. As previously explained, preserving mailbox data for a long period of time will
result in growth of the Recoverable Items folder in a user's mailbox and archive. We recommend that
you periodically monitor the size of this folder by using the Get-MailboxFolderStatistics cmdlet to
ensure it doesn't reach the limit. For more information, see:
Get-MailboxFolderStatistics
Clean up or delete items from the Recoverable Items folder.
The previous command to place a hold on all mailboxes uses a recipient filter that returns all user
mailboxes. You can use other recipient properties to return a list of specific mailboxes that you can then pipe
to the Set-Mailbox cmdlet to place a Litigation Hold on those mailboxes.
Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a subset of
mailboxes based on common user or mailbox properties. These examples assume that relevant mailbox
properties (such as CustomAttributeN or Department) have been populated.
You can use other user mailbox properties in a filter to include or exclude mailboxes. For details, see
Filterable Properties for the -Filter Parameter.
Place all mailboxes on hold
8/23/2019 • 6 minutes to read • Edit Online
Your organization may require all mailbox data to be preserved for a specific period. You can use Litigation Hold or
In-Place Hold to meet this requirement. After you place a mailbox on Litigation Hold or In-Place Hold, mailbox
items that are modified or that are permanently deleted are preserved in the Recoverable Items folder for the
duration specified by the hold. For more information, see In-Place Hold and Litigation Hold in Exchange Server.
Before you place all mailboxes in an organization on Litigation Hold or In-Place Hold, consider the following:
When you place mailboxes on hold, content in a user's archive mailbox (if it's enabled) is also placed on
hold.
Placing all mailboxes in an organization on hold can significantly impact mailbox sizes. In an Exchange
Server deployment, plan for adequate storage to meet your organization's preservation requirements.
Preserving mailbox data for a long duration will result in growth of the Recoverable Items folder in a user's
primary mailbox and archive mailbox. The Recoverable Items folder has its own storage limit, so items in
the folder don't count towards the mailbox storage limit. In Exchange Server, the default storage limit for
the Recoverable Items folder is 30 GB. We recommend that you periodically monitor the size of this folder
to ensure it doesn't reach the limit. For more information, see Recoverable Items folder in Exchange Server.
For setting a Litigation Hold, the EAC is However, you can't select more than
best suited for quick one-off actions on 500 source mailboxes in the EAC. For
a few mailboxes. We recommend using details, see Create or remove an In-
the Exchange Management Shell for Place Hold.
placing a Litigation Hold for all users in
your organization. For details, see Place
a mailbox on Litigation Hold.
Place more than 10,000 mailboxes on Yes Yes; use multiple In-Place Holds
hold
Litigation Hold is a mailbox property. You can use distribution groups to
You can place all mailboxes in an specify a maximum of 10,000 mailboxes
organization on hold by using the Set- in a single In-Place Hold. To place
Mailbox cmdlet. additional mailboxes on hold, you must
create additional In-Place Holds. This
will result in additional management
overhead. Using Litigation Hold placing
large numbers of mailboxes on hold is
simpler.
IF YOU WANT TO... USE LITIGATION HOLD USE IN-PLACE HOLD
The example uses the Get-Mailbox cmdlet and a recipient filter to retrieve all user mailboxes in the organization,
and then pipes the list of mailboxes to the Set-Mailbox cmdlet to enable the Litigation Hold and specify a hold
duration. For more information, see Place a mailbox on Litigation Hold.
More information
When you place all mailboxes in your organization on hold, only the mailboxes that exist at the time you run
the command are placed on hold. If you create new mailboxes later, run the command again to place them
on hold. If you frequently create new mailboxes, you can run the command as a scheduled task as
frequently as required.
Placing mailboxes on hold preserves data by preventing items in the Recoverable Items folder from being
deleted until the specified hold duration for an item expires. If a hold is configured to hold items indefinitely,
items won't be purged from a mailbox. Also, when a mailbox is on hold the original version of a message is
saved before it's modified. Combine Litigation Hold or In-Place Hold with a Retention Policy, which can
automatically delete messages (and move them into the Recoverable Items folder) after a specified period,
to meet your organization's email retention requirements. See Retention tags and retention policies in
Exchange Server for details.
The Exchange Management Shell command used in this topic to place a Litigation Hold on all mailboxes
uses a recipient filter that returns all user mailboxes. You can use other recipient properties to return a list of
specific mailboxes that you can then pipe to the Set-Mailbox cmdlet to place a Litigation Hold on those
mailboxes.
Here are some examples of using the Get-Mailbox and Get-Recipient cmdlets to return a subset of
mailboxes based on common user or mailbox properties. These examples assume that relevant mailbox
properties (such as CustomAttributeN or Department) have been populated.
You can use other user mailbox properties in a filter to include or exclude mailboxes. For details, see
Filterable Properties for the -Filter Parameter.
Preserve Bcc and expanded distribution group
recipients for eDiscovery
8/23/2019 • 4 minutes to read • Edit Online
In-Place Hold and Litigation Hold allow you to preserve mailbox content to meet regulatory compliance and
eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is
included in all messages by default, but your organization may require the ability to search for and reproduce
details about all recipients of a message. This includes
Recipients addressed using the Bcc field of a message: Bcc recipients are stored in the message in the
sender's mailbox, but not included in headers of the message delivered to recipients.
Expanded distribution group recipients: Recipients who receive the message because they're members
of a distribution group to which the message was addressed, either in the To, Cc or Bcc fields.
Exchange 2016 and Exchange 2019 preserve information about Bcc and expanded distribution group recipients.
You can search for this information by using an In-Place eDiscovery search .
Expanded distribution group Message properties in the No. Expanded distribution Compliance officers
recipients sender's mailbox. group recipient information
is stored after a mailbox is
placed on In-Place Hold or
Litigation Hold.
Scenario 2: Bob sends an email to John (To/Cc) and Jack (Bcc directly, or indirectly via a distribution group). The
table below shows eDiscovery search results.
WHEN YOU SEARCH... FOR MESSAGES SENT... RESULTS INCLUDE MESSAGE? NOTES
If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or
lawsuits), In-Place eDiscovery in Exchange Server can help you perform discovery searches for relevant content
within mailboxes. You can also use In-Place eDiscovery in an Exchange hybrid environment to search on-
premises and cloud-based mailboxes in the same search.
IMPORTANT
In-Place eDiscovery is a powerful feature that allows a user with the correct permissions to potentially gain access to all
messaging records stored throughout the Exchange Server organization. It's important to control and monitor discovery
activities, including addition of members to the Discovery Management role group, assignment of the Mailbox Search
management role, and assignment of mailbox access permission to discovery mailboxes.
IMPORTANT
If a user isn't added to the Discovery Management role group or isn't assigned the Mailbox Search role, the In-Place
eDiscovery & Hold user interface isn't displayed in the EAC, and the In-Place eDiscovery (*MailboxSearch) cmdlets
aren't available in the Exchange Management Shell.
Auditing of RBAC role changes, which is enabled by default, makes sure that adequate records are kept to track
assignment of the Discovery Management role group. You can use the administrator role group report to search
for changes made to administrator role groups. For more information, see Search the role group changes or
administrator audit logs.
NOTE
In-Place eDiscovery does not support regular expressions.
You must capitalize logical operators such as AND and OR for them to be treated as operators
instead of keywords. We recommend that you use explicit parenthesis for any query that mixes
multiple logical operators to avoid mistakes or misinterpretations. For example, if you want to
search for messages that contain either WordA or WordB AND either WordC or WordD, you must
use (WordA OR WordB ) AND (WordC OR WordD ).
Start and End dates - By default, In-Place eDiscovery doesn't limit searches by a date range. To
search messages sent during a specific date range, you can narrow the search by specifying the
start and end dates. If you don't specify an end date, the search will return the latest results every
time you restart it.
Senders and recipients - To narrow down the search, you can specify the senders or recipients of
messages. You can use email addresses, display names, or the name of a domain to search for
items sent to or from everyone in the domain. For example, to find email sent by or sent to anyone
at Contoso, Ltd, specify **@contoso.com** in the From or the To/cc field in the EAC. You can also
specify **@contoso.com** in the Senders or Recipients parameters in the Exchange Management
Shell
Message types - By default, all message types are searched. You can restrict the search by
selecting specific message types such as email, contacts, documents, journal, meetings, notes and
Lync content.
The following screenshot shows an example of a search query in the EAC.
NOTE
In Exchange Server, keyword statistics also include statistics for non-keyword properties such as dates, message types,
and senders/recipients specified in a search query.
You can also preview the search results to further ensure that messages returned contain the content you're
searching for and further fine-tune the query if required. eDiscovery Search Preview displays the number of
messages returned from each mailbox searched and the total number of messages returned by the search. The
preview is generated quickly without requiring you to copy messages to a discovery mailbox.
After you're satisfied with the quantity and quality of search results, you can copy them to a discovery mailbox.
When copying messages, you have the following options:
Include unsearchable items - For details about the types of items that are considered unsearchable,
see the eDiscovery search considerations in the previous section.
Enable de-duplication - De-duplication reduces the dataset by only including a single instance of a
unique record if multiple instances are found in one or more mailboxes searched.
Enable full logging - By default, only basic logging is enabled when copying items. You can select full
logging to include information about all records returned by the search.
Send me mail when the copy is completed - An In-Place eDiscovery search can potentially return a
large number of records. Copying the messages returned to a discovery mailbox can take a long time.
Use this option to get an email notification when the copying process is completed. For easier access
using Outlook on the web, the notification includes a link to the location in a discovery mailbox where the
messages are copied.
For more information, see Copy eDiscovery search results to a discovery mailbox.
After search results are exported to a PST file, you or other users can open them in Outlook to review or print
messages returned in the search results. For more information, see Export eDiscovery search results to a PST
file.
Besides the search log included when copying search results to a discovery mailbox, Exchange also logs cmdlets
used by the EAC or the Exchange Management Shell to create, modify or remove In-Place eDiscovery searches.
This information is logged in the admin audit log entries. For details, see Administrator audit logging in
Exchange Server.
Discovery mailboxes
After you create an In-Place eDiscovery search, you can copy the search results to a target mailbox. The EAC
allows you to select a discovery mailbox as the target mailbox. A discovery mailbox is a special type of mailbox
that provides the following functionality:
Easier and secure target mailbox selection - When you use the EAC to copy In-Place eDiscovery
search results, only discovery mailboxes are made available as a repository in which to store search
results. This eliminates the possibility of a discovery manager accidentally selecting another user's
mailbox or an unsecured mailbox in which to store potentially sensitive messages.
Large mailbox storage quota - The target mailbox should be able to store a large amount of message
data that may be returned by an In-Place eDiscovery search. By default, discovery mailboxes have a
mailbox storage quota of 50 GB. This storage quota can't be increased.
More secure by default - Like all mailbox types, a discovery mailbox has an associated Active Directory
user account. However, this account is disabled by default. Only users explicitly authorized to access a
discovery mailbox have access to it. Members of the Discovery Management role group are assigned Full
Access permissions to the default discovery mailbox. Any additional discovery mailboxes you create don't
have mailbox access permissions assigned to any user.
Email delivery disabled - Users can't send email to a discovery mailbox. Email delivery to discovery
mailboxes is prohibited by using delivery restrictions. This preserves the integrity of search results copied
to a discovery mailbox. By default, discovery mailboxes aren't displayed in your organization's global
address list.
Exchange Server Setup creates one discovery mailbox with the display name Discovery Search Mailbox. You
can use the Exchange Management Shell to create additional discovery mailboxes. By default, the discovery
mailboxes you create won't have any mailbox access permissions assigned. You can assign Full Access
permissions for a discovery manager to access messages copied to a discovery mailbox. For details, see Create a
Discovery Mailbox .
In-Place eDiscovery also uses a system mailbox with the display name SystemMailbox{e0dc1c29-89c3-4034-
b678-e6c29d823ed9} to hold In-Place eDiscovery metadata. System mailboxes aren't visible in the EAC or in
Exchange address lists. Before removing a mailbox database where the In-Place eDiscovery system mailbox is
located, you must move the mailbox to another mailbox database. If the mailbox is removed or corrupted, your
discovery managers are unable to perform eDiscovery searches until you re-create the mailbox. For details, see
Re-Create the Discovery System Mailbox.
IMPORTANT
Users with Full Access mailbox permission will still be able to access the mailbox. To prevent access by others, you
must remove their Full Access permission from the mailbox. For information about how to remove Full Access
mailbox permissions on a mailbox, see Manage permissions for recipients.
2. Set the message size limit for messages that can be sent from or received by the mailbox user to a very
low value, 1 KB for example. This prevents delivery of new mail to and from the mailbox. For details, see
Configure message size limits for a mailbox.
3. Configure delivery restrictions for the mailbox so nobody can send messages to it. For details, see
Configure message delivery restrictions for a mailbox.
IMPORTANT
You must take the above steps along with any other account management processes required by your organization, but
without disabling or removing the mailbox or removing the associated user account.
When planning to implement mailbox retention for messaging retention management (MRM ) or In-Place
eDiscovery, you must take employee turnover into consideration. Long-term retention of ex-employee
mailboxes will require additional storage on Mailbox servers and also result in an increase in Active Directory
database because it requires that the associated user account be retained for the same duration. Additionally, it
may also require changes to your organization's account provisioning and management processes.
Different search results
Because In-Place eDiscovery performs searches on live data, it's possible that two searches of the same content
sources and that use the same search query can return different results. Estimated search results can also be
different from the actual search results that are copied to a discovery mailbox. This can happen even when
rerunning the same search within a short amount of time. There are several factors that can affect the
consistency of search results.
The continual indexing of incoming email because Exchange Search continuously crawls and indexes
your organization's mailbox databases and transport pipeline.
Deletion of email by users or automated processes.
Bulk importing large amounts of email, which takes time to index.
If you do experience dissimilar results for the same search, consider placing mailboxes on hold to preserve
content, running searches during off-peak hours, and allowing time for indexing after importing large amounts
of email.
1 Archive mailboxes are counted against the source mailbox limit. That means you can search a maximum of
5,000 mailboxes if the corresponding archive mailbox is enabled for all 5,000 mailboxes.
TOPIC DESCRIPTION
Assign eDiscovery permissions in Exchange Server Learn how to give a user access to use In-Place eDiscovery in
the EAC (and by using the corresponding cmdlets) to search
Exchange mailboxes.
Create an In-Place eDiscovery search in Exchange Server Learn how to create an In-Place eDiscovery search, and how
to estimate and preview eDiscovery search results.
Copy eDiscovery search results to a discovery mailbox Learn how to copy the results of an eDiscovery search to a
discovery mailbox.
TOPIC DESCRIPTION
Export eDiscovery search results to a PST file Learn how to export the results of an eDiscovery search to a
PST file.
Message properties and search operators for In-Place Learn which email message properties can be searched using
eDiscovery in Exchange Server In-Place eDiscovery. The topic provides syntax examples for
each property, information about search operators such as
AND and OR, and information about other search query
techniques such as using double quotation marks (" ") and
prefix wildcards.
Search and place a hold on public folders using In-Place Learn how to use In-Place eDiscovery to search and place a
eDiscovery hold on all public folders in your organization.
Assign eDiscovery permissions in Exchange Server
8/23/2019 • 2 minutes to read • Edit Online
If you want users to be able to use Exchange Server In-Place eDiscovery, you first need to add them to the
Discovery Management role group. Members of the Discovery Management role group have Full Access mailbox
permissions to the default discovery mailbox, which is called Discovery Search Mailbox.
Cau t i on
Members of the Discovery Management role group can access sensitive message content. Specifically, these
members can use In-Place eDiscovery to search all mailboxes in your Exchange organization, preview the search
results (and other mailbox items), copy them to a discovery mailbox, and export the search results to a .pst file. In
most organizations, this permission is assigned to legal, compliance, or Human Resources personnel.
Use the EAC to add a user to the Discovery Management role group
1. In the EAC, go to Permissions > Admin roles, select the Discovery Management role group, and then
click Edit .
2. On the resulting Role Group page, in the Members section, click Add .
3. In the resulting Select Members dialog, select an available user or group, and then click Add. Repeat this
step as many times as necessary. When you're finished, click OK.
4. Back on the Role Group page, click Save.
This example adds the user Bsuneja to the Discovery Management role group.
This example add the members of the mail-enabled security group named Contoso Compliance Management.
Use an In-Place eDiscovery search to search for content across all mailboxes and public folders in your Exchange
Server organization. This includes searching permanently deleted items and original versions of modified items
(in the Recoverable Items folder) for users placed on Litigation Hold or In-Place Hold. For more information about
these searches, see In-Place eDiscovery in Exchange Server.
5. On the In-Place Hold settings page, you can select the Place content matching the search query in
selected sources on hold check box, and then select one of the following options to place items on In-
Place Hold:
Hold indefinitely: Select this option to place the returned items on an indefinite hold. Items on
hold will be preserved until you remove the content source from the search or if you delete the
search.
Specify number of days to hold items relative to their received date Use this option to hold
items for a specific period. For example, you can use this option if your organization requires that all
messages be retained for at least seven years. You can use a time-based In-Place Hold along with a
retention policy to make sure items are deleted in seven years.
IMPORTANT
When placing content sources or specific items on In-Place Hold for legal purposes, it's generally
recommended to hold items indefinitely and remove the hold when the case or investigation is completed.
6. Click Finish to save the search and return an estimate of the total size and number of items that will be
returned by the search based on the criteria you specified. Estimates are displayed in the details pane. Click
Refresh to update the information displayed in the details pane.
IMPORTANT
If you don't specify a search query, a date range, or a message type, all items in the source mailboxes or public folders are
returned in the results. The results would be similar to selecting Include all content on the Search query page in the EAC.
Start-MailboxSearch "Discovery-CaseId012"
After using the Exchange Management Shell to create an In-Place eDiscovery search, you have to start the search
by using the Start-MailboxSearch cmdlet to copy messages to the discovery mailbox specified in the
TargetMailbox parameter. For details, see Copy eDiscovery search results to a discovery mailbox.
NOTE
When using the StartDate and EndDate parameters, you have to use the date format of mm/dd/yyyy, even if your local
machine settings are configured to use a different date format, such as dd/mm/yyyy. For example, to search for messages
sent between April 1, 2015 and July 1, 2015, you would use 04/01/2015 and 07/01/2015 for the start and end dates.
Example 2
This example creates an In-Place eDiscovery search named HRCase090116 that searches for email messages sent
by Alex Darrow to Sara Davis in 2015.
Start-MailboxSearch "HRCase090116"
Example 3
This example creates an estimate-only search that searches all public folders in the organization for items sent
between January 1, 2015 and June 30, 2015, and that contain the phrase "patent infringement". The search
doesn't include any mailboxes. The Start-MailboxSearch cmdlet is used to start the estimate-only search.
New-MailboxSearch -Name "Northwind Subpoena-All PFs" -AllPublicFolderSources $true -AllSourceMailboxes $false
-SearchQuery "patent infringement" -StartDate "01/01/2015" -EndDate "06/30/2015" -TargetMailbox "Discovery
Search Mailbox" -EstimateOnly
Example 4
This example searches all mailboxes and public folders for any content that contains the words "price list" and
"Contoso" and that was sent after January 1, 2015. The Start-MailboxSearch cmdlet is use to run the search and
copy the search results to the discovery mailbox.
NOTE
The mailboxes or public folders that were searched are listed in the right pane in the eDiscovery search
preview window. For each source, the number of items returned and the total size of these items is also
displayed. All items returned by the search are listed in the right pane, and can be sorted by newest or oldest
date. Items from each mailbox or public folder can't be displayed in the right pane by clicking a source in the
left pane. To view the items returned from a specific mailbox or public folder, you can copy the search results
and view the items in the discovery mailbox.
Use the Exchange Management Shell to estimate search results
You can use the EstimateOnly switch to get an estimate of the search results and not copy the results to a
discovery mailbox. You have to start an estimate-only search with the Start-MailboxSearch cmdlet. Then you
can retrieve the estimated search results by using the Get-MailboxSearch cmdlet. You can't use the Exchange
Management Shell to preview messages returned in search results.
For example, you would run the following commands to create a new search and then display an estimate of the
search results:
To display specific information about the estimated search results from the previous example, you could run the
following command:
More information
After you create a new eDiscovery search, you can copy search results to the discovery mailbox and export
those search results to a PST file. For more information, see:
Copy eDiscovery search results to a discovery mailbox
Export eDiscovery search results to a PST file
After you run an eDiscovery search estimate (that includes keywords in the search criteria), you can view
keyword statistics by clicking View keyword statistics in the details pane for the selected search. These
statistics show details about the number of items returned for each keyword used in the search query.
However, if more than 100 source mailboxes are included in the search, an error will be returned if you try
to view keyword statistics. To view keyword statistics, no more than 100 source mailboxes can be included
in the search.
If you use Get-MailboxSearch in Exchange Online to retrieve information about an eDiscovery search,
you have to specify the name of a search to return a complete list of the search properties; for example,
Get-MailboxSearch "Contoso Legal Case" . If you run the Get-MailboxSearch cmdlet without using any
parameters, the following properties aren't returned:
SourceMailboxes
Sources
PublicFolderSources
SearchQuery
ResultsLink
PreviewResultsLink
Errors
The reason is that it requires a lot of resources to return these properties for all eDiscovery searches
in your organization.
Copy eDiscovery search results to a discovery
mailbox
8/23/2019 • 4 minutes to read • Edit Online
After you create an In-Place eDiscovery search in Exchange Server, you can use the Exchange admin center (EAC )
to copy the results to a discovery mailbox. You can also use the Exchange Management Shell to start an
eDiscovery search that was created using the New-MailboxSearch cmdlet, which will copy the results to the
discovery mailbox that was specified when you created the search.
If you used the EstimateOnly switch to get an estimate of the search results, you have to remove the switch before
you can copy the search results. You also have to specify a discovery mailbox to copy to search results to. For
example, say you created an estimate-only search by using the following command:
To copy the results of this search to a discovery mailbox, you would run the following commands:
Set-MailboxSearch "FY15 Q2 Financial Results" -EstimateOnly $false -TargetMailbox "Discovery Search Mailbox"
For more information about these cmdlets, see the following topics:
Set-Mailboxsearch
Start-MailboxSearch
More information
After you copy search results to the discovery mailbox, you can also export those search results to a PST
file. For more information, see Export eDiscovery search results to a PST file. Note that you can export
search results without having to copy them to a discovery mailbox. You can create an estimate-only search,
start it, and then export the search results.
For more information about unsearchable items, see Unsearchable Items in Exchange eDiscovery.
If you're copying all mailbox content within a specific date range (by not specifying any keywords in the
search criteria), then all unsearchable items within that date range will be automatically included in the
search results. Therefore, don't select the Include unsearchable items checkbox when copying search
results. Otherwise, a duplicate copy of all unsearchable items will be copied to the discovery mailbox.
In addition to copying the search results to a discovery mailbox, you can also estimate or preview the
search results for a selected search.
Estimate search results: This option returns an estimate of the total size and number of items that
will be returned by the search based on the criteria you specified. Estimates are displayed in the
details pane in the EAC.
Preview search results: This option lets you preview the search results returned by the search
instead of having to copy them to a discovery mailbox to view. This lets you quickly determine
whether the search results are relevant. After you preview the results, you can revise your search
query to narrow the search results and rerun the search. Items in the preview page are read-only
versions of the actual search results, so you can't move, edit, delete or forward on the preview page.
For more information, see Use the EAC to estimate or preview search results.
Export eDiscovery search results to a PST file
8/23/2019 • 4 minutes to read • Edit Online
You can use the eDiscovery Export tool in the Exchange admin center (EAC ) to export the results of an In-Place
eDiscovery search to an Outlook Data File, which is also called a PST file. Search results will contain items from
mailboxes and public folders, depending on the content sources from the eDiscovery search. This lets you
distribute search results to other people within your organization, such as a human resources manager or records
manager, or to opposing counsel in a legal case. After search results are exported to a PST file, you or other users
can open them in Outlook to review or print messages returned in the search results. PST files can also be opened
in third-party eDiscovery and reporting applications.
Use the EAC to export In-Place eDiscovery search results to a PST file
1. In the EAC, go to Compliance management > In-Place eDiscovery & Hold.
2. In the list view, select the eDiscovery search you want to export the results of, and then click Export to a
PST file.
3. In the eDiscovery PST Export Tool window, do the following:
Click Browse to specify the location where you want to download the PST file.
Click the Enable deduplication checkbox to exclude duplicate messages. Only a single instance of
a message will be included in the PST file.
Click the Include unsearchable items checkbox to include items that couldn't be searched (for
example, messages with attachments of file types that couldn't be indexed by Exchange Search).
Unsearchable items are exported to a separate PST file.
Note: Including unsearchable items when you export eDiscovery search results takes longer when
mailboxes or public folders contain a lot of unsearchable items. To reduce the time it takes to export search
results and prevent large PST export files, consider the following recommendations:
Create multiple eDiscovery searches that each search a fewer number of source mailboxes.
Create an eDiscovery search that only includes public folders.
If you're exporting all mailbox or public folder content within a specific date range (by not specifying
any keywords in the search criteria), then all unsearchable items within that date range will be
automatically included in the search results. Therefore, don't select the Include unsearchable
items checkbox.
4. Click Start to export the search results to a PST file.
A window is displayed that contains status information about the export process.
More information
Another way to reduce the size of PST export files is to export only the unsearchable items for an
eDiscovery search. To do this, create or edit a search, specify a start date in the future, and then remove any
keywords from the Keywords box. This will result in no search results being returned. When you copy or
export the search results and select the Include unsearchable items checkbox, only the unsearchable
items will be copied to the discovery mailbox or exported to a PST file.
If you enable deduplication, all search results are exported in a single PST file. If you don't enable
deduplication, a separate PST file is exported for each mailbox (including public folder mailboxes if the
search includes public folders) that contains search results. And as previously stated, unsearchable items
are exported to a separate PST file.
In addition to the PST files that contain the search results, two other files are also exported:
A configuration file (.txt file format) that contains information about the PST export request, such as
the name of the eDiscovery search that was exported, the date and time of the export, whether de-
duplication and unsearchable items were enabled, the search query, and the content sources that
were searched.
A search results log (.csv file format) that contains an entry for each message returned in the search
results. Each entry identifies the content source where the message is located. If you've enabled de-
duplication, this helps you identify all mailboxes or public folders that contain a duplicate message.
The name of the search is the first part of the filename for each file that is exported. Also, the date and time
of the export request is appended to the filename of each PST file and the results log.
You can't use the PST export tool with accounts that require mult-factor authentication (MFA). Instead, you
need to create an app password for the PST export tool. For instructions, see Create an app password for
Office 365.
Message properties and search operators for In-
Place eDiscovery in Exchange Server
8/23/2019 • 8 minutes to read • Edit Online
This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery
& Hold in Exchange Server 2016 or Exchange Server 2019. The topic also describes Boolean search operators and
other search query techniques that you can use to refine eDiscovery search results.
In-Place eDiscovery uses Keyword Query Language (KQL ). For more details, see Keyword Query Language syntax
reference.
bcc:"Pilar Pinilla"
Category The categories to search. category:"Red Category" Messages that have been
Categories can be defined assigned the red category in
by users by using Outlook the source mailboxes.
or Outlook on the web
(formerly known as Outlook
Web App). Valid values are:
• blue
• green
• orange
• purple
• red
• yellow
Kind The message type to search. kind:email Email messages that meet
Valid values are: the search criteria. The
• contacts kind:email OR kind:im OR second example returns
• docs kind:voicemail email messages, instant
• email messaging conversations,
• faxes and voice messages that
• im meet the search criteria.
• journals
• meetings
• notes
• posts
• rssfeeds
• tasks
• voicemail
Received The date that an email received:04/15/2015 Messages that were received
message was received by a on April 15, 2014. The
recipient. received>=01/01/2015 second example returns all
AND messages received between
received<=03/31/2015 January 1, 2014 and March
31, 2014.
Sent The date that an email sent:07/01/2015 Messages that were sent on
message was sent by the the specified date or sent
sender. sent>=06/01/2015 AND within the specified date
sent<=07/01/2015 range.
SEARCH RESULTS RETURNED
PROPERTY PROPERTY DESCRIPTION EXAMPLES BY THE EXAMPLES
Subject The text in the subject line of subject:"Quarterly Financials" Messages that contain the
an email message. exact phrase "Quarterly
subject:northwind Financials" anywhere in the
text of the subject line.
to:"Ann Beebe"
1 For
the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For
example, you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.
AND keyword1 AND keyword2 Returns messages that include all of the
specified keywords or property:value
expressions.
NEAR keyword1 NEAR(n) keyword2 Returns messages with words that are
near each other, where n equals the
number of words apart. For example,
best NEAR(5) worst returns
messages where the word "worst" is
within five words of "best". If no
number is specified, the default distance
is eight words.
1 Use this operator for properties that have date or numeric values.
2 Boolean search operators must be uppercase; for example, AND. Using lowercase operators in search queries
will return an error.
How to prevent unsupported characters in your search queries? The best way to prevent unsupported
characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel
and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in
the Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy
and paste the query from the text file to the keyword query box.
Search tips and tricks
Keyword searches are not case sensitive. For example, cat and CAT return the same results.
A space between two keywords or two property:value expressions is the same as using AND. For
example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain
the word reorganization in the subject line.
Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a
space after the operator. If there is a space, your intended value will just be full-text searched. For example,
to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.
When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address,
alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar
Pinilla".
You can use only prefix wildcard searches (for example, cat* or set*). Suffix wildcard searches (*cat) or
substring wildcard searches (*cat*) aren't supported.
When searching a property, use double quotation marks (" ") if the search value consists of multiple words.
For example subject:budget Q1 returns messages that contain budget in the in the subject line and that
contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1"
returns all messages that contain budget Q1 anywhere in the subject line.
To exclude content marked with a certain property value from your search results, place a minus sign (-)
before the name of the property. For example, -from:"Sara Davis" will exclude any messages sent by Sara
Davis.
Search and place a hold on public folders using In-
Place eDiscovery
8/23/2019 • 4 minutes to read • Edit Online
You can use In-Place eDiscovery to search for content in public folders and place content in public folders on In-
Place Hold. Like content in user mailboxes, content in public folders might be relevant if your organization has to
respond to legal requests such as lawsuits or regulatory investigations.
NOTE
As previously explained, if you select the Search all mailboxesoption, you won't be able to enable an In-
Place Hold for the search.
5. On the Search query page, complete the following fields:
Include all content: Select this option to include all content in the selected sources in the search
results. If you select this option, you can't specify additional search criteria.
Filter based on criteria: Select this option to specify search criteria, including keywords, start and
end dates, sender and recipient addresses, and message types.
6. On the In-Place Hold settings page, you can select the Place content matching the search query in
selected mailboxes on hold to place an In-Place Hold on all public folders in your organization. Leave
the check box unselected to not place content on hold. If you place content on hold, select one of the
following options for the hold duration:
Hold indefinitely: Click this button to place items returned by the search on an indefinite hold.
Items on hold will be preserved until you remove public folders from the search or remove the
search.
Specify number of days to hold items relative to their received date: Click this button to hold
items in public folders for a specific period. For example, you can use this option if your organization
requires that public folder content be retained for at least seven years.
7. Click Finish to save the search and return an estimate of the total size and number of items that will be
returned by the search or placed on hold based on the criteria you specified.
Estimates are displayed in the details pane on the In-Place eDiscovery & Hold page. Select a search and
then click Refresh to update the information about the search that's displayed in the details pane.
Example 2
This example places all content in all public folders on In-Place hold, with an unlimited hold duration. The Start-
MailboxSearch cmdlet is use to run the search and place the content on hold.
New-MailboxSearch -Name "Hold for all PFs" -AllPublicFolderSources $true -AllSourceMailboxes $false -
EstimateOnly -InPlaceHoldEnabled $true
Example 3
This example searches all mailboxes and public folders for any content that contains the words "price list" and
"Contoso" and that was sent after January 1, 2015. The Start-MailboxSearch cmdlet is use to run the search and
copy the search results to the discovery mailbox.
More information
You can only search or place holds on all public folders in your organization. You can't select specific public
folders to search.
Moving public folders to a different public folder mailbox doesn't affect searching or placing holds on
public folders that have been moved.
Public folder mailboxes are counted against the source mailbox limit for the eDiscovery search.
You can't delete public folders that are on In-Place Hold. You will have to remove the hold before you can
delete any public folder.
Mail-enabling a public folder doesn't impact using In-Place eDiscovery to search or place holds on public
folders. Mail-enabled and non-mail enabled public folders can be searched and placed on hold.
Use Compliance Search to search all mailboxes in
Exchange Server
8/23/2019 • 11 minutes to read • Edit Online
The Compliance Search feature in Exchange Server allows you to search all mailboxes in your organization. Unlike
In-Place eDiscovery where you can search up to 10,000 mailboxes, there are no limits for the number of target
mailboxes in a single search. For scenarios that require you to perform organization-wide searches, you can use the
New-ComplianceSearch cmdlet to search all mailboxes. Then you can use the workflow features of In-Place
eDiscovery to perform other eDiscovery-related tasks, such as placing mailboxes on hold and exporting search
results. For example, let's say you have to search all mailboxes to identify specific custodians that are responsive to
a legal case. You can use the New-ComplianceSearch cmdlet to search all mailboxes in your organization to
identify those that are responsive to the case. Then you can use that list of custodian mailboxes as the source
mailboxes for an In-Place eDiscovery. Using In-Place eDiscovery also allows you to put a hold on those source
mailboxes, copy search results to a discovery mailbox, and export the search results.
This topic includes a script that you can run to create an In-Place eDiscovery search by using the list of source
mailboxes and search query from a compliance search that is created by running the New-ComplianceSearch
cmdlet.
NOTE
If the source compliance search doesn't return any results, an In-Place eDiscovery won't be created when you run the script in
Step 3. You may have to revise the search query and then rerun the compliance search to return search results.
Here's an example of using the New-ComplianceSearch cmdlet to search all mailboxes in your organization. The
search query returns all messages sent between October 1, 2015 and October 31, 2015 and that contain the
phrase "financial report" in the subject line. The first command creates the search, and the second command runs
the search.
[CmdletBinding()]
Param(
[Parameter(Mandatory=$True,Position=1)]
[string]$SearchName
)
$search = Get-ComplianceSearch $SearchName
if ($search.Status -ne "Completed")
{ "Please wait until the search finishes."; break; } $results = $search.SuccessResults; if (($search.Items -le 0) -or
([string]::IsNullOrWhiteSpace($results))) { "The compliance search " + $SearchName + " didn't return any useful
results."; break; } $mailboxes = @(); $lines = $results -split '[\r\n]+'; foreach ($line in $lines) { if ($line -match
'Location: (\S+),.+Item count: (\d+)' -and $matches[2] -gt 0) { $mailboxes += $matches[1]; } } "Number of
mailboxes that have search hits: " + $mailboxes.Count
2. In the Exchange Management Shell, go to the folder where the script you created in the previous step is
located, and then run the script; for example:
.\SourceMailboxes.ps1
3. When prompted by the script, type the name of the compliance search that you created in Step 1.
The script displays the number of source mailboxes that contain search results.
If there are more than 500 source mailboxes, try creating two (or more) compliance searches. For example,
search half of your organization's mailboxes in one compliance search and the other half in another compliance
search. You could also change the search criteria to reduce the number of mailboxes that contain search
results. For example, you could specify a date range or refine the keyword query.
## Step 3: Run the script to create an In-Place eDiscovery search from the Compliance Search
The next step is to run a script that will convert an existing compliance search to an In-Place eDiscovery
search. Here's what the script does:
- Verifies that the compliance search has completed running. If the compliance search doesn't return any
results, and In-Place eDiscovery won't be created.
- Saves a list of the source mailboxes from the compliance search that contain search results to a variable.
- Creates a new In-Place eDiscovery search, with the following properties. Note that the new search isn't
started. You'll start it in step 4.
- **Name**: The name of the new search uses this format: *\<Name of compliance search\>* _MBSearch1. If you run
the script again and use the same source compliance search, the search will be named *\<Name of compliance
search\>* _MBSearch2.
- **Source mailboxes**: All mailboxes from the compliance search that contain search results.
- **Search query**: The new search uses the search query from the compliance search. If the compliance search
includes all content (where the search query is blank) the new search will also have a blank search query and
will include all content found in the source mailboxes.
- **Estimate only search**: The new search is marked as an estimate-only search. It won't copy search results
to a discovery mailbox after you start it.
1. Save the following text to a Windows PowerShell script file by using a filename suffix of ps1. For example,
you could save it to a file named MBSearchFromComplianceSearch.ps1.
2. In the Exchange Management Shell, go to the folder where the script that you created in the previous step is
located, and then run the script; for example:
.\MBSearchFromComplianceSearch.ps1
3. When prompted by the script, type the name of the compliance search that you want to covert to an In-Place
eDiscovery search (for example, the search that you created in Step 1) , and then press **Enter**.
If the script is successful, a new In-Place eDiscovery search is created with a status of **NotStarted**. Run
the command `Get-MailboxSearch <Name of compliance search>_MBSearch1 | FL` to display the properties of the new
search.
The script that you run in Step 3 creates a new In-Place eDiscovery search, but doesn't start it. The next step
is to start the search so you can get an estimate of the search results.
1. In the Exchange admin center (EAC), go to **Compliance management** \> **In-Place eDiscovery & Hold**.
2. In the list view, select the In-Place eDiscovery search that you created in Step 3.
3. Click **Search** (![Search icon](../../media/ITPro_EAC_.png)) \> **Estimate search results** to start the
search and return an estimate of the total size and number of items returned by the search.
The estimates are displayed in the details pane. Click **Refresh** (![Refresh icon]
(../../media/ITPro_EAC_RefreshIcon.png)) to update the information displayed in the details pane.
4. To preview the results after the search is completed, click **Preview search results** in the details pane.
> [!TIP]
> Alternatively, you can use the Exchange Management Shell to start the In-Place eDiscovery search; for example
`Start-MailboxSearch -Identity <Name of compliance search>_MBSearch1`.
## Next steps after creating and running the In-Place eDiscovery search
After you create and start the In-Place eDiscovery search that was created by the script in Step 3, you can use
the normal In-Place eDiscovery workflow to perform different eDiscovery actions on the search results.
2. In the list view, select the In-Place eDiscovery search that you created in Step 3, and then click **Edit**
(![Edit icon](../../media/ITPro_EAC_EditIcon.png)).
3. On the **In-Place Hold** page, select the **Place content matching the search query in selected mailboxes on
hold** check box and then select one of the following options:
- **Hold indefinitely**: Choose this option to place items returned by the search on an indefinite hold. Items
on hold will be preserved until you remove the mailbox from the search or remove the search.
- **Specify number of days to hold items relative to their received date**: Choose this option to hold items
for a specific period. The duration is calculated from the date a mailbox item is received or created.
4. Click **Save** to create the In-Place Hold and restart the search.
2. In the list view, select the In-Place eDiscovery search that you created in Step 3.
3. Click **Search** (![Search icon](../../media/ITPro_EAC_.png)), and then click **Copy search results** from
the drop-down list.
- **Include unsearchable items**: Select this check box to include mailbox items that couldn't be searched (for
example, messages with attachments of file types that couldn't be indexed by Exchange Search).
example, messages with attachments of file types that couldn't be indexed by Exchange Search).
- **Enable de-duplication**: Select this check box to exclude duplicate messages. Only a single instance of a
message will be copied to the discovery mailbox.
- **Enable full logging**: Select this check box to include a full log in search results.
- **Send me mail when the copy is completed**: Select this check box to get an email notification when the
search is completed.
- **Copy results to this discovery mailbox**: Click **Browse** to select the discovery mailbox where you want
the search results copied to.
5. Click **Copy** to start the process to copy the search results to the specified discovery mailbox.
7. When copying is complete, click **Open** to open the discovery mailbox to view the search results.
2. In the list view, select the In-Place eDiscovery search that you created in Step 3, and then click **Export
to a PST file**.
3. In the list view, select the In-Place eDiscovery search you want to export the results of, and then click
**Export to a PST file**.
- Click **Browse** to specify the location where you want to download the PST file.
- Click the **Enable deduplication** checkbox to exclude duplicate messages. Only a single instance of a
message will be included in the PST file.
- Click the **Include unsearchable items** checkbox to include mailbox items that couldn't be searched (for
example, messages with attachments of file types that couldn't be indexed by Exchange Search). Unsearchable
items are exported to a separate PST file.
A window is displayed that contains status information about the export process.
Search for and delete messages in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
You can use the New-ComplianceSearch and New-ComplianceSearchAction cmdlets to search for and
delete an email message from all mailboxes in your organization. This can help you find and remove potentially
harmful or high-risk email, such as:
Messages that contain dangerous attachment or virus
Phishing messages
Messages that contain sensitive data
Why use the New-ComplianceSearch and New-ComplianceSearchAction cmdlets instead of using the
Search-Mailbox cmdlet to delete messages? In previous versions of Exchange, you could run the
Search-Mailbox -DeleteContent command to search for and delete email messages. You can still do that in
Exchange Server, but you can only search a maximum of 10,000 mailboxes in a single search by using the Search-
Mailbox cmdlet. For New-ComplianceSearch, there are no limits for the number of mailboxes in a single
search. This lets large organizations perform organization-wide search and delete operations.
Here's the workflow for the search and delete process:
Step 1: Create and run a Compliance Search to find the message to delete
Step 2: Delete the message
See the More information section for description of what happens to deleted messages and how to get the status
of a search and delete operation.
Cau t i on
Search and delete is a powerful feature that allows anyone that is assigned the necessary permissions to delete
email messages from mailboxes in your organization.
For information about creating a Compliance Search and configuring search queries, see the following topics:
New -ComplianceSearch
Start-ComplianceSearch
Message properties and search operators for In-Place eDiscovery in Exchange Server
Tips for finding messages to remove
The goal of the search query is to narrow the results of the search to only the message or messages that you want
to remove. Here are some tips:
If you know the exact text or phrase used in the subject line of the message, use the Subject property in the
search query.
If you know that exact date (or date range) of the message, include the Received property in the search
query.
If you know who sent the message, include the From property in the search query.
Preview the search results to verify that the search returned only the message (or messages) that you want
to delete.
Use the search estimate statistics (by running the Get-ComplianceSearch cmdlet) to get a count of the total
number of search results.
Here are two examples of queries to find suspicious email messages.
This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and
that contain the words "action" and "required" in the subject line.
This query returns messages that were sent by chatsuwloginsset12345@outlook.com and that contain the
exact phrase "Update your account information" in the subject line.
More information
What happens after you delete a message?: A message that is deleted by using the
New-ComplianceSearchAction -Purge -PurgeType SoftDelete command is moved to the Deletions folder in the
user's Recoverable Items folder. It isn't immediately purged from the Exchange database. The user can
recover messages in the Deleted Items folder for the duration based on the deleted item retention period
configured for the mailbox. After this retention period expires (or if user purges the message before it
expires), the message is moved to the Purges folder and can no longer be accessed by the user. Once in the
Purges folder, the message is again retained for the duration based on the deleted item retention period
configured for the mailbox if single items recovery is enabled for the mailbox. (In Exchange, single item
recovery is enabled by default when a new mailbox is created. ) After the deleted item retention period
expires, the message is marked from permanent deletion and will be purged from the Exchange database
the next time that the mailbox is processed by the Managed Folder assistant.
How do you know that messages are deleted and moved to the users' Recoverable Items folder?:
If you run the same Compliance Search after you delete a message, you will still see the same number of
search results (and might assume that the message wasn't deleted from user mailboxes). This is because a
Compliance Search searches the Recoverable Items folder, which is where the deleted message is moved to
after you run the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command. To verify that
messages where moved to the Recoverable Items folder, you can run an In-Place eDiscovery search (using
the same source mailboxes and search criteria as the Compliance Search created in Step 1) and the copy the
search results to discovery mailbox. Then you can view the search results in the discovery mailbox and
verify that the messages was moved to the Recoverable Items folder. See Use Compliance Search to search
all mailboxes in Exchange Server for details about creating an In-Place eDiscovery search that uses the list
of source mailboxes and search query from a Compliance Search.
What happens if a message is deleted from a mailbox that has been placed on In-Place Hold or
Litigation Hold?: After the message is purged (either by the user or after the deleted item retention period
expires), the message is retained until the hold duration expires. If the hold duration is unlimited, then items
are retained until the hold is removed or the hold duration is changed.
How to get status on the search and delete operation? Run the Get-ComplianceSearchAction: to
get the status on the delete operation. Note that the object that is created when you run the New-
ComplianceSearchAction cmdlet is named by using this format: <name of Compliance Search>_Purge .
Messaging records management in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
Users send and receive email every day. If left unmanaged, the volume of email generated and received each day
can inundate users, impact user productivity, and expose your organization to risks. As a result, email lifecycle
management is a critical component for most organizations.
Messaging records management (MRM ) is the records management technology in Exchange Server that helps
organizations manage email lifecycle and reduce the legal risks associated with email. Deploying MRM can help
your organization in several ways:
Meet business requirements: Depending on your organization's messaging policies, you may need to
retain important email messages for a certain period. For example, a user's mailbox may contain critical
messages related to business strategy, transactions, product development, or customer interactions.
Meet legal and regulatory requirements: Many organizations have a legal or regulatory requirement to
store messages for a designated period and remove messages older than that period. Storing messages
longer than necessary may increase your organization's legal or financial risks.
Increase user productivity: If left unmanaged, the ever-increasing volume of email in your users'
mailboxes can also impact their productivity. For example, although newsletter subscriptions and automated
notifications may have informational value when they're received, users may not remove them after reading
(often they're never read). Many of these types of messages don't have a retention value beyond a few days.
Using MRM to remove such messages can help reduce information clutter in users' mailboxes, thereby
increasing productivity.
Improve storage management: Due to expectations driven by free consumer email services, many users
keep old messages for a long period or never remove them. Maintaining large mailboxes is increasingly
becoming a standard practice, and users shouldn't be forced to change their work habits based on restrictive
mailbox quotas. However, retaining messages beyond the period that's necessary for business, legal, or
regulatory reasons also increases storage costs.
MRM provides the flexibility to implement the records management policy that best meets your organization's
requirements. With a good understanding of MRM, In-Place Archiving, and In-Place Hold, you can help meet your
goals of managing mailbox storage and meeting regulatory retention requirements.
NOTE
In Exchange Server, you can create RPTs for the Calendar and Tasks folders. If you don't want items in these folders or other
default folders to expire, you can create a disabled retention tag for that default folder.
Allow users to classify messages: In this strategy, you implement MRM policies that include a baseline retention
setting for all messages but allow users to classify messages based on business or regulatory requirements. In this
case, users become an important part of your records management strategy - often they have the best
understanding of a message's retention value.
Users can apply different retention settings to messages that need to be retained for a longer or shorter period.
You can implement this policy using a combination of the following:
A DPT for the mailbox
Personal tags that users can apply to custom folders or individual messages
(Optional) Additional RPTs to expire items in specific default folders
For example, you can use a retention policy with personal tags that have a shorter retention period (such as two
days, one week, or one month), as well as personal tags that have a longer retention period (such as one, two, or
five years). Users can apply personal tags with the shorter retention periods for items such as newsletter
subscriptions that may lose their value within days of receiving them, and apply the tags with longer periods to
preserve items that have a high business value. They can also automate the process by using Inbox rules in
Outlook to apply a personal tag to messages that match rule conditions.
Retain messages for eDiscovery purposes: In this strategy, you implement MRM policies that remove
messages from mailboxes after a specified period but also retain them in the Recoverable Items folder for In-Place
eDiscovery in Exchange Server purposes, even if the messages were deleted by the user or another process.
You can meet this requirement by using a combination of retention policies and In-Place Hold and Litigation Hold
in Exchange Server or Litigation Hold. Retention policies remove messages from the mailbox after the specified
period. A time-based In-Place Hold or Litigation Hold preserves messages that were deleted or modified before
that period. For example, to retain messages for seven years, you can create a retention policy with a DPT that
deletes messages in seven years and Litigation Hold to hold messages for seven years. Messages that aren't
removed by users will be deleted after seven years; messages deleted by users before the seven year period will be
retained in the Recoverable Items folder for seven years. To learn more about this folder, see Recoverable Items
folder in Exchange Server.
Optionally, you can use RPTs and personal tags to allow users to clean up their mailboxes. However, In-Place Hold
and Litigation Hold continues to retain the deleted messages until the hold period expires.
NOTE
A time-based In-Place Hold or Litigation Hold is similar to what was informally referred to as a rolling legal hold in Exchange
2010. Rolling legal hold was implemented by configuring the deleted item retention period for a mailbox database or
individual mailbox. However, deleted item retention retains deleted and modified items based on the date deleted. In-Place
Hold and Litigation Hold preserves items based on the date they're received or created. This ensures that messages are
preserved for at least the specified period.
Retention tags and retention policies in Exchange
Server
8/23/2019 • 15 minutes to read • Edit Online
Messaging records management (MRM ) helps organizations to manage email lifecycle and reduce legal risks
associated with email and other communications. MRM makes it easier to keep messages needed to comply with
company policy, government regulations, or legal needs, and to remove content that has no legal or business
value.
TYPE OF RETENTION
TAG APPLIED... APPLIED BY... AVAILABLE ACTIONS... DETAILS
Default policy tag Automatically to Administrator Move to archive Users can't change
(DPT) entire mailbox Delete and allow DPTs applied to a
A DPT applies to recovery mailbox.
untagged items, Permanently delete
which are mailbox
items that don't have
a retention tag
applied directly or by
inheritance from the
folder.
TYPE OF RETENTION
TAG APPLIED... APPLIED BY... AVAILABLE ACTIONS... DETAILS
Retention policy tag Automatically to a Administrator Delete and allow Users can't change
(RPT) default folder recovery the RPT applied to a
Default folders are Permanently delete default folder.
folders created
automatically in all
mailboxes, for
example: Inbox,
Deleted Items, and
Sent Items. See the
list of supported
default folders in
Default folders that
support Retention
Policy Tags.
Personal tag Manually to items Users Move to archive Personal tags allow
and folders Delete and allow your users to
Users can automate recovery determine how long
tagging by using Permanently delete an item should be
Inbox rules to either retained. For example,
move a message to a the mailbox can have
folder that has a a DPT to delete items
particular tag or to in seven years, but a
apply a personal tag user can create an
to the message. exception for items
such as newsletters
and automated
notifications by
applying a personal
tag to delete them in
three days.
NOTE
Users can apply archive policies to default folders, user-created folders or subfolders, and individual items. Users can apply a
retention policy to user-created folders or subfolders and individual items (including subfolders and items in a default folder),
but not to default folders.
Users can also use the Exchange admin center (EAC ) to select additional personal tags that aren't linked to their
retention policy. The selected tags then become available in Outlook and Outlook on the web. To enable users to
select additional tags from the EAC, you must add the MyRetentionPolicies Role to the user's role assignment
policy. To learn more about role assignment policies for users, see Understanding Management Role Assignment
Policies. If you allow users to select additional personal tags, all personal tags in your Exchange organization
become available to them.
NOTE
Personal tags are a premium feature. Mailboxes with policies that contain these tags (or as a result of users adding the tags
to their mailbox) require an Exchange Enterprise client access license (CAL).
Retention age
When you enable a retention tag, you must specify a retention age for the tag. This age indicates the number of
days to retain a message after it arrives in the user's mailbox.
The retention age for non-recurring items (such as email messages) is calculated differently than items that have
an end date or recurring items (such as meetings and tasks). To learn how retention age is calculated for different
types of items, see How retention age is calculated in Exchange Server.
You can also create retention tags with retention disabled or disable tags after they're created. Because messages
that have a disabled tag applied aren't processed, no retention action is taken. As a result, users can use a disabled
personal tag as a Never Move tag or a Never Delete tag to override a DPT or RPT that would otherwise apply
to the message.
Retention actions
When creating or configuring a retention tag, you can select one of the following retention actions to be taken
when an item reaches its retention age:
Move to archive Moves the message to the user's If the user doesn't have an archive
archive mailbox mailbox, no action is taken.
Only available for DPTs and personal
tags
For details about archiving, see In-Place
Archiving in Exchange Server.
Delete and allow recovery: Emulates the behavior when the user If you've set the deleted item retention
empties the Deleted Items folder. period to zero days, items are
Items are moved to the Recoverable permanently deleted. For details, see
Items folder in Exchange Server in the Configure Deleted Item retention and
mailbox and preserved until the deleted Recoverable Items quotas.
item retention period.
Provides the user a second chance to
recover the item using the Recover
Deleted Items dialog box in Outlook
or Outlook on the web
NOTE
Default Policy tag (DPT) with Move to Archive action always overwrites the Retention Policy tag (RPT) or the Personal tag
(PT), when the age limit for retention of DPT is lower than RPT or PT.
For details about how to create retention tags, see Create a retention policy in Exchange Server.
Retention policies
To apply one or more retention tags to a mailbox, you need to add them to a retention policy and then apply the
policy to mailboxes. A mailbox can't have more than one retention policy. Retention tags can be linked to or
unlinked from a retention policy at any time, and the changes automatically take effect for all mailboxes that have
the policy applied.
A retention policy can have the following retention tags:
Default policy tag (DPT) One DPT with the Move to archive action
One DPT with the Delete and allow Recovery or
Permanently delete actions
One DPT for voice mail messages with the Delete and allow
recovery or Permanently delete action
Retention policy tags (RPTs) One RPT for each supported default folder
Note: You can't link more than one RPT for a particular
default folder (such as Deleted Items) to the same retention
policy.
NOTE
Although a retention policy doesn't need to have any retention tags linked to it, we don't recommend using this scenario. If
mailboxes with retention policies don't have retention tags linked to them, this may cause mailbox items to never expire.
A retention policy can contain both archive tags (tags that move items to the personal archive mailbox) and
deletion tags (tags that delete items). A mailbox item can also have both types of tags applied. Archive mailboxes
don't have a separate retention policy. The same retention policy is applied to the primary and archive mailbox.
When planning to create retention policies, you must consider whether they'll include both archive and deletion
tags. As mentioned earlier, a retention policy can have one DPT that uses the Move to archive action and one
DPT that uses either the Delete and allow recovery or Permanently delete action. The DPT with the Move to
archive action must have a lower retention age than the DPT with a deletion action. For example, you can use a
DPT with the Move to archive action to move items to the archive mailbox in two years, and a DPT with a
deletion action to remove items from the mailbox in seven years. Items in both primary and archive mailboxes will
be deleted after seven years.
Default retention policy
Exchange Setup creates the retention policy Default MRM Policy. The policy is applied automatically if you
create an archive for the new user and don't specify a retention policy
You can modify tags included in the Default MRM Policy, for example by changing the retention age or retention
action, disable a tag or modify the policy by adding or removing tags from it. The updated policy is applied to
mailboxes the next time they're processed by the Managed Folder Assistant.
For more details, including a list of retention tags linked to the policy, see Default Retention Policy.
NOTE
The Managed Folder Assistant doesn't take any action on messages that aren't subject to retention, specified by disabling
the retention tag. You can also disable a retention tag to temporarily suspend items with that tag from being processed.
IMPORTANT
If a retention tag is removed from a retention policy, any existing mailbox items with the tag applied will continue to expire
based on the tag's settings. To prevent the tag's settings from being applied to any items, you should delete the tag.
Deleting a tag removes it from any retention policies where it's included.
NOTE
The retention period for a disabled retention tag is displayed to the user as Never. If a user tags an item believing it will
never be deleted, enabling the tag later may result in unintentional deletion of items the user didn't want to delete. The
same is true for tags with the Move to archive action.
Retention hold
When users are temporarily away from work and don't have access to their email, retention settings can be
applied to new messages before they return to work or access their email. Depending on the retention policy,
messages may be deleted or moved to the user's personal archive. You can temporarily suspend retention policies
from processing a mailbox for a specified period by placing the mailbox on retention hold. When you place a
mailbox on retention hold, you can also specify a retention comment that informs the mailbox user (or another
user authorized to access the mailbox) about the retention hold, including when the hold is scheduled to begin and
end. Retention comments are displayed in supported Outlook clients. You can also localize the retention hold
comment in the user's preferred language.
NOTE
Placing a mailbox on retention hold doesn't affect how mailbox storage quotas are processed. Depending on the mailbox
usage and applicable mailbox quotas, consider temporarily increasing the mailbox storage quota for users when they're on
vacation or don't have access to email for an extended period. For more information about mailbox storage quotas, see
Configure storage quotas for a mailbox.
During long absences from work, users may accrue a large amount of email. Depending on the volume of email
and the length of absence, it may take these users several weeks to sort through their messages. In these cases,
consider the additional time it may take the users to catch up on their mail before removing them from retention
hold.
If your organization has never implemented MRM, and your users aren't familiar with its features, you can also
use retention holds during the initial warm up and training phase of your MRM deployment. You can create and
deploy retention policies and educate users about the policies without the risk of having items moved or deleted
before users can tag them. A few days before the warm up and training period ends, you should remind users of
the warm-up deadline. After the deadline, you can remove the retention hold from user mailboxes, allowing the
Managed Folder Assistant to process mailbox items and take the specified retention action.
For details about how to place a mailbox on retention hold, see Place a Mailbox on Retention Hold.
How retention age is calculated in Exchange Server
8/23/2019 • 4 minutes to read • Edit Online
The Managed Folder Assistant (MFA) is one of many mailbox assistant processes that runs on mailbox servers. Its
job is to process mailboxes that have a Retention Policy applied, add the Retention Tags included in the policy to
the mailbox, and process items in the mailbox. If the items have a retention tag, the assistant tests the age of those
items. If an item has exceeded its retention age, it takes the specified retention action. Retention actions include
moving an item to the user's archive, deleting the item and allowing recovery, or deleting the item permanently.
See Retention tags and retention policies in Exchange Server for more information.
Email message Not in the Deleted Items folder Delivery date or date of creation
Document
Fax
Journal item
Missed call
Email message In the Deleted Items folder Date of delivery or creation unless the
item was deleted from a folder that
Document does not have an inherited or implicit
retention tag.
Fax
If an item is in a folder that doesn't have
Journal item an inherited or implicit retention tag
applied, the item isn't processed by the
Meeting request, response, or MFA and therefore doesn't have a start
cancellation date stamped by it. When the user
deletes such an item, and the MFA
Missed call processes it for the first time in the
Deleted Items folder, it stamps the
current date as the start date.
THE RETENTION AGE IS CALCULATED
IF THE ITEM TYPE IS... AND THE ITEM IS... BASED ON...
Calendar Not in the Deleted Items folder Non-recurring calendar items expire
according to their end date.
Calendar In the Deleted Items folder A calendar item expires according to its
message-received date , if one exists.
Examples
IF THE USER.. THE RETENTION TAGS ON FOLDER... THE MANAGED FOLDER ASSISTANT...
Receives a message in the Inbox on Inbox: Delete in 365 days Processes the message in the Inbox on
01/26/2016. 1/26/2016, stamps it with a start date
Deleted Items: Delete in 30 days of 01/26/2016 and an expiration date
Deletes the message on 2/27/2016. of 01/26/2017.
Receives a message in the Inbox on Inbox: None (inherited or implicit) Processes the message in the Deleted
01/26/2016. Items folder on 02/27/2016 and
Deleted Items: Delete in 30 days determines the item doesn't have a
Deletes the message on 2/27/2016. start date. It stamps the current date as
the start date, and 03/27/2016 as the
expiration date.
More information
Items in mailboxes placed on Retention Hold aren't removed until the hold is removed.
If a mailbox is placed on In-Place Hold or Litigation Hold, expiring items are removed from the Inbox but
preserved in the Recoverable Items folder until the mailbox is removed from In-Place Hold and Litigation Hold in
Exchange Server.
In hybrid deployments, the same retention tags and retention policies must exist in your on-premises and
Exchange Online organizations in order to consistently move and expire items across both organizations. See
Export and import retention tags for more information.
Create a retention policy in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
Learn how to use retention policies to manage an email lifecycle in Exchange 2016 and Exchange 2019. Retention
policies are applied by creating retention tags, adding them to a retention policy, and applying the policy to mailbox
users.
NOTE
You can't use the EAC to create a DPT to delete voice mail items. For details about how to create a DPT to
delete voice mail items, see the Exchange Management Shell example below.
Applied automatically to a default folder: Creates a retention policy tag (RPT) for a default folder
such as Inbox or Deleted Items.
NOTE
You can only create RPTs with the Delete and allow recovery or Permanently delete actions.
Applied by users to items and folders (personal): Creates personal tags. These tags allow
Outlook and Outlook on the web users to apply archive or deletion settings to a message or folders
that are different from the settings applied to the parent folder or the entire mailbox.
3. The New retention tag page title and options vary depending on the type of tag you select. Complete the
following fields:
Name: Enter a name for the retention tag. Retention tag names are displayed to users in Outlook
and Outlook on the web along with the retention period.
Apply this tag to the following default folder: Available only if you selected this option in Step 2.
Retention action: Select one of the following actions to take after the item reaches its retention
period:
Delete and Allow Recovery: Deletes items but allow users to recover them using the Recover
Deleted Items option in Outlook or Outlook on the web. Items are retained until the deleted item
retention period configured for the mailbox database or the mailbox user is reached.
Permanently Delete: Permanently deletes the item from the mailbox database.
IMPORTANT
Mailboxes or items subject to In-Place Hold or litigation hold will be retained and returned in In-Place
eDiscovery searches. To learn more, see In-Place Hold and Litigation Hold in Exchange Server.
Move to Archive: Available only if you're creating a DPT or a personal tag. Select this action to
move items to the user's In-Place Archive.
Retention period: Select one of the following options:
Never: Specifies that items should never be deleted or moved to the archive.
When the item reaches the following age (in days): Specifies the number of days to retain items
before they're moved or deleted. The retention age for all supported items except Calendar and Tasks
is calculated from the date an item is received or created. Retention age for Calendar and Tasks items
is calculated from the end date.
Comment: Optional field used for administrative notes or comments. The field isn't displayed to
users.
Use the Exchange Management Shell to create a retention tag
Use the New-RetentionPolicyTag cmdlet to create a retention tag. Different options available in the cmdlet allow
you to create different types of retention tags. Use the Type parameter to create a DPT ( All ), RPT (specify a
default folder type, such as Inbox ) or a personal tag ( Personal ).
This example creates a DPT to delete all messages in the mailbox after 7 years (2,556 days).
This example creates a DPT to move all messages to the In-Place Archive in 2 years (730 days).
This example creates a DPT to delete voice mail messages after 20 days.
This example creates a RPT to permanently delete messages in the Junk EMail folder after 30 days.
New-RetentionPolicyTag -Name "RPT-Corp-JunkMail" -Type JunkEmail -AgeLimitForRetention 30 -RetentionAction
PermanentlyDelete
NOTE
Although you can add any number of personal tags to a retention policy, having many personal tags with
different retention settings can confuse users. We recommend linking no more than ten personal tags to a
retention policy.
You can create a retention policy without adding any retention tags to it, but items in the mailbox to which
the policy is applied won't be moved or deleted. You can also add and remove retention tags from a
retention policy after you create it.
Use the Exchange Management Shell to create a retention policy
This example creates the retention policy RetentionPolicy-Corp and uses the RetentionPolicyTagLinks parameter to
associate five tags to the policy.
2. Log on to the mailbox using Outlook or Outlook on the web and verify that messages are deleted or moved
to an archive in accordance with the policy configuration.
Apply a retention policy to mailboxes in Exchange
Server
8/23/2019 • 2 minutes to read • Edit Online
You can use retention policies to group one or more retention tags and apply them to mailboxes to enforce
message retention settings. A mailbox can't have more than one retention policy.
Cau t i on
Messages are expired based on settings defined in the retention tags linked to the policy. These settings include
actions such moving messages to the archive or permanently deleting them. Before applying a retention policy to
one or more mailboxes, we recommended that you test the policy and inspect each retention tag associated with it.
$OldPolicy={Get-RetentionPolicy "Old-Retention-Policy"}.distinguishedName
Get-Mailbox -Filter {RetentionPolicy -eq $OldPolicy} -Resultsize Unlimited | Set-Mailbox -RetentionPolicy
"New-Retention-Policy"
This example applies the retention policy RetentionPolicy-Corp to all mailboxes in the Exchange organization.
This example applies the retention policy RetentionPolicy-Finance to all mailboxes in the Finance organizational
unit.
For detailed syntax and parameter information, see Get-Mailbox and Set-Mailbox.
This command retrieves all mailboxes that have the retention policy RP -Finance applied.
The Managed Folder Assistant (MFA) is an Exchange Mailbox Assistant that applies and processes the message
retention settings that are configured in retention policies.
As in Exchange 2013, the Managed Folder Assistant in Exchange 2016 and Exchange 2019 is a throttle-based
assistant that's always running. The MFA doesn't need to be scheduled, and the system resources that are
consumed by the MFA can be throttled. You can configure the Managed Folder Assistant to process all mailboxes
on a Mailbox server within a certain time period that's known as a work cycle. By default, the work cycle for the
MFA is one day (all mailboxes on the server are processed by the MFA every day).
You can also force the MFA to immediately process a specified mailbox.
Notes:
To specify a <TimeSpan> value, use the syntax d.hh:mm:ss , where d = days, hh = hours, mm = minutes,
and ss = seconds.
To configure the same work cycle for the MFA on all Exchange 2016 and Exchange 2019 Mailbox servers in
the Active Directory forest, don't use the Server parameter.
To configure the work cycle for the MFA on a specific Exchange 2016 and Exchange 2019 Mailbox server,
use the Server parameter and the name (not the fully qualified domain name or FQDN ) of the server. This
method is useful when you need to specify different work cycle values for the MFA on different Exchange
servers.
This example configures the work cycle for the MFA to two days (the MFA processes mailboxes every two days).
Because we aren't using the Server parameter, the setting is applied to all Exchange 2016 and Exchange 2019
Mailbox servers in the organization.
Setting override name: "MFA WorkCycle Override" (must be unique)
WorkCycle: 2.00:00:00 (2 days; note the value 2 also works)
Override reason: Process mailboxes every 2 days
This example specifies the same 2 day work cycle for the MFA, but only on the server named Mailbox01.
Step 2: Use the Exchange Management Shell to apply the new the work cycle value for the Managed Folder
Assistant
To apply the new the work cycle value for the MFA, use this syntax:
Notes:
If you didn't use the Server parameter in Step 1, don't use it here. If you used the Server parameter in Step 1,
use the same server name here.
If you delete the custom work cycle value for the MFA by using the Remove-SettingOverride cmdlet, you
still need to run this command to change the work cycle back to the default value of one day.
This example applies the new work cycle value for the MFA on all Exchange 2016 and Exchange 2019 Mailbox
servers in the organization.
This example applies the new work cycle value for the MFA on the server named Mailbox01.
This example triggers the Managed Folder Assistant to immediately process Morris Cornejo's mailbox.
You can use administrator audit logging in Exchange Server to log when a user or administrator makes a change
in your organization. By keeping a log of the changes, you can trace changes to the person who made the change,
augment your change logs with detailed records of the change as it was implemented, comply with regulatory
requirements and requests for discovery, and more.
By default, administrator audit logging is enabled in new installations of Exchange Server.
IMPORTANT
Changes to the administrator audit log configuration are always logged, regardless of whether the Set-
AdminAuditLogConfig cmdlet is included in the list of cmdlets being audited or whether audit logging is enabled or
disabled.
When a command is run, Exchange inspects the cmdlet that was used. If the cmdlet that was run matches any of
the cmdlets provided with the AdminAuditLogCmdlets parameter, Exchange then checks the parameters specified
in the AdminAuditLogParameters parameter. If at least one or more parameters from the parameters list are
matched, Exchange logs the cmdlet that was run. The following sections contain more information about each
aspect of the audit logging configuration.
For more information about managing audit logging configuration, see Manage administrator audit logging.
Cmdlets
You can control which cmdlets are audited by providing a list of cmdlets, and their parameters, that you want to
log. When you configure audit logging, you can specify to audit every cmdlet, or you can specify the cmdlets you
want to audit by using the AdminAuditLogCmdlets parameter. You can specify full cmdlet names, such as New-
Mailbox, or you can specify partial cmdlet names and enclose those names in wildcard characters, such as an
asterisk ( * ). For example, if you want to log when any cmdlet that contains the string Transport runs, you can
specify a value of *Transport* . You can use a mix of full cmdlet names and partial cmdlet names at the same time
to tailor the audit logging configuration to your needs.
To audit all cmdlets, specify only the wildcard character (*). This is the default setting.
Parameters
In addition to specifying which cmdlets you want to log, you can also indicate that cmdlets should only be logged
if certain parameters on those cmdlets are used. Use the AdminAuditLogParameters parameter to specify which
parameters should be logged. As with cmdlets, you can specify full parameter names, such as Database , or partial
parameter names enclosed in wildcard characters ( * ), such as *Address* , or a combination of both.
To audit all parameters, specify only the wildcard character (*). This is the default setting.
Admin audit log age limit
By default, admin audit logging is configured to store audit log entries for 90 days. After 90 days, the audit log
entry is deleted. You can change the audit log age limit using the AdminAuditLogAgeLimit parameter. For
example, to change the age limit to 180 days, use the command
Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 180 . You can also specify the number of days, hours, minutes, and
seconds that audit log entries should be kept. To specify a value, use the format dd.hh:mm:ss where the following
applies:
dd: The number of days to keep the audit log entry.
hh: The number of hours to keep the audit log entry.
mm: The number of minutes to keep the audit log entry.
ss: The number of seconds to keep the audit log entry.
You need to specify multiple years by using the dd field. For example, 365 days equals one year; 730 days equals
two years; 913 days equals two years and six months. For example, to set the audit log age limit to two years and
six months, use the value 913 .
Notes:
You can set the admin audit log age limit to a value that's less than the current age limit. If you do this, any
audit log entry whose age exceeds the new age limit is deleted.
If you set the age limit to 0, Exchange deletes all the entries in the audit log.
We recommend that you assign permissions to configure the audit log age limit only to highly trusted
users.
Verbose logging
By default, the admin audit log records only the cmdlet name, cmdlet parameters (and values specified), the object
that was modified, who ran the cmdlet, when the cmdlet was run, and on what server the cmdlet was run. The
admin audit log doesn't log what properties were modified on the object. If you want the admin audit log to also
include the properties of the object that were modified, you can enable verbose logging by setting the LogLevel
parameter to Verbose . When you enable verbose logging, in addition to the information logged by default, the
properties modified on an object, including their old and new values, are included in the admin audit log.
Test cmdlets
Cmdlets that begin with the verb Test aren't logged by default. You can indicate that Test cmdlets should be
logged by setting the TestCmdletLoggingEnabled parameter to $true . Although you can enable logging of test
cmdlets, we recommend that you do this only for short periods of time because test cmdlets can produce a large
number of audit log entries.
FIELD DESCRIPTION
ObjectModified This field contains the object that was modified by the cmdlet
specified in the CmdletName field.
CmdletName This field contains the name of the cmdlet that was run by the
user in the Caller field.
CmdletParameters This field contains the parameters that were specified when
the cmdlet in the CmdletName field was run. Also stored in
this field, but not visible in the default output, is the value
specified with the parameter, if any.
ModifiedProperties This field contains the properties that were modified on the
object in the ObjectModified field. Also stored in this field,
but not visible in the default output, are the old value of the
property and the new value that was stored.
Important: This field is only populated if the LogLevel
parameter on the Set-AdminAuditLogConfig cmdlet is set
to erbose .
Caller This field contains the user account of the user who ran the
cmdlet in the CmdletName field.
FIELD DESCRIPTION
Error This field contains the error message generated if the cmdlet
in the CmdletName field failed to complete successfully.
RunDate This field contains the date and time when the cmdlet in the
CmdletName field was run. The date and time are stored in
Coordinated Universal Time (UTC) format.
OriginatingServer This field indicates the server on which the cmdlet specified in
the CmdletName field was run.
NOTE
Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML
attachments to be viewed using Outlook Web App, or you can use another email client, such as Microsoft Outlook, to view
the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see
View or configure Outlook on the web virtual directories in Exchange Server.
For information about how to use the New-AdminAuditLogSearch cmdlet, see Search the Administrator Audit
Log.
Administrator audit logs contain a record of all the cmdlets and parameters that have been run in the Exchange
Management Shell and by the Exchange admin center (EAC ). They're created on-demand when you run the admin
audit log report in the EAC, or when you run the New-AdminAuditLogSearch cmdlet in the Exchange
Management Shell. For more information about audit logs, see Administrator audit logging in Exchange Server.
Based on the information in this log entry, we know the following occurred:
On 10/18/2017 at 3:48 P.M. Pacific Daylight Time (UTC -7), the user Administrator ran the cmdlet Set-
Mailbox.
The two following parameters were provided when the Set-Mailbox cmdlet was run:
Identity with a value of david
The ProhibitSendReceiveQuota property on the object david was modified with a new value of 10GB ,
which replaced the old value of 35GB .
NOTE
The modified properties are saved to the audit log because the LogLevel parameter on the
Set-AdminAuditLogConfig cmdlet was set to Verbose in this example.
Administrator audit logging in Exchange Server enables you to create a log entry each time a specified cmdlet is
run. Log entries provide you with information about what cmdlet was run, which parameters were used, who ran
the cmdlet, and what objects were affected. For more information about administrator audit logging, see
Administrator audit logging in Exchange Server.
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
You can specify which cmdlets to audit by providing a list of cmdlets using the AdminAuditLogCmdlets parameter.
When you provide the list of cmdlets to audit, you can provide single cmdlets, cmdlets with the asterisk (*) wildcard
characters, or a mix of both. Each entry in the list is separated by commas. The following values are all valid:
New-Mailbox
*TransportRule
*Management*
Set-Transport*
Set-AdminAuditLogConfig -AdminAuditLogParameters *
You can specify which parameters you want to audit by using the AdminAuditLogParameters parameter. When
you provide the list of parameters to audit, you can provide single parameters, parameters with the asterisk (*)
wildcard characters, or a mix of both. Each entry in the list is separated by commas. The following values are all
valid:
Database
*Address*
Custom*
*Region
NOTE
For an audit log entry to be created when a command is run, the command must include at least one or more parameters
that exist on at least one or more cmdlets specified with the AdminAuditLogCmdlets parameter.
You can set the audit log age limit to a value that's less than the current age limit. If you do this, any audit log entry
whose age exceeds the new age limit will be deleted. > If you set the age limit to 0, Exchange deletes all the entries
in the audit log. > We recommend that you assign permissions to configure the audit log age limit only to highly
trusted users.
This example specifies an age limit of two years and six months.
Get-AdminAuditLogConfig
Mailbox audit logging in Exchange Server
8/23/2019 • 6 minutes to read • Edit Online
Because mailboxes can contain sensitive, high business impact (HBI) information and personally identifiable
information (PII), it's important that you track who logs on to the mailboxes in your organization and what actions
are taken. It's especially important to track access to mailboxes by users other than the mailbox owner. These users
are referred to as delegate users.
By using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including
administrators with full access permissions to mailboxes), and administrators.
When you enable audit logging for a mailbox, you can specify which user actions (for example, accessing, moving,
or deleting a message) will be logged for a logon type (administrator, delegate user, or owner). Audit log entries
also include important information such as the client IP address, host name, and process or client used to access
the mailbox. For items that are moved, the entry includes the name of the destination folder.
LogonType Logon type of the user who performed the operation. Logon
types include:
Owner
Delegate
Admin
More information
Administrator access to mailboxes: Mailboxes are considered to be accessed by an administrator only in
the following scenarios:
In-Place eDiscovery is used to search a mailbox.
The New -MailboxExportRequest cmdlet is used to export a mailbox.
Microsoft Exchange Server MAPI Editor is used to access the mailbox.
Bypassing mailbox auditing logging: Mailbox access by authorized automated processes such as
accounts used by third-party tools or accounts used for lawful monitoring can create a large number of
mailbox audit log entries and may not be of interest to your organization. You can configure such accounts
to bypass mailbox audit logging. For details, see Bypass a User Account From Mailbox Audit Logging.
Logging mailbox owner actions: For mailboxes such as the Discovery Search Mailbox, which may
contain more sensitive information, consider enabling mailbox audit logging for mailbox owner actions
such as message deletion.
Enable or disable mailbox audit logging for a mailbox
8/23/2019 • 4 minutes to read • Edit Online
With mailbox audit logging in Exchange Server, you can track logons to a mailbox as well as what actions are taken
while the user is logged on. When you enable mailbox audit logging for a mailbox, some actions performed by
administrators and delegates are logged by default. None of the actions performed by the mailbox owner are
logged by default. To learn more about mailbox audit logging and what actions can be logged, see Mailbox audit
logging in Exchange Server.
Cau t i on
Auditing of mailbox owner actions can generate a large number of mailbox audit log entries and is therefore
disabled by default. We recommend that you only enable auditing of specific owner actions needed to meet
business or compliance requirements.
This example enables mailbox audit logging for all user mailboxes in your organization.
This example disables mailbox audit logging for Ben Smith's mailbox.
Set-Mailbox -Identity "Ben Smith" -AuditEnabled $false
This example specifies that the SendAs or SendOnBehalf actions performed by delegate users will be logged for
Ben Smith's mailbox.
This example specifies that the HardDelete action performed by the mailbox owner will be logged for Ben Smith's
mailbox.
A value of True for the AuditEnabled property verifies that audit logging is enabled.
This example retrieves the auditing settings for all user mailboxes in your organization.
More information
The actions that are audited for each type of user may not all be displayed when you run the Get-Mailbox cmdlet.
But you can run the following commands to display all the audited actions for a specific user logon type.
Get-Mailbox <identity of mailbox> | Select-Object -ExpandProperty AuditAdmin
By default, entries in the mailbox audit log are kept for 90 days. When an entry is older than 90 days, it's deleted.
You can use the Set-Mailbox cmdlet to change this setting so items are kept for a longer (or shorter) period of
time.
This example increases the age limit for mailbox audit log entries in Pilar Pinilla's mailbox to 180 days.
This example decreases the age limit for mailbox audit log entries for all user mailboxes in your organization to 60
days.
The Non-Owner Mailbox Access Report in the Exchange admin center (EAC ) lists the mailboxes that have been
accessed by someone other than the person who owns the mailbox. When a non-owner accesses a mailbox,
Exchange logs information about this action. Exchange stores this mailbox audit log as an email message in a
hidden folder in the audited mailbox. The report displays entries from this log as search results and includes any
mailboxes accessed by a non-owner, who accessed each mailbox and when, the actions performed by non-owners,
and whether or not the actions were successful.
Exchange logs specific actions by non-owners, which includes administrators and users who have been assigned
permissions to a mailbox (who are called delegated users). You can also narrow the search to users inside or
outside your organization. By default, Exchange retains entries in the mailbox audit log for 90 days.
You enable mailbox audit logging in the Exchange Management Shell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
For example, to enable mailbox auditing for a user named Florence Flipo, run the following command.
A value of True for the AuditEnabled property verifies that audit logging is enabled.
Data loss prevention (DLP ) is important in Exchange Server because business critical email communication often
includes sensitive data. DLP features make managing sensitive data in email messages easier than ever before by
balancing compliance requirements without unnecessarily hindering the productivity of workers. For a conceptual
overview of DLP, watch the following video.
DLP policies are simple packages that are collections of mail flow rules (also known as transport rules) that
contain specific conditions, actions, and exceptions that filter messages and attachments based on their content.
You can create a DLP policy, yet choose to not activate it. This allows you to test your policies without affecting
mail flow. For more information, see Test a mail flow rule.
DLP policies can use the full power of mail flow rules to detect and then act on messages in transit. For example, a
mail flow rule can perform deep content analysis through keyword matches, dictionary matches, text pattern
matches through regular expressions, and other content examination techniques to detect content that violates
your organization's DLP policies. Document fingerprinting is also available to help you detect sensitive
information in standard forms. For more information, see the following topics:
Document fingerprinting
Mail flow rules in Exchange Server
Integrating classification rules with mail flow rules
Messaging policy and compliance cmdlets
In addition to the customizable DLP policies themselves, you can also inform email senders when they're about to
violate one of your policies, even before they send a message that contains sensitive information. You do this by
configuring Policy Tips. Policy Tips present a brief note about the possible policy violations in Outlook 2013 or
later, Outlook on the web (formerly known as Outlook Web App), and Outlook on the web for devices. For more
information, see Policy Tips.
Notes:
DLP is a premium feature that requires an Exchange Enterprise Client Access License (CAL ). For more
information about CALs and server licensing, see Exchange Server Licensing.
In hybrid environments where some mailboxes are in on-premises Exchange and some are in Exchange
Online, DLP policies are only applied in Exchange Online. Messages that are sent between on-premises
users don't have DLP policies applied, because the messages don't leave the on-premises environment.
Looking for management tasks related to Data Loss Prevention? See DLP Procedures.
Data loss prevention (DLP ) includes 80 sensitive information types that are ready for you to use in your DLP
policies. This topic lists all of these sensitive information types and shows what a DLP policy looks for when it
detects each type. A sensitive information type is defined by a pattern that can be identified by a regular
expression or a function. In addition, corroborative evidence such as keywords and checksums can be used to
identify a sensitive information type. Confidence level and proximity are also used in the evaluation process.
Keywords:
KEYWORD_ABA_ROUTING
aba
aba #
aba routing #
aba routing number
aba#
abarouting#
aba number
abaroutingnumber
american bank association routing #
american bank association routing number
americanbankassociationrouting#
americanbankassociationroutingnumber
bank routing number
bankrouting#
bankroutingnumber
routing transit number
RTN
Keywords:
KEYWORD_ARGENTINA_NATIONAL_ID
Keywords:
KEYWORD_AUSTRALIA_BANK_ACCOUNT_NUMBER
KEYWORD_AUSTRALIA_DRIVERS_LICENSE_NUMBER KEYWORD_AUSTRALIA_DRIVERS_LICENSE_NUMBER_EXCLUSIONS
Keywords:
KEYWORD_AUSTRALIA_MEDICAL_ACCOUNT_NUMBER
Keywords:
KEYWORD_PASSPORT KEYWORD_AUSTRALIA_PASSPORT_NUMBER
Keywords:
KEYWORD_AUSTRALIA_TAX_FILE_NUMBER KEYWORD_NUMBER_EXCLUSIONS
Keywords:
KEYWORD_BELGIUM_NATIONAL_NUMBER
Identity
Registration
Identification
ID
Identiteitskaart
Registratie nummer
Identificatie nummer
Identiteit
Registratie
Identificatie
Carte d'identité
numéro d'immatriculation
numéro d'identification
identité
inscription
Identifikation
Identifizierung
Identifikationsnummer
Personalausweis
Registrierung
Registrationsnummer
Keywords:
KEYWORD_BRAZIL_CNPJ
CNPJ
CNPJ/MF
CNPJ-MF
National Registry of Legal Entities
Taxpayers Registry
Legal entity
Legal entities
Registration Status
Business
Company
CNPJ
Cadastro Nacional da Pessoa Jurídica
Cadastro Geral de Contribuintes
CGC
Pessoa jurídica
Pessoas jurídicas
Situação cadastral
Inscrição
Empresa
Keywords:
KEYWORD_BRAZIL_CPF
CPF
Identification
Registration
Revenue
Cadastro de Pessoas Físicas
Imposto
Identificação
Inscrição
Receita
Keywords:
KEYWORD_BRAZIL_RG
National ID
Registration
Cédula de identidade
Registro Geral
RG
Registro de Identidade
RIC
Número de registo
Registro
Keywords:
KEYWORD_CANADA_BANK_ACCOUNT_NUMBER
Keywords:
KEYWORD_[PROVINCE_NAME]_DRIVERS_LICENSE_NAME KEYWORD_CANADA_DRIVERS_LICENSE
Keywords:
KEYWORD_CANADA_HEALTH_SERVICE_NUMBER
Keywords:
KEYWORD_CANADA_PASSPORT_NUMBER KEYWORD_PASSPORT
Keywords:
KEYWORD_CANADA_PHIN KEYWORD_CANADA_PROVINCES
Keywords:
KEYWORD_SIN KEYWORD_SIN_COLLABORATIVE
Keywords:
KEYWORD_CHILE_ID_CARD
Keywords:
KEYWORD_CHINA_RESIDENT_ID
Keywords:
KEYWORD_CC_VERIFICATION KEYWORD_CC_NAME
Keywords:
KEYWORD_CROATIA_ID_CARD
Keywords:
KEYWORD_CROATIA_OIB_NUMBER
Keywords:
KEYWORD_CZECH_ID_CARD
Keywords:
KEYWORD_DENMARK_ID
Keywords: None
EU Debit Card Number
Format: 16 digits
Pattern: Very complex and robust pattern
Checksum: Yes
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_eu_debit_card finds content that matches the pattern.
At least one of the following is true:
A keyword from Keyword_eu_debit_card is found.
A keyword from Keyword_card_terms_dict is found.
A keyword from Keyword_card_security_terms_dict is found.
A keyword from Keyword_card_expiration_terms_dict is found.
The function Func_eu_date1 finds a date in the right date format.
The function Func_eu_date2 finds a date in the right date format.
The checksum passes.
Keywords:
KEYWORD_CARD_SECURITY_TE KEYWORD_CARD_EXPIRATION
KEYWORD_EU_DEBIT_CARD KEYWORD_CARD_TERMS_DICT RMS_DICT _TERMS_DICT
Finland National ID
Format: Six digits plus a character indicating a century plus three digits plus a check digit
Pattern: Pattern must include all of the following:
Six digits in the format DDMMYY which are a date of birth
Century marker (either '-', '+' or 'a')
Three-digit personal identification number
A digit or letter (case insensitive) which is a check digit
Checksum: Yes
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_finnish_national_id finds content that matches the pattern.
A keyword from Keyword_finnish_national_id is found.
The checksum passes.
<!-- Finnish National ID-->
<Entity id="338FD995-4CB5-4F87-AD35-79BD1DD926C1" patternsProximity="300" recommendedConfidence="85">
<Pattern confidenceLevel="85">
<IdMatch idRef="Func_finnish_national_id" />
<Match idRef="Keyword_finnish_national_id" />
</Pattern>
</Entity>
Keywords:
KEYWORD_FINNISH_NATIONAL_ID
Sosiaaliturvatunnus
SOTU Henkilötunnus HETU
Personbeteckning
Personnummer
Keywords:
KEYWORD_FINLAND_PASSPORT_NUMBER
Passport
Passi
Keywords:
KEYWORD_FRENCH_DRIVERS_LICENSE
drivers licence
drivers license
driving licence
driving license
permis de conduire
licence number
license number
licence numbers
license numbers
Keywords:
KEYWORD_PASSPORT
Passport Number
Passport No
Passport #
Passport#
PassportID
Passportno
passportnumber
パスポート
パスポート番号
パスポートのNum
パスポート #
Numéro de passeport
Passeport n °
Passeport Non
Passeport #
Passeport#
PasseportNon
Passeportn °
Keywords:
KEYWORD_FR_INSEE
insee
securité sociale
securite sociale
national id
national identification
numéro d'identité
no d'identité
no. d'identité
numero d'identite
no d'identite
no. d'identite
social security number
social security code
social insurance number
le numéro d'identification nationale
d'identité nationale
numéro de sécurité sociale
le code de la sécurité sociale
numéro d'assurance sociale
numéro de sécu
code sécu
Keywords:
KEYWORD_GERMAN_DRIVERS_LICENSE_N KEYWORD_GERMAN_DRIVERS_LICENSE_CO
UMBER LLABORATIVE KEYWORD_GERMAN_DRIVERS_LICENSE
Keywords:
KEYWORD_GERMANY_ID_CARD
Identity Card
ID
Identification
Personalausweis
Identifizierungsnummer
Ausweis
Identifikation
Keywords:
KEYWORD_GERMAN_P
KEYWORD_GERMAN_P ASSPORT_COLLABORAT KEYWORD_GERMAN_P KEYWORD_GERMAN_PA KEYWORD_GERMAN_PA
ASSPORT IVE ASSPORT_NUMBER SSPORT1 SSPORT2
Keywords:
KEYWORD_GREECE_ID_CARD
Keywords:
KEYWORD_HONG_KONG_ID_CARD
Keywords:
KEYWORD_INDIA_PERMANENT_ACCOUNT_NUMBER
Keywords:
KEYWORD_INDIA_AADHAR
Aadhar
Aadhaar
UID
Indonesia Identity Card (KTP) Number
Format: 16 digits containing optional periods
Pattern: 16 digits:
Two-digit province code
A period (optional)
Two-digit regency or city code
Two-digit subdistrict code
A period (optional)
Six digits in the format DDMMYY which are the date of birth
A period (optional)
Four digits
Checksum: No
Definition:
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The regular expression Regex_indonesia_id_card finds content that matches the pattern.
A keyword from Keyword_indonesia_id_card is found.
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters: The regular expression Regex_indonesia_id_card finds content that matches the pattern.
Keywords:
KEYWORD_INDONESIA_ID_CARD
KTP
Kartu Tanda Penduduk
Nomor Induk Kependudukan
Keywords: None
IP Address
Format: IPv4 or IPv6 address
Pattern:
IPv4: Complex pattern which accounts for formatted (periods) and unformatted (no periods) versions of
the IPv4 addresses.
IPv6: Complex pattern which accounts for formatted IPv6 numbers (which include colons).
Checksum: No
Definition:
For IPv4, a DLP policy is 95% confident that it's detected this type of sensitive information if, within a proximity of
300 characters:
The regular expression Regex_ipv4_address finds content that matches the pattern.
A keyword from Keyword_ipaddress is found.
For IPv6, a DLP policy is 95% confident that it's detected this type of sensitive information if, within a proximity of
300 characters:
The regular expression Regex_ipv6_address finds content that matches the pattern.
No keyword from Keyword_ipaddress is found.
For IPv4, a DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of
300 characters:
The regular expression Regex_ipv4_address finds content that matches the pattern.
No keyword from Keyword_ipaddress is found.
For IPv6, a DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of
300 characters:
The regular expression Regex_ipv6_address finds content that matches the pattern.
No keyword from Keyword_ipaddress is found.
Keywords:
KEYWORD_IPADDRESS
ip address
internet protocol
IP-כתובת ה
Keywords:
KEYWORD_IRELAND_PPS
Keywords:
KEYWORD_ISRAEL_BANK_ACCOUNT_NUMBER
Israel National ID
Format: Nine digits
Pattern: Nine consecutive digits
Checksum: Yes
Definition:
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_israeli_national_id_number finds content that matches the pattern.
A keyword from Keyword_Israel_National_ID is found.
The checksum passes.
Keywords:
KEYWORD_ISRAEL_NATIONAL_ID
מספר זהות
National ID Number
Keywords:
KEYWORD_ITALY_DRIVERS_LICENSE_NUMBER
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_jp_bank_account finds content that matches the pattern.
A keyword from Keyword_jp_bank_account is found.
Keywords:
KEYWORD_JP_BANK_ACCOUNT KEYWORD_JP_BANK_BRANCH_CODE
Keywords:
KEYWORD_JP_DRIVERS_LICENSE_NUMBER
driver license
drivers license
driver's license
drivers licenses
driver's licenses
driver licenses
dl#
dls#
lic#
lics#
運転免許証
運転免許
免許証
免許
運転免許証番号
運転免許番号
免許証番号
免許番号
運転免許証ナンバー
運転免許ナンバー
免許証ナンバー
運転免許証No.
運転免許No.
免許証No.
免許No.
運転免許証#
運転免許#
免許証#
免許#
Keywords:
KEYWORD_JP_PASSPORT
パスポート
パスポート番号
パスポートのNum
パスポート#
Keywords:
KEYWORD_JP_RESIDENT_REGISTRATION_NUMBER
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_jp_sin_pre_1997 finds content that matches the pattern.
A keyword from Keyword_jp_sin is found.
Keywords:
KEYWORD_JP_SIN
Keywords:
KEYWORD_MALAYSIA_ID_CARD_NUMBER
MyKad
Identity Card
ID Card
Identification Card
Digital Application Card
Kad Akuan Diri
Kad Aplikasi Digital
Keywords:
KEYWORD_NETHERLANDS_BSN
Keywords:
KEYWORD_NZ_TERMS
NHI
New Zealand
Health
treatment
Keywords:
KEYWORD_NORWAY_ID_NUMBER
Keywords:
KEYWORD_PHILIPPINES_ID
Unified Multi-Purpose ID
UMID
Identity Card
Pinag-isang Multi-Layunin ID
Keywords:
KEYWORD_POLISH_NATIONAL_ID_PASSPORT_NUMBER
Keywords:
KEYWORD_PESEL_IDENTIFICATION_NUMBER
Nr PESEL
PESEL
Poland Passport
Format: Two letters and seven digits
Pattern: Two letters (not case sensitive) followed by seven digits
Checksum: Yes
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_polish_passport_number finds content that matches the pattern.
A keyword from Keyword_polish_national_id_passport_number is found.
The checksum passes.
Keywords:
KEYWORD_POLISH_NATIONAL_ID_PASSPORT_NUMBER
Keywords:
KEYWORD_PORTUGAL_CITIZEN_CARD
Citizen Card
National ID Card
CC
Cartão de Cidadão
Bilhete de Identidade
Keywords:
KEYWORD_SAUDI_ARABIA_NATIONAL_ID
Identification Card
I card number
ID number
اﻟﻮﻃﻨﻴﺔ اﻟﻬﻮ ﻳﺔ ﺑﻄﺎﻗﺔ رﻗﻢ
Keywords:
KEYWORD_SINGAPORE_NRIC
KEYWORD_SOUTH_AFRICA_IDENTIFICATION_NUMBER
Identity card
ID
Identification
Keywords:
KEYWORD_SOUTH_KOREA_RESIDENT_NUMBER
National ID card
Citizen's Registration Number
Jumin deungnok beonho
RRN
주민등록번호
Keywords: None
Sweden National ID
Format: 10 or 12 digits and an optional delimiter
Pattern: 10 or 12 digits and an optional delimiter:
2-4 digits (optional)
Six digits in date format YYMMDD
Delimiter of "-" or "+" (optional), plus
Four digits
Checksum: Yes
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_swedish_national_identifier finds content that matches the pattern.
The checksum passes.
Keywords: None
Keywords:
KEYWORD_SWEDEN_PASSPORT KEYWORD_PASSPORT
SWIFT Code
Format: Four letters followed by 5-31 letters or digits
Pattern: Four letters followed by 5-31 letters or digits:
Four-letter bank code (not case sensitive)
An optional space
4-28 letters or digits (the Basic Bank Account Number (BBAN ))
An optional space
1-3 letters or digits (remainder of the BBAN )
Checksum: No
Definition:
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The regular expression Regex_swift finds content that matches the pattern.
A keyword from Keyword_swift is found.
Keywords:
KEYWORD_SWIFT
Taiwan National ID
Format: One letter (in English) followed by nine digits
Pattern: One letter (in English) followed by nine digits:
One letter (in English, not case sensitive)
The digit "1" or "2"
Eight digits
Checksum: Yes
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_taiwanese_national_id finds content that matches the pattern.
A keyword from Keyword_taiwanese_national_id is found.
The checksum passes.
<!-- Taiwanese National ID -->
<Entity id="4C7BFC34-8DD1-421D-8FB7-6C6182C2AF03" patternsProximity="300" recommendedConfidence="85">
<Pattern confidenceLevel="85">
<IdMatch idRef="Func_taiwanese_national_id" />
<Match idRef="Keyword_taiwanese_national_id" />
</Pattern>
</Entity>
Keywords:
KEYWORD_TAIWANESE_NATIONAL_ID
身份證字號
身份證
身份證號碼
身份證號
身分證字號
身分證
身分證號碼
身份證號
身分證統一編號
國民身分證統一編號
簽名
蓋章
簽名或蓋章
簽章
Keywords:
KEYWORD_TAIWAN_PASSPORT
Keywords:
KEYWORD_TAIWAN_RESIDENT_CERTIFICATE
Resident Certificate
Resident Cert
Resident Cert.
Identification card
Alien Resident Certificate
ARC
Taiwan Area Resident Certificate
TARC
居留證
外僑居留證
台灣地區居留證
Keywords:
KEYWORD_UK_DRIVERS_LICENSE
DVLA
light vans
quadbikes
motor cars
125cc
sidecar
tricycles
motorcycles
photocard licence
learner drivers
licence holder
licence holders
driving licences
driving licence
dual control car
Keywords:
KEYWORD_UK_ELECTORAL
council nomination
nomination form
electoral register
electoral roll
Keywords:
Keywords:
KEYWORD_UK_NINO
Keywords:
KEYWORD_PASSPORT
Passport Number
Passport No
Passport #
Passport#
PassportID
Passportno
passportnumber
パスポート
パスポート番号
パスポートのNum
パスポート#
Numéro de passeport
Passeport n °
Passeport Non
Passeport #
Passeport#
PasseportNon
Passeportn °
Keywords:
KEYWORD_USA_BANK_ACCOUNT
<Pattern confidenceLevel="75">
<IdMatch idRef="Func_new_york_drivers_license_number" />
<Match idRef="Keyword_new_york_drivers_license_name" />
<Match idRef="Keyword_us_drivers_license" />
</Pattern>
<Pattern confidenceLevel="65">
<IdMatch idRef="Func_new_york_drivers_license_number" />
<Match idRef="Keyword_new_york_drivers_license_name" />
<Match idRef="Keyword_us_drivers_license_abbreviations" />
<Any minMatches="0" maxMatches="0">
<Match idRef="Keyword_us_drivers_license" />
</Any>
</Pattern>
Keywords:
KEYWORD_US_DRIVERS_LICENSE_ABBREVI KEYWORD_[STATE_NAME]_DRIVERS_LICEN
ATIONS KEYWORD_US_DRIVERS_LICENSE SE_NAME
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_unformatted_itin finds content that matches the pattern.
At least one of the following is true:
A keyword from Keyword_itin_collaborative is found.
The function Func_us_address finds an address in the right date format.
The function Func_us_date finds a date in the right date format.
Keywords:
KEYWORD_ITIN KEYWORD_ITIN_COLLABORATIVE
taxpayer License
tax id DL
tax identification DOB
itin Birthdate
ssn Birthday
tin Date of Birth
social security
tax payer
itins
taxid
individual taxpayer
NOTE
If issued before mid-2011, an SSN has strong formatting where certain parts of the number must fall within certain ranges
to be valid (but there's no checksum).
Checksum: No
Definition:
A DLP policy is 85% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_ssn finds content that matches the pattern.
At least one of the following is true:
A keyword from Keyword_ssn is found.
The function Func_us_date finds a date in the right date format.
The function Func_us_address finds an address in the right date format.
A DLP policy is 75% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_unformatted_ssn finds content that matches the pattern.
A keyword from Keyword_ssn is found.
At least one of the following is true:
The function Func_us_date finds a date in the right date format.
The function Func_us_address finds an address in the right date format.
A DLP policy is 65% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_randomized_formatted_ssn finds content that matches the pattern.
The function Func_ssn does not find content that matches the pattern.
At least one of the following is true:
A keyword from Keyword_ssn is found.
The function Func_us_date finds a date in the right date format.
The function Func_us_address finds an address in the right date format.
A DLP policy is 55% confident that it's detected this type of sensitive information if, within a proximity of 300
characters:
The function Func_randomized_unformatted_ssn finds content that matches the pattern.
A keyword from Keyword_ssn is found.
The function Func_unformatted_ssn does not find content that matches the pattern.
At least one of the following is true:
The function Func_us_date finds a date in the right date format.
The function Func_us_address finds an address in the right date format.
<!-- U.S. Social Security Number (SSN) -->
<Entity id="a44669fe-0d48-453d-a9b1-2cc83f2cba77" patternsProximity="300" recommendedConfidence="75">
<Pattern confidenceLevel="85">
<IdMatch idRef="Func_ssn" />
<Any minMatches="1">
<Match idRef="Keyword_ssn" />
<Match idRef="Func_us_date" />
<Match idRef="Func_us_address" />
</Any>
</Pattern>
<Pattern confidenceLevel="75">
<IdMatch idRef="Func_unformatted_ssn" />
<Match idRef="Keyword_ssn" />
<Any minMatches="1">
<Match idRef="Func_us_date" />
<Match idRef="Func_us_address" />
</Any>
</Pattern>
<Pattern confidenceLevel="65">
<IdMatch idRef="Func_randomized_formatted_ssn" />
<Any minMatches="0" maxMatches="0">
<Match idRef="Func_ssn" />
</Any>
<Any minMatches="1">
<Match idRef="Keyword_ssn" />
<Match idRef="Func_us_date" />
<Match idRef="Func_us_address" />
</Any>
</Pattern>
<Pattern confidenceLevel="55">
<IdMatch idRef="Func_randomized_unformatted_ssn" />
<Match idRef="Keyword_ssn" />
<Any minMatches="0" maxMatches="0">
<Match idRef="Func_unformatted_ssn" />
</Any>
<Any minMatches="1">
<Match idRef="Func_us_date" />
<Match idRef="Func_us_address" />
</Any>
</Pattern>
</Entity>
Keywords:
KEYWORD_SSN
Social Security
Social Security#
Soc Sec
SSN
SSNS
SSN#
SS#
SSID
Information Rights Management in Exchange Server
8/23/2019 • 12 minutes to read • Edit Online
Every day, people use email to exchange sensitive information, such as confidential information or reports. Because
email is accessible from just about anywhere, mailboxes have transformed into repositories that contain large
amounts of potentially sensitive information. As a result, information leakage can be a serious threat to
organizations. To help prevent information leakage, Exchange Server includes Information Rights Management
(IRM ) features, which provide persistent online and offline protection for email messages and attachments. These
IRM features are basically unchanged from Exchange 2013.
Transport Layer Security (TLS) TLS is an Internet standard protocol TLS only protects the SMTP session
that's used to encrypt network between two SMTP hosts. In other
communications. In a messaging words, TLS protects information in
environment, TLS is used to encrypt motion, and it doesn't provide
server/server and client/server protection at the message-level or for
communications. information at rest. Unless the
By default, Exchange uses TLS for all messages are encrypted using another
internal message transfers. method, messages in sender and
Opportunistic TLS is also enabled by recipient mailboxes remain unprotected.
default for SMTP sessions with external For email sent outside the organization,
hosts (TLS encryption is tried first, but if you can require TLS only for the first
it isn't available, unencrypted hop. After a remote SMTP host receives
communication is allowed). You can also the message, it can relay it to another
configure domain security to enforce SMTP host over an unencrypted
mutual TLS with external organizations. session.
Because TLS is a transport layer
technology that's used in mail flow, it
can't provide control over what the
recipient does with the message.
Message encryption Users can use technologies such as Users decide whether a message gets
S/MIME to encrypt messages. encrypted.
There are additional costs of a public
key infrastructure (PKI) deployment,
with the accompanying overhead of
certificate management for users and
protection of private keys.
After a message is decrypted, there's no
control over what the recipient can do
with the information. Decrypted
information can be copied, printed, or
forwarded. By default, saved
attachments aren't protected.
Messaging servers can't open and
inspect messages that are encrypted by
S/MIME. Therefore, the messaging
servers can't enforce messaging policies,
scan messages for viruses, or take other
actions that require access to the
content in messages.
Finally, traditional solutions often lack enforcement tools that apply uniform messaging policies to prevent
information leakage. For example, a user marks a message with Company Confidential and Do Not Forward.
After the message is delivered to the recipient, the sender or the organization no longer has control over the
message. The recipient can willfully or accidentally forward the message (using features such as automatic
forwarding rules) to external email accounts, which subjects your organization to substantial information leakage
risks.
IRM in Exchange
IRM in Exchange helps prevent information leakage by offering these features:
Prevent an authorized recipient of IRM -protected content from forwarding, modifying, printing, faxing,
saving, or cutting and pasting the content.
Protect supported attachment file formats with the same level of protection as the message.
Support expiration of IRM -protected messages and attachments so they can no longer be viewed after the
specified period.
Prevent IRM -protected content from being copied using the Snipping Tool inWindows.
However, IRM in Exchange can't prevent the disclosure of information by using these methods:
Third-party screen capture programs.
Photographing IRM -protected content that's displayed on the screen.
Users remembering or manually transcribing the information.
IRM uses Active Directory Rights Management Services (AD RMS ), an information protection technology in
Windows Server that uses extensible rights markup language (XrML )-based certificates and licenses to certify
computers and users, and to protect content. When a document or message is protected using AD RMS, an XrML
license containing the rights that authorized users have to the content is attached. To access IRM -protected
content, AD RMS -enabled applications must procure a use license for the authorized user from the AD RMS
server. Office applications, such as Word, Excel, PowerPoint and Outlook are RMS -enabled and can be used to
create and consume protected content.
NOTE
The Exchange Prelicense Agent attaches a use license to messages that are protected by the AD RMS server in your
organization. For more information, see the Prelicensing section later in this topic.
To learn more about Active Directory Rights Management Services, see Active Directory Rights Management
Services.
Active Directory Rights Management Services rights policy templates
AD RMS servers provide a Web service that's used to enumerate and acquire the XrML -based rights policy
templates that you use to apply IRM protection to messages. By applying the appropriate rights policy template,
you can control whether a recipient is allowed to reply to, reply to all, forward, extract information from, save, or
print the message.
By default, Exchange ships with the Do Not Forward template. When this template is applied to a message, only
the recipients addressed in the message can decrypt the message. The recipients can't forward the message, copy
content from the message, or print the message. You can create additional RMS templates on the AD RMS servers
in your organization to meet your requirements.
For more information about rights policy templates, see AD RMS Policy Template Considerations.
For more information about creating AD RMS rights policy templates, see AD RMS Rights Policy Templates
Deployment Step-by-Step Guide.
NOTE
IRM protection isn't applied again to messages that are already IRM-protected. For example, if a user IRM-protects a
message in Outlook or Outlook on the web, a transport protection rule won't apply IRM protection to the same
message.
Sending messages within the same on- Yes For the requirements, see the IRM
premises Exchange organization requirements section later in this topic.
Sending messages between different Yes For the requirements, see Configuring
Active Directory forests in an on- AD RMS to Integrate with Exchange
premises organization. Server 2010 Across Multiple Forests.
Sending messages between an on- Yes For more information, see IRM in
premises Exchange organization and an Exchange 2013 Hybrid Deployments.
Office 365 organization in a hybrid
deployment.
Prelicensing
To allow authorized users to view IRM -protected messages and attachments, Exchange automatically attaches a
prelicense to protected messages. This prevents the client from making repeated trips to the AD RMS server to
retrieve a use license, and enables offline viewing of IRM -protected messages. Prelicensing also allows users to
view IRM -protected messages in Outlook on the web. When you enable IRM features, prelicensing is enabled by
default.
IRM agents
IRM features use the built-in transport agents that exist in the Transport service on Mailbox servers. Most of the
built-in transport agents are invisible and unmanageable by the transport agent management cmdlets in the
Exchange Management Shell (*-TransportAgent).
The built-in transport agents that are associated with IRM are described in this table:
IRM requirements
By default, an Exchange organization is enabled for IRM. To actually implement IRM in your Exchange Server
organization, your deployment must meet the requirements that are described in this table.
SERVER REQUIREMENTS
AD RMS cluster AD RMS cluster is the term that's used for any AD RMS
deployment, including a single AD RMS server. AD RMS is a
Web service, so you don't need to set up a Windows Server
failover cluster. For high availability and load-balancing, you
can deploy multiple AD RMS servers in the cluster and use
network load balancing (NLB).
Service connection point: AD RMS-aware applications like
Exchange use the service connection point that's registered in
Active Directory to discover an AD RMS cluster and URLs.
There's only one service connection point for AD RMS in an
Active Directory forest. You can register the service connection
point during AD RMS Setup, or after setup is complete.
Permissions: Read and Execute permissions to the AD RMS
server certification pipeline (the ServerCertification.asmx
file at \inetpub\wwwroot\_wmcs\certification\ ) must be
assigned to these security principals:
• The Exchange Servers group or individual Exchange servers.
• The AD RMS Service group on AD RMS servers.
For details, see Set Permissions on the AD RMS Server
Certification Pipeline.
AD RMS super users: To enable transport decryption, journal
report decryption, IRM in Outlook on the web, and IRM
decryption for Exchange Search, you need to add the
Federation mailbox to the Super Users group on the AD RMS
server. For details, see Add Federated Delivery Mailbox to AD
RMS Super Users.
Exchange IRM features support Office file formats. You can extend IRM protection to other file formats by
deploying custom protectors. For more information about custom protectors, see Information Protection and
Control Partners in Microsoft partners.
Journaling in Exchange Server can help your organization respond to legal, regulatory, and organizational
compliance requirements by recording all or targeted email messages. Journaling in Exchange Server is basically
unchanged from Exchange Server 2010.
Exchange provides the following journaling options:
Standard journaling: Journal all messages that are sent to and received by mailboxes on a specific mailbox
database. To journal all messages in your organization, you need to configure journaling on all mailbox
databases on all Exchange servers.
Premium journaling: Use journal rules to journal messages based on recipients (all recipients or specified
recipients), and scope (internal messages, external messages, or all messages). Premium journaling requires
Exchange Enterprise client access licenses (CALs). For more information about CALs, see Exchange Server
Licensing.
To configure journaling, see Journaling procedures in Exchange Server.
When you plan for messaging retention and compliance, it's important to understand journaling, and how
journaling fits in your organization's compliance policies.
Journaling agent
The Journaling agent is the built-in Exchange transport agent that processes messages as they flow through the
Transport service on Mailbox servers. The journaling configuration settings are stored in Active Directory, and are
read by the Journaling agent. The Journaling agent is registered on the OnSubmittedMessage and
OnRoutedMessage categorizer events in the transport pipeline. For more information about the transport
pipeline, see Mail flow and the transport pipeline.
Note that built-in transport agents like the Journaling agent are invisible and unmanageable by the transport
agent management cmdlets (*-TransportAgent).
Journal reports
A journal report is the message that's recorded by journaling. The journal report contains the original message as
an unaltered file attachment. The body of the journal report contains summary information from the original
message (for example, the sender's email address, message subject, Message-ID, and recipient email addresses).
This type of journaling is known as envelope journaling, and is the only journaling method that's supported by
Exchange.
Journal reports and IRM -protected messages
You need to consider the effects of IRM -protected messages on journal reports. Third-party archiving systems that
don't have built-in RMS support can't decrypt the IRM -protected messages in journal reports, which negatively
affects the search and discovery of content in journaled messages. In Exchange, you can configure journal report
decryption to save a clear-text copy of the message in the journal report. For more information, see Enable journal
report decryption.
Journal rules
The basic components of a journal rule are:
Journal recipient: Who you want to journal.
Journal rule scope: What you want to journal.
Journaling mailbox: Where you want to store the journaled messages.
Journal recipient
The journal recipient specifies who you want to journal. Messages that are sent to or received by the journal
recipient are journaled (the direction doesn't matter). You can configure a journal rule to journal messages for all
senders and recipients in the Exchange organization, or you can limit a journal rule to an Exchange mailbox, group,
mail user, or mail contact. If you specify a distribution group, you enable journaling for the members of the
distribution group (not for the group itself).
By targeting specific recipients or groups of recipients, you can configure a journaling environment that helps you
meet your organization's regulatory and legal requirements, while minimizing the storage and other costs that are
associated with retaining large amounts of data.
Journal recipients that are enabled for Unified Messaging in Exchange 2016
By default, if your Exchange 2016 organization uses Unified Messaging (UM ) to consolidate the email, voice mail,
and fax infrastructure, Exchange is configured to journal voice mail notification and missed call notification
messages. You can disable journaling for these types of messages, but messages that contain UM -generated faxes
are always journaled.
To disable journaling for voice mail and missed call notifications, see Enable or disable journaling for voice mail
and missed call notifications.
NOTE
Unified Messaging is not available in Exchange 2019.
Troubleshooting
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server. If you're having
trouble with the alternate journaling mailbox, see KB2829319.
Journaling procedures in Exchange Server
8/23/2019 • 11 minutes to read • Edit Online
Journaling in Exchange Server records inbound and outbound email messages. For more information, see
Journaling in Exchange Server.
This topic shows you how to configure standard journaling (journal messages for all mailboxes on a mailbox
database) and premium journaling (use journal rules to specify the recipients that are journaled). Some
configuration settings are available in the Exchange admin center (EAC ), while others are only available in the
Exchange Management Shell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection. If you're having trouble with the JournalingReportDNRTo mailbox, see Transport and Mailbox Rules in
Exchange Online don't work as expected.
Disabling journaling on a mailbox database may result in your organization being out of compliance with any
applicable messaging retention policies.
Use the EAC enable or disable journaling on mailbox databases
1. In the EAC, go to Servers > Databases.
2. Select the mailbox database, and then click Edit ( ).
3. In the mailbox database properties window that opens, click the Maintenance tab, and then perform one of
the following procedures:
Enable journaling: Click Browse next to the Journal recipient field. In the resulting dialog box,
select the mailbox where you want to store the journaled messages, and then click OK.
Disable journaling: Click Remove X next to the value in Journal recipient field.
This example enables journaling on the mailbox database named Sales Database, and configures the mailbox
named Sales Database Journal Mailbox as the journaling mailbox that stores the journaled messages.
This example disables journaling on the mailbox database named Sales Database.
This example disables journaling on all mailbox databases in the Exchange organization.
Send a message to a mailbox on the database, open the journaling mailbox in Outlook or Outlook Web App
(formerly known as Outlook on the web), and verify that the journaled message (journal report) is or isn't
delivered to the journaling mailbox.
This example creates the journal rule named Regulation 123 with the following settings:
Journal recipient: The user Connie Mayr, whose email address is cmayr@contoso.com.
Journal rule scope: Internal and external messages (we didn't use the Scope parameter, and the default
value is Global ).
Journaling mailbox: The mailbox named Journal Mailbox.
The journal rule is enabled (we didn't use the Enabled parameter, and the default value is $true ).
Note: To create a journal rule that applies to all recipients, don't use the Recipient parameter.
For detailed syntax and parameter information, see New -JournalRule.
How do you know this worked?
To verify that you've successfully created a journal rule, use any of the following procedures:
In the EAC, go to Compliance management > Journal rules and verify that the new journal rule you
created is listed.
In the Exchange Management Shell, run the following command to verify that the new journal rule is listed:
Send a message to a recipient that's in the scope of the journal rule, open the journaling mailbox in Outlook
or Outlook Web App, and verify that the journaled message (journal report) is delivered to the journaling
mailbox.
Enable or disable journal rules
By default, when you create a journal rule in the EAC or the Exchange Management Shell, the rule is enabled. You
can only use the Exchange Management Shell to create a journal rule that's disabled (the Enabled parameter value
is $false in the New-JournalRule command).
After you create a journal rule, you can use the EAC or the Exchange Management Shell to disable or enable the
rule.
IMPORTANT
When a journal rule is disabled, any messages that would have normally been journaled by the rule aren't journaled. Verify
that you don't compromise the regulatory or compliance requirements of your organization by disabling a journaling rule.
Send a message to a recipient that's in the scope of the journal rule, open the journaling mailbox in Outlook
or Outlook Web App, and verify that the journaled message (journal report) is or isn't delivered to the
journaling mailbox.
Modify journal rules
No additional settings are available when you modify a journal rule. They're the same settings that were available
when you created the rule:
EAC: Go to Compliance management > Journal rules, and then click Edit ( ). The available settings
are the same as when you created the rule. For more information, see the Use the EAC to create journal
rules section.
Exchange Management Shell: The syntax to modify a journal rule is:
You can't use the Set-Journal cmdlet to enable or disable the rule (there's no Enabled parameter). To
enable or disable the rule, you use the Enable-JournalRule and Disable-JournalRule cmdlets as
described in the Enable or disable journal rules section.
For detailed syntax and parameter information, see Set-JournalRule.
Remove journal rules
Use the EAC to remove journal rules
1. In the EAC, go to Compliance management > Journal rules.
2. In the list view, select the rule or rules that you want to remove, and then click Delete ( ).
Use the Exchange Management Shell to remove journal rules
To remove journal rules in the Exchange Management Shell, use the following syntax:
This example removes the journal rule named Brokerage Journal Rule.
Send a message to a recipient that was in the scope of the deleted journal rule, open the journaling mailbox
in Outlook or Outlook Web App, and verify that the journaled message (journal report) isn't delivered to the
journaling mailbox.
Enable or disable journaling for voice mail and missed call notifications
By default, premium journaling will journal voice mail notification and missed call notification messages that are
generated by Unified Messaging (UM ) in Exchange 2016. However, you can disable journaling for these types of
messages. Note that even if you disable journaling for UM notification messages, messages containing faxes that
were generated by the UM service are always journaled.
NOTE
Unified Messaging is not available in Exchange 2019.
You can only change this setting in the Exchange Management Shell.
To disable journaling for voice mail and missed call notifications, run the following command:
To enable journaling for voice mail and missed call notifications, run the following command:
If the alternate journaling mailbox also becomes unavailable and rejects the NDRs for undeliverable journal
reports, the original journal reports are lost and can't be retrieved.
Use the EAC to specify the alternate journaling mailbox
1. In the EAC, go to Compliance management > Journal rules.
2. Click Select address next to Send undeliverable journal reports to.
3. In the NDRs for undeliverable journal reports window that opens, click Browse, select the mailbox in
the dialog box that appears, click OK, and then click Save.
Note: To remove the functionality of the alternate journaling mailbox, click on the email address next to Send
undeliverable journal reports to. In the In the NDRs for undeliverable journal reports window that opens,
click Remove X next to the email address, and then click Save.
Use the Exchange Management Shell to specify an alternate journaling mailbox
To specify the alternate journaling mailbox in the Exchange Management Shell, use the following syntax:
This example specifies the mailbox that has the email address altjournalingmbx@contoso.com as the alternate
journaling mailbox.
You can use mail flow rules (also known as transport rules) to identify and take action on messages that flow
through the transport pipeline in your Exchange 2016 and Exchange 2019 organization. Mail flow rules are
similar to the Inbox rules that are available in Outlook and Outlook on the web (formerly known as Outlook Web
App). The main difference is mail flow rules take action on messages while they're in transit, and not after the
message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions,
which provides you with the flexibility to implement many types of messaging policies.
This article explains the components of mail flow rules, and how they work.
You can use the Exchange admin center (EAC ) or the Exchange Management Shell to manage mail flow rules.
For instructions on how to manage mail flow rules, see Procedures for mail flow rules in Exchange Server.
For each rule, you have the option of enforcing it, testing it, or testing it and notifying the sender. To learn more
about the testing options, see Test a mail flow rule and Policy Tips.
For steps to implement specific messaging policies, see the following topics:
Organization-wide disclaimers, signatures, footers, or headers in Exchange Server
Common message approval scenarios
Using mail flow rules to inspect message attachments
One condition with multiple values OR Some conditions allow you to specify
more than one value. The message
must match any one (not all) of the
specified values. For example, if an
email message has the subject Stock
price information, and the The subject
includes any of these words
condition is configured to match the
words Contoso or stock, the condition
is satisfied because the subject contains
at least one of the specified values.
Activate this rule on the following ActivationDate Specifies the date range when the rule
date ExpiryDate is active.
Deactivate this rule on the following
date
On check box selected or not selected New rules: Enabled parameter on the You can create a disabled rule, and
New-TransportRule cmdlet. enable it when you're ready to test it.
Existing rules: Use the Enable- Or, you can disable a rule without
TransportRule or Disable- deleting it to preserve the settings. For
TransportRule cmdlets. instructions, see Enable or disable mail
The value is displayed in the State flow rules.
property of the rule.
Defer the message if rule RuleErrorAction You can specify how the message
processing doesn't complete should be handled if the rule
processing can't be completed. By
default, the rule will be ignored, but
you can choose to resubmit the
message for processing.
PARAMETER NAME IN THE EXCHANGE
PROPERTY NAME IN THE EAC MANAGEMENT SHELL DESCRIPTION
Stop processing more rules SenderAddressLocation This is an action for the rule, but it
looks like a property in the EAC. You
can choose to stop applying additional
rules to a message after a rule
processes a message.
Transport Rule agent on Mailbox The OnResolvedMessage categorizer In Active Directory. Rules are available
servers event. to all Mailbox servers in the Active
In Exchange 2010, the Transport Rule Directory forest.
agent was invoked on the
OnRoutedMessage categorizer event.
The change to OnResolvedMessage
allowed new rule actions that can
change how a message is routed (for
example, require TLS).
Edge Rule agent on Edge Transport The OnEndOfData SMTP event In the local instance of Active Directory
servers Lightweight Directory Services (AD
LDS) on the server. Rules are only
applied to messages that flow through
the local server.
S/MIME encrypted messages Rules can only access envelope headers and process
messages based on conditions that inspect those headers.
Rules with conditions that require inspection of the message's
content, or actions that modify the message's content can't
be processed.
RMS Protected messages: Messages that are protected by Rules can always access envelope headers and process
applying an Active Directory Rights Management Services messages based on conditions that inspect those headers.For
(AD RMS) rights policy template. a rule to inspect or modify a protected message's content,
your need to:
• Have transport decryption set to Mandatory or Optional.
By default, Transport decryption is set to Optional.
• Have the encryption key.
NOTE
This section applies to Exchange 2016 only.
When you coexist with Exchange 2010, all mail flow rules are stored in Active Directory and replicated
across your organization regardless of the Exchange Server version you used to create the rules. However,
all mail flow rules are associated with the Exchange server version that was used to create them and are
stored in a version-specific container in Active Directory. When you first deploy Exchange 2016 in your
organization, any existing rules are imported to Exchange 2016 as part of the setup process. However, any
changes afterwards would need to be made with both versions. For example, if you change an existing
rule in Exchange 2016 (Exchange Management Shell or the EAC ), you need to make the same change in
Exchange 2010 (Exchange Management Shell or the Exchange Management Console).
Exchange 2010 can't process rules that have the Version or RuleVersion value 15.n.n.n. To be sure all
your rules can be processed, only use rules that have the value 14.n.n.n.
Mail flow rule conditions and exceptions (predicates) in Exchange
Server
8/23/2019 • 29 minutes to read • Edit Online
Conditions and exceptions in mail flow rules (also known as transport rules) identify the messages that the rule is applied to or not
applied to. For example, if the rule adds a disclaimer to messages, you can configure the rule to only apply to messages that contain
specific words, messages sent by specific users, or to all messages except those sent by the members of a specific group. Collectively, the
conditions and exceptions in mail flow rules are also known as predicates, because for every condition, there's a corresponding exception
that uses the exact same settings and syntax. The only difference is conditions specify messages to include, while exceptions specify
messages to exclude.
Most conditions and exceptions have one property that requires one or more values. For example, the The sender is condition requires
the sender of the message. Some conditions have two properties. For example, the A message header includes any of these words
condition requires one property to specify the message header field, and a second property to specify the text to look for in the header
field. Some conditions or exceptions don't have any properties. For example, the Any attachment has executable content condition
simply looks for attachments in messages that have executable content.
For more information about mail flow rules in Exchange Server, see Mail flow rules in Exchange Server.
For more information about conditions and exceptions in mail flow rules in Exchange Online Protection or Exchange Online, see Mail
flow rule conditions and exceptions (predicates) in Exchange Online.
The sender is From Addresses Messages that are sent by Exchange 2010 or later
ExceptIfFrom the specified mailboxes,
The sender > is this mail users, or mail contacts
person in the Exchange
organization.
The sender is located FromScope UserScopeFrom Messages that are sent by Exchange 2010 or later
ExceptIfFromScope either internal senders or
The sender > is external senders.
external/internal
The sender is a member FromMemberOf Addresses Messages that are sent by Exchange 2010 or later
of ExceptIfFromMemberOf a member of the specified
group.
The sender > is a
member of this group
The sender address FromAddressContainsWor Words Messages that contain the Exchange 2010 or later
includes ds specified words in the
ExceptIfFromAddressConta sender's email address.
The sender > address insWords
includes any of these
words
The sender address FromAddressMatchesPatte Patterns Messages where the Exchange 2010 or later
matches rns sender's email address
ExceptIfFromAddressMatch contains text patterns that
The sender > address esPatterns match the specified regular
matches any of these expressions.
text patterns
The sender's specified SenderADAttributeContai First property: Messages where the Exchange 2010 or later
properties include any nsWords ADAttribute specified Active Directory
of these words ExceptIfSenderADAttribute attribute of the sender
ContainsWords Second property: Words contains any of the
The sender > has specified words.
specific properties
including any of these Note that the Country
words attribute requires the two-
letter country code value
(for example, DE for
Germany).
The sender's specified SenderADAttributeMatche First property: Messages where the Exchange 2010 or later
properties match these sPatterns ADAttribute specified Active Directory
text patterns ExceptIfSenderADAttribute attribute of the sender
MatchesPatterns Second property: contains text patterns that
The sender > has Patterns match the specified regular
specific properties expressions.
matching these text
patterns
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The sender has HasSenderOverride n/a Messages where the Exchange 2013 or later
overridden the Policy ExceptIfHasSenderOverrid sender has chosen to
Tip e override a data loss
prevention (DLP) policy.
The sender > has For more information
overridden the Policy about DLP policies, see
Tip Data loss prevention in
Exchange Server.
Sender's IP address is in SenderIPRanges IPAddressRanges Messages where the Exchange 2013 or later
the range ExceptIfSenderIPRanges sender's IP address
matches the specified IP
The sender > IP address address, or falls within the
is in any of these ranges specified IP address range.
or exactly matches
The sender's domain is SenderDomainIs DomainName Messages where the Exchange 2013 or later
ExceptIfSenderDomainIs domain of the sender's
The sender > domain is email address matches the
specified value.
Recipients
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The recipient is SentTo Addresses Messages where one of Exchange 2010 or later
ExceptIfSentTo the recipients is the
The recipient > is this specified mailbox, mail user,
person or mail contact in the
Exchange organization. The
recipients can be in the To,
Cc, or Bcc fields of the
message.
The recipient is located SentToScope UserScopeTo Messages that are sent to Exchange 2010 or later
ExceptIfSentToScope internal recipients, external
The recipient > is recipients, external
external/external recipients in partner
organizations, or external
recipients in non-partner
organizations.
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The recipient is a SentToMemberOf Addresses Messages that contain Exchange 2010 or later
member of ExceptIfSentToMemberOf recipients who are
members of the specified
The recipient > is a group. The group can be in
member of this group the To, Cc, or Bcc fields of
the message.
The recipient address RecipientAddressContains Words Messages that contain the Exchange 2010 or later
includes Words specified words in the
ExceptIfRecipientAddressC recipient's email address.
The recipient > address ontainsWords
includes any of these Note: This condition or
words exception doesn't consider
messages that are sent to
recipient proxy addresses.
It only matches messages
that are sent to the
recipient's primary email
address.
The recipient address RecipientAddressMatchesP Patterns Messages where a Exchange 2010 or later
matches atterns recipient's email address
ExceptIfRecipientAddressM contains text patterns that
The recipient > address atchesPatterns match the specified regular
matches any of these expressions.
text patterns
Note: This condition or
exception doesn't consider
messages that are sent to
recipient proxy addresses.
It only matches messages
that are sent to the
recipient's primary email
address.
The recipient's specified RecipientADAttributeCont First property: Messages where the Exchange 2010 or later
properties include any ainsWords ADAttribute specified Active Directory
of these words ExceptIfRecipientADAttrib attribute of a recipient
uteContainsWords Second property: Words contains any of the
The recipient > has specified words.
specific properties
including any of these Note that the Country
words attribute requires the two-
letter country code value
(for example, DE for
Germany).
The recipient's specified RecipientADAttributeMatc First property: Messages where the Exchange 2010 or later
properties match these hesPatterns ADAttribute specified Active Directory
text patterns ExceptIfRecipientADAttrib attribute of a recipient
uteMatchesPatterns Second property: contains text patterns that
The recipient > has Patterns match the specified regular
specific properties expressions.
matching these text
patterns
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
A recipient's domain is RecipientDomainIs DomainName Messages where the Exchange 2013 or later
ExceptIfRecipientDomainIs domain of a recipient's
The recipient > domain email address matches the
is specified value.
NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
The subject or body SubjectOrBodyContainsW Words Messages that have the Exchange 2010 or later
includes ords specified words in the
ExceptIfSubjectOrBodyCon Subject field or message
The subject or body > tainsWords body.
subject or body includes
any of these words
The subject or body SubjectOrBodyMatchesPat Patterns Messages where the Exchange 2010 or later
matches terns Subject field or message
ExceptIfSubjectOrBodyMat body contain text patterns
The subject or body > chesPatterns that match the specified
subject or body matches regular expressions.
these text patterns
The subject includes SubjectContainsWords Words Messages that have the Exchange 2010 or later
ExceptIfSubjectContainsW specified words in the
The subject or body > ords Subject field.
subject includes any of
these words
The subject matches SubjectMatchesPatterns Patterns Messages where the Exchange 2010 or later
ExceptIfSubjectMatchesPat Subject field contains text
The subject or body > terns patterns that match the
subject matches these specified regular
text patterns expressions.
Attachments
For more information about how mail flow rules inspect message attachments, see Using mail flow rules to inspect message
attachments.
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
Any attachments content AttachmentMatchesPatter Patterns Messages where an Exchange 2010 or later
matches ns attachment contains text
ExceptIfAttachmentMatche patterns that match the
Any attachment > sPatterns specified regular
content matches these expressions.
text patterns
Note: Only the first 150
kilobytes (KB) of the
attachments are scanned.
Any attachment's file AttachmentNameMatches Patterns Messages where an Exchange 2010 or later
name matches Patterns attachment's file name
ExceptIfAttachmentName contains text patterns that
Any attachment > file MatchesPatterns match the specified regular
name matches these text expressions.
patterns
Any attachment's file AttachmentExtensionMatc Words Messages where an Exchange 2013 or later
extension matches hesWords attachment's file extension
ExceptIfAttachmentExtensi matches any of the
Any attachment > file onMatchesWords specified words.
extension includes these
words
Any attachment is AttachmentSizeOver Size Messages where any Exchange 2010 or later
greater than or equal to ExceptIfAttachmentSizeOv attachment is greater than
er or equal to the specified
Any attachment > size is value.
greater than or equal to
In the EAC, you can only
specify the size in kilobytes
(KB).
The message didn't AttachmentProcessingLimi n/a Messages where the rules Exchange 2013 or later
complete scanning tExceeded engine couldn't complete
ExceptIfAttachmentProcess the scanning of the
Any attachment > didn't ingLimitExceeded attachments. You can use
complete scanning this condition to create
rules that work together to
identify and process
messages where the
content couldn't be fully
scanned.
Any attachment has AttachmentHasExecutable n/a Messages where an Exchange 2013 or later
executable content Content attachment is an
ExceptIfAttachmentHasExe executable file. The system
Any attachment > has cutableContent inspects the file's
executable content properties rather than
relying on the file's
extension.
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
has these properties, AttachmentPropertyConta First property: Messages where the Exchange 2016 or later
including any of these insWords DocumentProperties specified property of an
words ExceptIfAttachmentPropert attached Office document
yContainsWords Second property: Words contains the specified
Any attachment > has words. This condition helps
these properties, you integrate mail flow
including any of these rules with SharePoint, File
words Classification Infrastructure
(FCI) in Windows Server
2012 R2 or later, or a
third-party classification
system.
Any recipients
The conditions and exceptions in this section provide a unique capability that affects all recipients when the message contains at least
one of the specified recipients. For example, let's say you have a rule that rejects messages. If you use a recipient condition from the
Recipients section, the message is only rejected for those specified recipients. For example, if the rule finds the specified recipient in a
message, but the message contains five other recipients. The message is rejected for that one recipient, and is delivered to the five other
recipients.
If you add a recipient condition from this section, that same message is rejected for the detected recipient and the five other recipients.
Conversely, a recipient exception from this section prevents the rule action from being applied to all recipients of the message, not just
for the detected recipients.
Note: This condition or exception doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that
are sent to the recipient's primary email address.
Any recipient address AnyOfRecipientAddressCo Words Messages that contain the Exchange 2013 or later
includes ntainsWords specified words in the To,
ExceptIfAnyOfRecipientAd Cc, or Bcc fields of the
Any recipient > address dressContainsWords message.
includes any of these
words
Any recipient address AnyOfRecipientAddressMa Patterns Messages where the To, Exchange 2013 or later
matches tchesPatterns Cc, or Bcc fields contain
ExceptIfAnyOfRecipientAd text patterns that match
Any recipient > address dressMatchesPatterns the specified regular
matches any of these expressions.
text patterns
Message sensitive information types, To and Cc values, size, and character sets
The conditions in this section that look for values in the To and Cc fields behave like the conditions in the Any recipients section (all
recipients of the message are affected by the rule, not just the detected recipients).
Note: The recipient conditions in this section do not consider messages that are sent to recipient proxy addresses. They only match
messages that are sent to the recipient's primary email address.
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The message contains MessageContainsDataCla SensitiveInformationTypes Messages that contain Exchange 2013 or later
sensitive information ssifications sensitive information as
ExceptIfMessageContainsD defined by data loss
The message > contains ataClassifications prevention (DLP) policies.
any of these types of
sensitive information This condition is required
for rules that use the
Notify the sender with a
Policy Tip (NotifySender)
action.
The To box contains AnyOfToHeader Addresses Messages where the To Exchange 2010 or later
ExceptIfAnyOfToHeader field includes any of the
The message > To box specified recipients.
contains this person
The To box contains a AnyOfToHeaderMemberOf Addresses Messages where the To Exchange 2010 or later
member of ExceptIfAnyOfToHeaderMe field contains a recipient
mberOf who is a member of the
The message > To box specified group.
contains a member of
this group
The Cc box contains AnyOfCcHeader Addresses Messages where the Cc Exchange 2010 or later
ExceptIfAnyOfCcHeader field includes any of the
The message > Cc box specified recipients.
contains this person
The Cc box contains a AnyOfCcHeaderMemberOf Addresses Messages where the Cc Exchange 2010 or later
member of ExceptIfAnyOfCcHeaderMe field contains a recipient
mberOf who is a member of the
The message > contains specified group.
a member of this group
The To or Cc box AnyOfToCcHeader Addresses Messages where the To or Exchange 2010 or later
contains ExceptIfAnyOfToCcHeader Cc fields contain any of the
specified recipients.
The message > To or Cc
box contains this person
The To or Cc box AnyOfToCcHeaderMember Addresses Messages where the To or Exchange 2010 or later
contains a member of Of Cc fields contain a recipient
ExceptIfAnyOfToCcHeader who is a member of the
The message > To or Cc MemberOf specified group.
box contains a member
of this group
The message size is MessageSizeOver Size Messages where the total Exchange 2013 or later
greater than or equal to ExceptIfMessageSizeOver size (message plus
attachments) is greater
The message > size is than or equal to the
greater than or equal to specified value.
The message character ContentCharacterSetCont CharacterSets Messages that have any of Exchange 2013 or later
set name includes any of ainsWords the specified character set
these words ExceptIfContentCharacterS names.
etContainsWords
The message >
character set name
includes any of these
words
The sender is one of the SenderManagementRelati ManagementRelationship Messages where the either Exchange 2010 or later
recipient's onship sender is the manager of a
ExceptIfSenderManagemen recipient, or the sender is
The sender and the tRelationship managed by a recipient.
recipient > the sender's
relationship to a
recipient is
The message is between BetweenMemberOf1 and Addresses Messages that are sent Exchange 2010 or later
members of these BetweenMemberOf2 between members of the
groups ExceptIfBetweenMemberOf specified groups.
1 and
The sender and the ExceptIfBetweenMemberOf
recipient > the message 2
is between members of
these groups
The manager of the ManagerForEvaluatedUser First property: Messages where either a Exchange 2010 or later
sender or recipient is and ManagerAddress EvaluatedUser specified user is the
ExceptIfManagerForEvalua manager of the sender, or
The sender and the tedUser and Second property: a specified user is the
recipient > the manager ExceptIfManagerAddress Addresses manager of a recipient.
of the sender or
recipient is this person
The sender's and any ADAttributeComparisonAt First property: Messages where the Exchange 2010 or later
recipient's property tribute and ADAttribute specified Active Directory
compares as ADComparisonOperator attribute for the sender
ExceptIfADAttributeComp Second property: and recipient either match
The sender and the arisonAttribute and Evaluation or don't match.
recipient > the sender ExceptIfADComparisonOp
and recipient property erator
compares as
Message properties
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The message type is MessageTypeMatches MessageType Messages of the specified Exchange 2010 or later
ExceptIfMessageTypeMatch type.
The message properties es
> include the message Note: When Outlook or
type Outlook on the web is
configured to forward a
message, the
ForwardingSmtpAddress
property is added to the
message. The message
type isn't changed to
AutoForward .
CONDITION AND EXCEPTION
PARAMETERS IN THE
CONDITION OR EXCEPTION EXCHANGE MANAGEMENT
IN THE EAC SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
The message is classified HasClassification MessageClassification Messages that have the Exchange 2010 or later
as ExceptIfHasClassification specified message
classification. This is a
The message properties custom message
> include this classification that you can
classification create in your organization
by using the New-
MessageClassification
cmdlet.
The message isn't HasNoClassification n/a Messages that don't have Exchange 2010 or later
marked with any ExceptIfHasNoClassificatio a message classification.
classifications n
The message has an SCL SCLOver SCLValue Messages that are Exchange 2010 or later
greater than or equal to ExceptIfSCLOver assigned a spam
confidence level (SCL)
The message properties that's greater than or equal
> include an SCL greater to the specified value.
than or equal to
The message WithImportance Importance Messages that are marked Exchange 2010 or later
importance is set to ExceptIfWithImportance with the specified
Importance level.
The message properties
> include the
importance level
Message headers
NOTE
The search for words or text patterns in the subject or other header fields in the message occurs after the message has been decoded from the MIME
content transfer encoding method that was used to transmit the binary message between SMTP servers in ASCII text. You can't use conditions or
exceptions to search for the raw (typically, Base64) encoded values of the subject or other header fields in messages.
A message header HeaderContainsMessageH First property: Messages that contain the Exchange 2010 or later
includes eader and MessageHeaderField specified header field, and
HeaderContainsWords the value of that header
A message header > ExceptIfHeaderContainsMe Second property: Words field contains the specified
includes any of these ssageHeader and words.
words ExceptIfHeaderContainsW
ords The name of the header
field and the value of the
header field are always
used together.
A message header HeaderMatchesMessageHe First property: Messages that contain the Exchange 2010 or later
matches ader and MessageHeaderField specified header field, and
HeaderMatchesPatterns the value of that header
A message header > ExceptIfHeaderMatchesMe Second property: field contains the specified
matches these text ssageHeader and Patterns regular expressions.
patterns ExceptIfHeaderMatchesPat
terns The name of the header
field and the value of the
header field are always
used together.
Conditions and exceptions for mail flow rules on Edge Transport servers
The conditions and exceptions that are available in mail flow rules on Edge Transport servers are a small subset of what's available on
Mailbox servers. There's no EAC on Edge Transport servers, so you can only manage mail flow rules in the Exchange Management Shell
on the local Edge Transport server. The conditions and exceptions are described in the following table. The properties types are described
in the Property types section.
AnyOfRecipientAddressMatchesPa Patterns Messages where the To, Cc, or Bcc Exchange 2013 or later
tterns fields contain text patterns that
ExceptIfAnyOfRecipientAddressMa match the specified regular
tchesPatterns expressions.
FromAddressMatchesPatterns Patterns Messages where the sender's email Exchange 2010 or later
ExceptIfFromAddressMatchesPatte address contains text patterns that
rns match the specified regular
expressions.
FromScope UserScopeFrom Messages that are sent by either Exchange 2010 or later
ExceptIfFromScope internal senders or external
senders.
HeaderContainsMessageHeader First property: Messages that contain the Exchange 2010 or later
and HeaderContainsWords MessageHeaderField specified header field, and the
ExceptIfHeaderContainsMessageH value of that header field contains
eader and Second property: Words the specified words.
ExceptIfHeaderContainsWords
The name of the header field and
the value of the header field are
always used together.
HeaderMatchesMessageHeader First property: Messages that contain the Exchange 2010 or later
and HeaderMatchesPatterns MessageHeaderField specified header field, and the
ExceptIfHeaderMatchesMessageHe value of that header field contains
ader and Second property: Patterns the specified regular expressions.
ExceptIfHeaderMatchesPatterns
The name of the header field and
the value of the header field are
always used together.
CONDITION AND EXCEPTION
PARAMETERS IN THE EXCHANGE
MANAGEMENT SHELL PROPERTY TYPE DESCRIPTION AVAILABLE IN
MessageSizeOver Size Messages where the total size Exchange 2013 or later
ExceptIfMessageSizeOver (message plus attachments) is
greater than or equal to the
specified value.
SCLOver SCLValue Messages that are assigned an SCL Exchange 2010 or later
ExceptIfSCLOver that's greater than or equal to the
specified value.
SubjectMatchesPatterns Patterns Messages where the Subject field Exchange 2010 or later
ExceptIfSubjectMatchesPatterns contains text patterns that match
the specified regular expressions.
SubjectOrBodyMatchesPatterns Patterns Messages where the Subject field Exchange 2010 or later
ExceptIfSubjectOrBodyMatchesPatt or message body contain text
erns patterns that match the specified
regular expressions.
Property types
The property types that are used in conditions and exceptions are described in the following table.
NOTE
If the property is a string, trailing spaces are not allowed.
ADAttribute Select from a predefined list of Active Directory You can check against any of the following
attributes Active Directory attributes:
City
Company
Country
CustomAttribute1 - CustomAttribute15
Department
DisplayName
Email
FaxNumber
FirstName
HomePhoneNumber
Initials
LastName
Manager
MobileNumber
Notes
Office
OtherFaxNumber
OtherHomePhoneNumber
OtherPhoneNumber
PagerNumber
PhoneNumber
POBox
State
Street
Title
UserLogonName
ZipCode
For example,
"City:San Francisco,Palo Alto" or
"City:San Francisco,Palo Alto" ,
"Department:Sales,Finance" .
CharacterSets Array of character set names One or more content character sets that exist in
a message. For example:
Arabic/iso-8859-6
Chinese/big5
Chinese/euc-cn
Chinese/euc-tw
Chinese/gb2312
Chinese/iso-2022-cn
Cyrillic/iso-8859-5
Cyrillic/koi8-r
Cyrillic/windows-1251
Greek/iso-8859-7
Hebrew/iso-8859-8
Japanese/euc-jp
Japanese/iso-022-jp
Japanese/shift-jis
Korean/euc-kr
Korean/johab
Korean/ks_c_5601-1987
Turkish/windows-1254
Turkish/iso-8859-9
Vietnamese/tcvn
PROPERTY TYPE VALID VALUES DESCRIPTION
EvaluatedUser Single value of Sender or Recipient Specifies whether the rule is looking for the
manager of the sender or the manager of the
recipient.
Evaluation Single value of Equal or Not equal ( NotEqual ) When comparing the Active Directory attribute
of the sender and recipients, this specifies
whether the values should match, or not match.
Importance Single value of Low, Normal, or High The Importance level that was assigned to the
message by the sender in Outlook or Outlook
on the web.
IPAddressRanges Array of IP addresses or address ranges You enter the IPv4 addresses using the
following syntax:
• Single IP address: For example,
192.168.1.1 .
• IP address range: For example,
192.168.0.1-192.168.0.254 .
• Classless InterDomain Routing (CIDR) IP
address range: For example, 192.168.0.1/25 .
ManagementRelationship Single value of Manager or Direct report( Specifies the relationship between the sender
DirectReport ) and any of the recipients. The rule checks the
Manager attribute in Active Directory to see if
the sender is the manager of a recipient, or if
the sender is managed by a recipient.
MessageClassification Single message classification In the EAC, you select from the list of message
classifications that you've created.
MessageHeaderField Single string Specifies the name of the header field. The name
of the header field is always paired with the
value in the header field (word or text pattern
match).
MessageType Single message type value Specifies one of the following message types:
• Automatic reply ( OOF )
• Auto-forward ( AutoForward )
• Encrypted
• Calendaring
• Permission controlled (
PermissionControlled )
• Voicemail
• Signed
• Approval request ( ApprovalRequest )
• Read receipt ( ReadReceipt )
Patterns Array of regular expressions Specifies one or more regular expressions that
are used to identify text patterns in values. For
more information, see Regular Expression
Syntax.
SCLValue One of the following values: Specifies the spam confidence level (SCL) that's
• Bypass spam filtering ( -1 ) assigned to a message. A higher SCL value
• Integers 0 through 9 indicates that a message is more likely to be
spam.
PROPERTY TYPE VALID VALUES DESCRIPTION
SensitiveInformationTypes Array of sensitive information types Specifies one or more sensitive information
types that are defined in your organization. For
a list of built-in sensitive information types, see
Sensitive information types in Exchange Server.
Size Single size value Specifies the size of an attachment or the whole
message.
UserScopeFrom Single value of Inside the organization ( A sender is considered to be inside the
InOrganization ) or Outside the organization if either of the following conditions
organization ( NotInOrganization ) is true:
• The sender is a mailbox, mail user, group, or
mail-enabled public folder that exists in the
organization's Active Directory.
• The sender's email address is in an accepted
domain that's configured as an authoritative
domain or an internal relay domain, and the
message was sent or received over an
authenticated connection. For more information
about accepted domains, see Accepted domains
in Exchange Server.
Words Array of strings Specifies one or more words to look for. The
words aren't case-sensitive, and can be
surrounded by spaces and punctuation marks.
Wildcards and partial matches aren't supported.
Actions in mail flow rules (also known as transport rules) specify what you want to do to messages that match
conditions of the rule. For example, you can create a rule that forwards message from specific senders to a
moderator, or adds a disclaimer or personalized signature to all outbound messages.
Actions typically require additional properties. For example, when the rule redirects a message, you need to
specify where to redirect the message. Some actions have multiple properties that are available or required. For
example, when the rule adds a header field to the message header, you need to specify both the name and value
of the header. When the rule adds a disclaimer to messages, you need to specify the disclaimer text, but you can
also specify where to insert the text, or what to do if the disclaimer can't be added to the message. Typically, you
can configure multiple actions in a rule, but some actions are exclusive. For example, one rule can't reject and
redirect the same message.
For more information about mail flow rules in Exchange Server, see Mail flow rules in Exchange Server.
For more information about conditions and exceptions in mail flow rules, see Mail flow rule conditions and
exceptions (predicates) in Exchange Server.
For more information about actions in mail flow rules in Exchange Online Protection or Exchange Online, see
Mail flow rule actions in Exchange Online.
ACTION PARAMETER IN
THE EXCHANGE
ACTION IN THE EAC MANAGEMENT SHELL PROPERTY DESCRIPTION AVAILABLE IN
ACTION PARAMETER IN
THE EXCHANGE
ACTION IN THE EAC MANAGEMENT SHELL PROPERTY DESCRIPTION AVAILABLE IN
Reject the message RejectMessageReason String Returns the message Exchange 2010 or
with the Text to the sender in a later
explanation non-delivery report
(also known as an
Block the message NDR or bounce
> reject the message) with the
message and specified text as the
include an rejection reason. The
explanation recipient doesn't
receive the original
message or
notification.
Reject the message RejectMessageEnhanc DSNEnhancedStatusCode Returns the message Exchange 2010 or
with the enhanced edStatusCode to the sender in an later
status code NDR with the
specified enhanced
Block the message delivery status
> reject the notification (DSN)
message with the code. The recipient
enhanced status doesn't receive the
code of original message or
notification.
Delete the message DeleteMessage n/a Silently drops the Exchange 2010 or
without notifying message without later
anyone sending a notification
to the recipient or the
Block the message sender.
> delete the
message without
notifying anyone
Add the sender's AddManagerAsRecipi AddedManagerAction Adds the sender's Exchange 2010 or
manager as a entType manager to the later
recipient message as the
specified recipient
Add recipients > type (To, Cc, Bcc), or
add the sender's redirects the message
manager as a to the sender's
recipient manager without
notifying the sender
or the recipient.
Append the ApplyHtmlDisclaimer First property: Applies the specified Exchange 2010 or
disclaimer Text DisclaimerText HTML disclaimer to later
the end of the
Apply a disclaimer ApplyHtmlDisclaimer Second property: message.
to the message > FallbackAction DisclaimerFallbackAction
append a When you create or
disclaimer ApplyHtmlDisclaimer Third property modify the rule in the
TextLocation (Exchange Exchange
Management Shell Management Shell,
only): use the
DisclaimerTextLocation ApplyHtmlDisclaimer
TextLocation
parameter with the
value Append .
Prepend the ApplyHtmlDisclaimer First property: Applies the specified Exchange 2010 or
disclaimer Text DisclaimerText HTML disclaimer to later
the beginning of the
Apply a disclaimer ApplyHtmlDisclaimer Second property: message.
to the message > FallbackAction DisclaimerFallbackAction
prepend a When you create or
disclaimer ApplyHtmlDisclaimer Third property modify the rule in the
TextLocation (Exchange Exchange
Management Shell Management Shell,
only): use the
DisclaimerTextLocation ApplyHtmlDisclaimer
TextLocation
parameter with the
value Prepend .
Set the message SetHeaderName First property: Adds or modifies the Exchange 2010 or
header to this value MessageHeaderField specified header field later
SetHeaderValue in the message
Modify the Second property: header, and sets the
message properties String header field to the
> set a message specified value.
header
Set the spam SetSCL SCLValue Sets the spam Exchange 2010 or
confidence level confidence level (SCL) later
(SCL) to of the message to the
specified value.
Modify the
message properties
> set the spam
confidence level
(SCL)
Prepend the subject PrependSubject String Adds the specified Exchange 2010 or
of the message with text to the beginning later
of the Subject field of
the message.
Consider using a
space or a colon (:) as
the last character of
the specified text to
differentiate it from
the original subject
text.
Notify the sender NotifySender First property: Notifies the sender or Exchange 2013 or
with a Policy Tip NotifySenderType blocks the message later
RejectMessageReason when the message
Text Second property: matches a DLP policy.
String
RejectMessageEnhanc When you use this
edStatusCode Third property action, you need to
(Exchange (Exchange use the The
Management Shell Management Shell message contains
only) only): sensitive
DSNEnhancedStatusCode information
(MessageContainsDa
taClassification
condition.
In the Exchange
Management Shell,
you can also use the
RejectMessageEnhanc
edStatusCode
parameter to specify
the enhanced status
code. If you don't use
this parameter, the
default enhanced
status code 5.7.1 is
used.
An incident report is
generated for
messages that match
data loss prevention
(DLP) policies in your
organization.
ACTION PARAMETER IN
THE EXCHANGE
MANAGEMENT SHELL PROPERTY DESCRIPTION AVAILABLE ON AVAILABLE IN
AddToRecipients Addresses Adds one or more Mailbox servers and Exchange 2010 or
recipients to the To Edge Transport later
field of the message. servers
The original recipients
can see the additional
addresses.
BlindCopyTo Addresses Adds one or more Mailbox servers and Exchange 2010 or
recipients to the Bcc Edge Transport later
field of the message. servers
The original recipients
aren't notified, and
they can't see the
additional addresses.
CopyTo Addresses Adds one or more Mailbox servers and Exchange 2010 or
recipients to the Cc Edge Transport later
field of the message. servers
The original recipients
can see the additional
address.
DeleteMessage n/a Silently drops the Mailbox servers and Exchange 2010 or
message without Edge Transport later
sending a notification servers
to the recipient or the
sender.
PrependSubject String Adds the specified Mailbox servers and Exchange 2010 or
text to the beginning Edge Transport later
of the Subject field of servers
the message.
Consider using a
space or a colon (:) as
the last character of
the specified text to
differentiate it from
the original subject.
If the quarantine
mailbox isn't
configured, the
message is returned
to the sender in an
NDR.
ACTION PARAMETER IN
THE EXCHANGE
MANAGEMENT SHELL PROPERTY DESCRIPTION AVAILABLE ON AVAILABLE IN
SetHeaderName First property: Adds or modifies the Mailbox servers and Exchange 2010 or
MessageHeaderField specified header field Edge Transport later
SetHeaderValue in the message servers
Second property: header, and sets the
String header field to the
specified value.
SetSCL SCLValue Sets the SCL of the Mailbox servers and Exchange 2010 or
message to the Edge Transport later
specified value. servers
ACTION PARAMETER IN
THE EXCHANGE
MANAGEMENT SHELL PROPERTY DESCRIPTION AVAILABLE ON AVAILABLE IN
SmtpRejectMessageR First property: Ends the SMTP Edge Transport Exchange 2010 or
ejectText String connection between servers only later
the sending server
SmtpRejectMessageR Second property: and the Edge
ejectStatusCode SMTPStatusCode Transport server with
the specified SMTP
status code and the
specified rejection
text. The recipient
doesn't receive the
original message or
notification.
StopRuleProcessing n/a Specifies that after Mailbox servers and Exchange 2013 or
the message is Edge Transport later
affected by the rule, servers
the message is
exempt from
processing by other
rules.
Property values
The property values that are used for actions in mail flow rules are described in the following table.
AddedManagerAction One of the following values: Specifies how to include the sender's
• To manager in messages.
• Cc
• Bcc If you select To, Cc, or Bcc, the
• Redirect sender's manager is added as a
recipient in the specified field.
AuditSeverityLevel One of the following values: The values Low, Medium, or High
• Uncheck Audit this rule with specify the severity level that's assigned
severity level, or select Audit this to the incident report and to the
rule with severity level with the value corresponding entry in the message
Not specified ( DoNotAudit ) tracking log.
• Low
• Medium The other value prevents an incident
• High report from being generated, and
prevents the corresponding entry from
being written to the message tracking
log.
PROPERTY VALID VALUES DESCRIPTION
DSNEnhancedStatusCode Single DSN code value: Specifies the DSN code that's used. You
• 5.7.1 can create custom DSNs by using the
• 5.7.900 through 5.7.999 New-SystemMessage cmdlet.
IncidentReportContent One or more of the following values: Specifies the original message
• Sender properties to include in the incident
• Recipients report. You can choose to include any
• Subject combination of these properties. In
• Cc'd recipients ( Cc ) addition to the properties you specify,
• Bcc'd recipients ( Bcc ) the message ID is always included. The
• Severity available properties are:
• Sender override information (
Override ) Sender: The sender of the original
• Matching rules ( RuleDetections ) message.
• False positive reports (
FalsePositive )
Recipients, Cc'd recipients, and
Bcc'd recipients: All recipients of the
• Detected data classifications (
message, or only the recipients in the
DataClassifications )
Cc or Bcc fields. For each property,
• Matching content ( IdMatch ) only the first 10 recipients are included
• Original mail ( in the incident report.
AttachOriginalMail )
Subject: The Subject field of the
original message.
MessageClassification Single message classification object In the EAC, you select from the list of
available message classifications.
NotificationMessageText Any combination of plain text, HTML Specified the text to use in a recipient
tags, and keywords notification message.
NotifySenderType One of the following values: Specifies the type of Policy Tip that the
• Notify the sender, but allow them sender receives if the message violates
to send ( NotifyOnly ) a DLP policy. The settings are described
• Block the message ( in the following list:
RejectMessage )
• Block the message unless it's a Notify the sender, but allow them to
false positive ( send The sender is notified, but the
RejectUnlessFalsePositiveOverride message is delivered normally.
)
• Block the message, but allow the Block the message The message is
sender to override and send ( rejected, and the sender is notified.
RejectUnlessSilentOverride )
• Block the message, but allow the Block the message unless it's a false
sender to override with a business positive The message is rejected
justification and send ( unless it's marked as a false positive by
RejectUnlessExplicitOverride )
the sender.
SCLValue One of the following values: Specifies the spam confidence level
• Bypass spam filtering ( -1 ) (SCL) that's assigned to the message. A
• Integers 0 through 9 higher SCL value indicates that a
message is more likely to be spam.
PROPERTY VALID VALUES DESCRIPTION
You can add an email disclaimer, legal disclaimer, disclosure statement, signature, or other information to the top or
bottom of email messages that enter or leave your organization. You might be required to do this for legal,
business, or regulatory requirements, to identify potentially unsafe email messages, or for other reasons that are
unique to your organization.
To create a disclaimer, you create a mail flow rule (also known as transport rule) with an action that adds the
specified text to email messages. You can configure the rule to apply the disclaimer to all messages (no conditions),
or you can define conditions that determine when the disclaimer is added (for example, when the sender is a
member of a specific group, when the message includes specific words or text patterns, or outgoing messages
only). You can also define exceptions that prevent the disclaimer from being added to messages (for example,
messages from specific senders, messages sent to specific recipients, or messages that already contain the
disclaimer). To apply multiple disclaimers to the same message, you need to use multiple rules. For more
information about mail flow rules, see Mail flow rules in Exchange Server.
Looking for procedures? See Configure a Disclaimer or Other Email Header or Footer.
Examples
Note: The examples in this topic are not intended for use as-is. Modify them for your needs.
Legal - outgoing messages This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error,
please notify the system manager.
Legal - incoming messages Employees are expressly required not to make defamatory
statements and not to infringe or authorize any infringement
of copyright or any other legal right by email communications.
Employees who receive such an email must notify their
supervisor immediately.
Notice that message was sent to an alias This message was sent to the Sales discussion group.
Plain text The maximum length is 5,000 characters, including any HTML
tags and inline Cascading Style Sheets (CSS).
HTML and inline CSS You can use HTML and inline CSS styles to format the text. For
example, use the <HR> tag to add a line before the disclaimer.
HTML is ignored if the disclaimer is added to a plain text
message.
User information for personalized signatures You can use tokens to add unique attributes from each user's
Active Directory account, such as DisplayName , FirstName ,
LastName , PhoneNumber , Email , FaxNumber , and
Department . The syntax is to enclose the attribute name in
two percent signs (for example, %%DisplayName%% ).
For a complete list of attributes that can be used in disclaimers
and personalized signatures, see the description for the
ADAttribute property in Mail flow rule conditions and
exceptions (predicates) in Exchange Server.
Here's an example of an HTML disclaimer that includes a signature, an IMG tag, and embedded CSS.
<div style="font-size:9pt; font-family: 'Calibri',sans-serif;">
%%displayname%%</br>
%%title%%</br>
%%company%%</br>
%%street%%</br>
%%city%%, %%state%% %%zipcode%%</div>
</br>
<div style="background-color:#D5EAFF; border:1px dotted #003333; padding:.8em; ">
<div><img alt="Fabrikam" src="http://fabrikam.com/images/fabrikamlogo.png"></div>
<span style="font-size:12pt; font-family: 'Cambria','times new roman','garamond',serif; color:#ff0000;">HTML
Disclaimer Title</span></br>
<p style="font-size:8pt; line-height:10pt; font-family: 'Cambria','times roman',serif;">This message contains
confidential information and is intended only for the individual(s) addressed in the message. If you aren't
the named addressee, you should not disseminate, distribute, or copy this e-mail. If you aren't the intended
recipient, you aren'tified that disclosing, distributing, or copying this e-mail is strictly prohibited. </p>
<span style="padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family:
'Calibri',Arial,sans-serif; "><a href="http://www.fabrikam.com">Fabrikam, Inc. </a></span></br></br>
</div>
The recipient is located outside your Condition: The recipient is located > -FromScope NotInOrganization -
Exchange organization. An exception is Outside the organization ExceptIf -SubjectOrBodyMatches
"CONTOSO LEGAL NOTICE"
configured so messages that already Exception: The subject or body >
contain the disclaimer text "CONTOSO Subject or body matches these text
LEGAL NOTICE" don't have the patterns > CONTOSO LEGAL NOTICE
disclaimer applied again.
Incoming messages with executable Condition 1: The sender is located > -FromScope NotInOrganization -
attachments Outside the organization AttachmentHasExecutableContent
Condition 2: Any attachment > has
executable content
Sender is in the marketing department Condition: The sender > is a member -FromMemberOf "Marketing Team"
of this group > group name
Every message that comes from an Condition 1: The sender is located > -FromScope NotInOrganization -
external sender to the sales discussion Outside the organization SentTo "Sales Discussion Group"
group Condition 2: The message > To or Cc
box contains this person > group
name
For a complete list of conditions and exceptions that you can use to target the disclaimer, see Mail flow rule
conditions and exceptions (predicates) in Exchange Server.
Mail flow rules (also known as transport rules) identify and take action on messages that flow through your
Exchange organization. For more information about mail flow rules, see Mail flow rules in Exchange Server.
On Mailbox servers, you can manage mail flow rules in the Exchange admin center (EAC ) and in the Exchange
Management Shell. On Edge Transport servers, you can only use the Exchange Management Shell.
TIP
Verify that your rules work the way you expect. Be sure to thoroughly test each rule and the interactions between rules.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo
"Sales Department" -PrependSubject "External message to Sales DG: "
Replace <RuleName> with the name of the rule, and run the following command to see the details of
the rule:
In the EAC, the Version property is only visible in the details pane. This property indicates the compatibility
of the rule with previous versions of Exchange (14.n.n.n is Exchange 2010, 15.0.n.n is Exchange 2013).
Use the Exchange Management Shell to view mail flow rules
To return a summary list of all mail flow rules, run the following command:
Get-TransportRule
To return detailed information about a specific rule, use the following syntax:
This example returns all the property values for the rule named "Sender is a member of marketing".
Get-TransportRule -Identity "Sender is a member of marketing" | Format-List
This example returns only the specified properties for the same rule.
Get-TransportRulePredicate
Get-TransportRuleAction
This example adds an exception to the rule named "Sender is a member of marketing" so that it won't apply to
messages that are sent by the user named Kelly Rollin.
This example sets the priority of the rule named "Sender is a member of marketing" to 2. All existing rules that
have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-TransportRule
cmdlet.
How do you know this worked?
To verify that you have successfully modified the priority of a mail flow rule, use either of the following procedures:
In the EAC, go to Mail flow > Rules, and verify the Priority value of the rule in the list.
In the Exchange Management Shell, use either of the following procedures:
Run the following command to see the list of rules and their Priority values:
Get-TransportRule
Replace <RuleName> with the name of the rule, and run the following command:
This example disables the mail flow rule named "Sender is a member of marketing".
This example enables the mail flow rule named "Sender is a member of marketing".
For detailed syntax and parameter information, see Enable-TransportRule and Disable-TransportRule.
How do you know this worked?
To verify that you have successfully enabled or disabled a mail flow rule, use either of the following procedures:
In the EAC, go to Mail flow > Rules, and in the list of rules verify the status of the check box in the On
column.
In the Exchange Management Shell, use either of the following procedures:
Run the following command to see the list of rules and their State values:
Get-TransportRule
Replace <RuleName> with the name of the rule, and run the following command:
This example removes the mail flow rule named "Sender is a member of marketing":
Get-TransportRule
$File = Export-TransportRuleCollection
For example, to save the exported mail flow rule collection to the file C:\My Documents\Exported Rules.xml,
run the following command:
For example, to import the mail flow rule collection from C:\My Documents\Exported Rules.xml, run the
following command:
To protect from accidental or malicious deletion and to facilitate discovery efforts commonly undertaken before
or during litigation or investigations, Exchange Server and Exchange Online use the Recoverable Items folder.
The Recoverable Items folder replaces the feature that was known as the dumpster in earlier versions of
Exchange. The following Exchange features use the Recoverable Items folder:
Deleted item retention
Single item recovery
In-Place Hold
Litigation Hold
Mailbox audit logging
Calendar logging
Terminology
Knowledge of the following terms will help you understand the content in this topic.
Delete
Describes when an item is deleted from any folder and placed in the Deleted Items default folder.
Soft delete
Describes when an item is deleted from the Deleted Items default folder and placed in the Recoverable Items
folder. Also describes when an Outlook user deletes an item by pressing Shift+Delete, which bypasses the
Deleted Items folder and places the item directly in the Recoverable Items folder.
Hard delete
Describes when an item is marked to be purged from the mailbox database. This is also known as a store
hard delete.
MANAGED FOLDER
ASSISTANT
USERS CAN PURGE AUTOMATICALLY
RECOVERABLE ITEMS RECOVERABLE ITEMS ITEMS FROM THE PURGES ITEMS FROM
STATE OF SINGLE ITEM FOLDER CONTAINS FOLDER CONTAINS RECOVERABLE ITEMS THE RECOVERABLE
RECOVERY SOFT-DELETED ITEMS HARD-DELETED ITEMS FOLDER ITEMS FOLDER
In Exchange Server, single item recovery isn't enabled by default for new mailboxes or mailboxes moved from a
previous version of Exchange. You need to use the Exchange Management Shell to enable single item recovery
for a mailbox, and then configure or modify the deleted item retention period. For details about how to perform
a single item recovery, see Recover deleted messages in a user's mailbox.
In-Place Hold and Litigation Hold
In Exchange Server and Exchange Online, discovery managers can use In-Place eDiscovery with delegated
Discovery Management role group permissions to perform eDiscovery searches of mailbox content. In Exchange
Server and Exchange Online, you can use In-Place Hold to preserve mailbox items that match query parameters
and protect the items from deletion by users or automated processes. You can also use Litigation Hold to
preserve all items in user mailboxes and protect the items from deletion by users or automated processes.
Putting a mailbox on In-Place Hold or Litigation Hold stops the Managed Folder Assistant from automatically
purging messages from the DiscoveryHolds and Purges subfolders. Additionally, copy-on-write page protection
is also enabled for the mailbox. Copy-on-write page protection creates a copy of the original item before any
modifications are written to the Exchange store. After the mailbox is removed from hold, the Managed Folder
Assistant resumes automated purging.
NOTE
If you put a mailbox on both In-Place Hold and Litigation Hold, Litigation Hold takes preference because this puts the
entire mailbox on hold.
The following table lists the contents of and actions that can be performed in the Recoverable Items folder if
Litigation Hold is enabled.
Recoverable Items folder and holds
MANAGED FOLDER
ASSISTANT
RECOVERABLE ITEMS USERS CAN PURGE AUTOMATICALLY
RECOVERABLE ITEMS FOLDER CONTAINS ITEMS FROM THE PURGES ITEMS FROM
FOLDER CONTAINS MODIFIED AND HARD- RECOVERABLE ITEMS THE RECOVERABLE
STATE OF HOLD SOFT-DELETED ITEMS DELETED ITEMS FOLDER ITEMS FOLDER
To learn more about In-Place eDiscovery, In-Place Hold, and Litigation Hold, see the following topics:
In-Place eDiscovery in Exchange Server
In-Place Hold and Litigation Hold in Exchange Server
Copy-on-write page protection and modified items
If a user who is placed on In-Place Hold or Litigation Hold modifies specific properties of a mailbox item, a copy
of the original mailbox item is created before the changed item is written. The original copy is saved in the
Versions subfolder. This process is known as copy-on-write page protection. Copy-on-write page protection
applies to items residing in any mailbox folder. The Versions subfolder isn't visible to users.
The following table lists the message properties that trigger copy-on-write page protection.
Properties that trigger copy-on-write page protection
ITEM TYPE PROPERTIES THAT TRIGGER COPY-ON-WRITE PAGE PROTECTION
Items other than messages and posts Any change to a visible property, except the following:
• Item location (when an item is moved between folders)
• Item status change (read or unread)
• Changes to a retention tag applied to an item
Items in the Drafts default folder None. Items in the Drafts folder are exempt from copy-on-
write page protection.
IMPORTANT
Copy-on-write page protection doesn't save a version of the meeting when a meeting organizer receives responses from
attendees and the meeting's tracking information is updated. Also, changes to RSS feeds aren't captured by copy-on-write
page protection.
When a mailbox is no longer on In-Place Hold or litigation hold, copies of modified items stored in the Versions
folder are removed.
If the mailbox is placed on In-Place Hold or Litigation Hold, copy-on-write page protection can't maintain
versions of modified items. To maintain versions of modified items, you need to reduce the size of the
Recoverable Items folder. You can use the Search-Mailbox cmdlet to copy messages from the Recoverable Items
folder of a mailbox to a discovery mailbox, and then delete the items from the mailbox. Alternatively, you can
also raise the Recoverable Items quota for the mailbox. For details, see Clean up or delete items from the
Recoverable Items folder.
More information
Copy-on-write is only enabled when a mailbox is on In-Place Hold or Litigation Hold.
If users need to recover deleted items from the Recoverable Items folder, point them to the following
topics:
Restore deleted items in Outlook 2013 or Outlook Server
Recover deleted items or email in Outlook on the web
Clean up or delete items from the Recoverable Items
folder
8/23/2019 • 8 minutes to read • Edit Online
The Recoverable Items folder (known in earlier versions of Exchange as the dumpster) exists to protect from
accidental or malicious deletions and to facilitate discovery efforts commonly undertaken before or during
litigation or investigations.
How you clean up a user's Recoverable Items folder depends on whether the mailbox is placed on In-Place Hold or
Litigation Hold, or had single item recovery enabled:
If a mailbox isn't placed on In-Place Hold or Litigation Hold or doesn't have single item recovery enabled,
you can simply delete items from the Recoverable Items folder. After items are deleted, you can't use single
item recovery to recover them.
If the mailbox is placed on In-Place Hold or Litigation Hold or has single item recovery enabled, you'll want
to preserve the mailbox data until the hold is removed or single item recovery is disabled. In this case, you
need to perform more detailed steps to clean up the Recoverable Items folder.
To learn more about In-Place Hold and Litigation Hold, see In-Place Hold and Litigation Hold in Exchange Server.
To learn more about single item recovery, see "Single Item Recovery" in Recoverable Items folder in Exchange
Server.
NOTE
To delete items from the mailbox without copying them to another mailbox, use the preceding command without the
TargetMailbox and TargetFolder parameters.
2. Retrieve the mailbox access settings for the mailbox. Be sure to note these settings for later.
3. Retrieve the current size of the Recoverable Items folder. Note the size so you can raise the quotas in Step 6.
4. Retrieve the current Managed Folder Assistant work cycle configuration. Be sure to note the setting for later.
5. Disable client access to the mailbox to make sure no changes can be made to mailbox data for the duration
of this procedure.
6. To make sure no items are deleted from the Recoverable Items folder, increase the Recoverable Items quota,
increase the Recoverable Items warning quota, and set the deleted item retention period to a value higher
than the current size of the user's Recoverable Items folder. This is particularly important for preserving
messages for mailboxes placed on In-Place Hold or Litigation Hold. We recommend raising these settings
to twice their current size.
IMPORTANT
If the mailbox resides on a mailbox database in a database availability group (DAG), you must disable the Managed
Folder Assistant on each DAG member that hosts a copy of the database. If the database fails over to another server,
this prevents the Managed Folder Assistant on that server from deleting mailbox data.
8. Disable single item recovery and remove the mailbox from Litigation Hold.
Set-Mailbox "Gurinder Singh" -SingleItemRecoveryEnabled $false -LitigationHoldEnabled $false
IMPORTANT
After you run this command, it may take up to one hour to disable single item recovery or Litigation Hold. We
recommend that you perform the next step only after this period has elapsed.
9. Copy items from the Recoverable Items folder to a folder in the Discovery Search Mailbox and delete the
contents from the source mailbox.
If you need to delete only messages that match specified conditions, use the SearchQuery parameter to
specify the conditions. This example deletes messages that have the string "Your bank statement" in the
Subject field.
NOTE
It isn't required to copy items to the Discovery Search Mailbox. You can copy messages to any mailbox. However, to
prevent access to potentially sensitive mailbox data, we recommend copying messages to a mailbox that has access
restricted to authorized records managers. By default, access to the default Discovery Search Mailbox is restricted to
members of the Discovery Management role group. For details, see In-Place eDiscovery in Exchange Server.
10. If the mailbox was placed on Litigation Hold or had single item recovery enabled earlier, enable these
features again.
IMPORTANT
After you run this command, it may take up to one hour to enable single item recovery or Litigation Hold. We
recommend that you enable the Managed Folder Assistant and allow client access (Steps 11 and 12) only after this
period has elapsed.
12. Enable the Managed Folder Assistant by setting the work cycle back to the value you noted in Step 4. This
example sets the work cycle to one day.
For detailed syntax and parameter information, see the following topics:
Get-Mailbox
Get-CASMailbox
Get-MailboxFolderStatistics
Get-MailboxServer
Set-CASMailbox
Set-Mailbox
Set-MailboxServer
Search-Mailbox
As an administrator in Exchange Server, you can enable Secure/Multipurpose Internet Mail Extensions (S/MIME )
for your organization. S/MIME is a widely accepted method (more precisely, a protocol) for sending digitally
signed and encrypted messages. S/MIME allows you to encrypt emails and digitally sign them. When you use
S/MIME, it helps the people who receive the message by:
Ensuring that the message in their inbox is the exact message that started with the sender.
Ensuring that the message came from the specific sender and not from someone pretending to be the
sender.
To do this, S/MIME provides for cryptographic security services such as authentication, message integrity, and
non-repudiation of origin (using digital signatures). S/MIME also helps enhance privacy and data security (using
encryption) for electronic messaging.
S/MIME requires a certificate and publishing infrastructure that is often used in business-to-business and
business-to-consumer situations. The user controls the cryptographic keys in S/MIME and can choose whether to
use them for each message they send. Email programs such as Outlook search a trusted root certificate authority
location to perform digital signing and verification of the signature.
For a more complete background about the history and architecture of S/MIME in the context of email, see
Understanding S/MIME.
Transport Layer Security (TLS ): Encrypts the tunnel or the route between email servers in order to help
prevent snooping and eavesdropping, and encrypts the connection between email clients and servers.
Note: Secure Sockets Layer (SSL ) is being replaced by Transport Layer Security (TLS ) as the protocol that's used
to encrypt data sent between computer systems. They're so closely related that the terms "SSL" and "TLS"
(without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange
topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both
the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided
(for example, SSL 3.0). To find out why you should disable the SSL protocol and switch to TLS, check out
Protecting you against the SSL 3.0 vulnerability.
BitLocker: Encrypts the data on a hard drive in a datacenter so that if someone gets unauthorized access, they
can't read it.
High availability and site resilience
8/23/2019 • 12 minutes to read • Edit Online
You can protect your Exchange Server mailbox databases and the data they contain by configuring your Exchange
servers and databases for high availability and site resilience. Exchange Server minimizes the cost and complexity
of deploying a highly available and resilient messaging solution while providing high levels of service and data
availability and support for very large mailboxes.
Exchange Server enables customers of all sizes and in all segments to economically deploy a messaging continuity
service in their organization by building on the native replication capabilities and high availability architecture
introduced in Exchange 2010. For a list of changes since Exchange 2010, see Changes to high availability and site
resilience over previous versions.
Key terminology
The following key terms are important to understand high availability or site resilience:
Active Manager
An internal Exchange component which runs inside the Microsoft Exchange Replication service that's
responsible for failure monitoring and corrective action through failover within a database availability group
(DAG ).
AutoDatabaseMountDial
A property setting of a Mailbox server that determines whether a passive database copy will automatically
mount as the new active copy, based on the number of log files missing by the copy being mounted.
In block mode, as each update is written to the active database copy's active log buffer, it's also shipped to a log
buffer on each of the passive mailbox copies in block mode. When the log buffer is full, each database copy
builds, inspects, and creates the next log file in the generation sequence.
In file mode, closed transaction log files are pushed from the active database copy to one or more passive
database copies.
Database mobility
The ability of an Exchange Server mailbox database to be replicated to and mounted on other Exchange
servers.
Datacenter
Typically this refers to an Active Directory site; however, it can also refer to a physical site. In the context of this
documentation, datacenter equals Active Directory site.
A property of the DAG setting that, when enabled, forces the Microsoft Exchange Replication service to acquire
permission to mount databases at startup.
Disaster recovery
Any process used to manually recover from a failure. This can be a failure that affects a single item, or it can be
a failure that affects an entire physical location.
An Exchange-provided API that enables use of third-party synchronous replication for a DAG instead of
continuous replication.
High availability
A solution that provides service availability, data availability, and automatic recovery from failures that affect
the service or data (such as a network, storage, or server failure).
Incremental deployment
The ability to deploy high availability and site resilience after Exchange Server is installed.
A passive mailbox database copy that has a log replay lag time greater than zero.
A mailbox database (.edb file and logs), which is either active or passive.
Mailbox resiliency
The name of a unified high availability and site resilience solution in Exchange Server.
Managed availability
A set of internal processes made up of probes, monitors, and responders that incorporate monitoring and high
availability across all server roles and all protocols.
Short for switchovers and failovers. A switchover is a manual activation of one or more database copies. A
failover is an automatic activation of one or more database copies after a failure.
Safety Net
Formerly known as transport dumpster, this is a feature of the transport service that stores a copy of all
messages for X days. The default setting is 2 days.
Shadow redundancy
A transport server feature that provides redundancy for messages for the entire time they're in transit.
Site resilience
A configuration that extends the messaging infrastructure to multiple Active Directory sites to provide
operational continuity for the messaging system in the event of a failure affecting one of the sites.
Active Manager
Exchange Server leverages Active Manager to manage the database and database copy health, status, continuous
replication, and other aspects of high availability. For more information about Active Manager, see Active Manager.
Site resilience
In Exchange 2010, you could deploy a DAG across two datacenters and host the witness in a third datacenter and
enable failover for the Mailbox server role for either datacenter. But you didn't get failover for the solution itself
because the namespace still needed to be manually changed for the non-Mailbox server roles.
In Exchange 2016 and Exchange 2019, the namespace doesn't need to move with the DAG. Exchange leverages
fault tolerance built into the namespace through multiple IP addresses, load balancing (and if need be, the ability to
take servers in and out of service). Modern HTTP clients work with this redundancy automatically. The HTTP stack
can accept multiple IP addresses for a fully qualified domain name (FQDN ), and if the first IP address it tries fails
hard (that is, it can't connect), it will try the next IP address in the list. In a soft failure (connection is lost after the
session is established, perhaps due to an intermittent failure in the service where, for example, a device is dropping
packets and needs to be taken out of service), the user might need to refresh their browser.
This means the namespace is no longer a single point of failure as it was in Exchange 2010. In Exchange 2010,
perhaps the biggest single point of failure in the messaging system is the FQDN that you give to users because it
tells the user where to go. In the Exchange 2010 paradigm, changing where that FQDN goes isn't easy because
you have to change DNS, and then handle DNS latency, which in some parts of the world is challenging. And you
have name caches in browsers that are typically about 30 minutes or more that also have to be handled.
In Exchange Server, clients have more than one place to go. Almost all the client access protocols in Exchange
Server are HTTP based. Examples include Outlook, EAS, EWS, Outlook on the web, and EAC ). All supported HTTP
clients have the ability to use multiple IP addresses, thereby providing failover on the client side. You can configure
DNS to hand multiple IP addresses to a client during name resolution. The client asks for mail.contoso.com and
gets back two IP addresses, or four IP addresses, for example. However many IP addresses the client gets back will
be used reliably by the client. This makes the client a lot better off because if one of the IP addresses fails, the client
has one or more alternative IP addresses to try to connect to. If a client tries one and it fails, it waits about 20
seconds and then tries the next one in the list. Thus, if you lose the VIP for the Client Access service array, recovery
for the clients happens automatically, and in about 21 seconds.
The benefits include the following:
In Exchange Server, if you lose the load balancer in your primary site, you simply turn it off (or maybe turn
off the VIP ) and repair or replace it. Clients that aren't already using the VIP in the secondary datacenter will
automatically fail over to the secondary VIP without any change of namespace, and without any change in
DNS. Not only does that mean you no longer have to perform a switchover, but it also means that all of the
time normally associated with a datacenter switchover recovery isn't spent. In Exchange 2010, you had to
handle DNS latency (hence, the recommendation to set the Time to Live (TTL ) to 5 minutes, and the
introduction of the failback URL ). In Exchange 2016 and Exchange 2019, you don't need to do that because
you get fast failover (20 seconds) of the namespace between VIPs (datacenters).
Because you can fail over the namespace between datacenters, all that's needed to achieve a datacenter
failover is a mechanism for failover of the Mailbox server role across datacenters. To get automatic failover
for the DAG, you simply architect a solution where the DAG is evenly split between two datacenters, and
then place the witness server in a third location so that it can be arbitrated by DAG members in either
datacenter, regardless of the state of the network between the datacenters that contain the DAG members. If
you only have two datacenters and a third physical location isn't available, you can place the witness server
on a Microsoft Azure virtual machine. See Using a Microsoft Azure VM as a DAG witness server for more
information.
In this scenario, the administrator's efforts are geared toward simply fixing the problem, and not spent
restoring service. You simply fix the thing that failed; while service has been running and data integrity has
been maintained. The urgency and stress level you feel when fixing a broken device is nothing like the
urgency and stress you feel when you're working to restore service. It's better for the end user, and less
stressful for the administrator.
You can allow failover to occur without having to perform switchbacks (sometimes mistakenly referred to as
failbacks). If you lose servers in your primary datacenter, resulting in a 20 second interruption for clients, you might
not even care about failing back. At this point, your primary concern would be fixing the core issue (for example,
replacing the failed load balancer). After it's back online and functioning, some clients will start using it, and other
clients might remain operational through the second datacenter.
Exchange Server also provides functionality that enables administrators to deal with intermittent failures. An
intermittent failure is where, for example, the initial TCP connection can be made, but nothing happens afterward.
An intermittent failure requires some sort of extra administrative action to be taken because it might be the result
of a replacement device being put into service. While this repair process is occurring, the device might be powered
on and accepting some requests, but not really ready to service clients until the necessary configuration steps are
performed. In this scenario, the administrator can perform a namespace switchover by simply removing the VIP
for the device being replaced from DNS. Then during that service period, no clients will be trying to connect to it.
After the replacement process has completed, the administrator can add the VIP back to DNS, and clients will
eventually start using it.
For details about planning and deploying site resilience, see Plan for high availability and site resilience and
Deploying high availability and site resilience.
TOPIC DESCRIPTION
Database availability groups Learn about DAGs, Active Manager, Datacenter Activation
Coordination (DAC) mode, and mailbox database copies.
Plan for high availability and site resilience Learn about the general, hardware, network, software, witness
server, and other requirements and best practices for DAGs.
Deploying high availability and site resilience Explore an example deployment scenario for deploying and
configuring DAGs.
TOPIC DESCRIPTION
Managing high availability and site resilience Learn about DAG management tasks, switchovers and
failovers, and maintenance mode.
Monitor database availability groups Learn about the built-in cmdlets and scripts for monitoring
DAGs and database copies.
Backup, restore, and disaster recovery Learn about backing up and restoring Exchange databases,
recovery databases, and server recovery.
Changes to high availability and site resilience over
previous versions of Exchange Server
8/23/2019 • 23 minutes to read • Edit Online
Exchange Server 2013 and later uses DAGs and mailbox database copies (along with other features such as single
item recovery, retention policies, and lagged database copies) to provide high availability, site resilience, and
Exchange native data protection. The high availability platform, Exchange Information Store and Extensible
Storage Engine (ESE ) have all been enhanced since Exchange 2010 to provide availability and less complex
management, and to reduce costs. These enhancements include:
Reduction in IOPS: This enables you to leverage larger disks in terms of capacity and IOPS as efficiently
as possible.
Managed availability: With managed availability, internal monitoring and recovery-oriented features are
tightly integrated to help prevent failures, proactively restore services, and initiate server failovers
automatically or alert administrators to take action. The focus is on monitoring and managing the end-user
experience rather than just server and component uptime to help keep the service continuously available.
Managed Store: The Managed Store is the name of the rewritten Information Store processes in Exchange
2013 or later. The Managed Store is written in C# and tightly integrated with the Microsoft Exchange
Replication service (MSExchangeRepl.exe) to provide higher availability through improved resiliency.
Support for multiple databases per disk: Enhancements enable you to support multiple databases
(mixtures of active and passive copies) on the same disk, thereby leveraging larger disks in terms of
capacity and IOPS as efficiently as possible.
AutoReseed: Automatic reseeding capability enables you to quickly restore database redundancy after disk
failure. If a disk fails, the database copy stored on that disk is copied from the active database copy to a
spare disk on the same server. If multiple database copies were stored on the failed disk, they can all be
automatically reseeded on a spare disk. This enables faster reseeds, as the active databases are likely to be
on multiple servers and the data is copied in parallel.
Automatic recovery from storage failures: This feature continues the innovation that was introduced in
Exchange 2010 to allow the system to recover from failures that affect resiliency or redundancy. Exchange
now includes additional recovery behaviors for long I/O times, excessive memory consumption by
MSExchangeRepl.exe, and severe cases where the system is in such a bad state that threads can't be
scheduled.
Lagged copy enhancements: Lagged copies can now care for themselves to a certain extent using
automatic log play down. Lagged copies will automatically play down log files in a variety of situations, such
as page patching and low disk space scenarios. If the system detects that page patching is required for a
lagged copy, the logs will be automatically replayed into the lagged copy to perform page patching. Lagged
copies will also invoke this auto replay feature when a low disk space threshold has been reached, and when
the lagged copy has been detected as the only available copy for a specific period of time. In addition,
lagged copies can leverage Safety Net, making recovery or activation much easier.
Single copy alert enhancements: The single copy alert introduced in Exchange 2010 is no longer a
separate scheduled script. It's now integrated into the managed availability components within the system
and is a native function within Exchange.
DAG network auto-configuration: DAG networks can be automatically configured by the system based
on configuration settings. In addition to manual configuration options, DAGs can also distinguish between
MAPI and replication networks and configure DAG networks automatically.
Reduction in IOPS
In Exchange 2010, passive database copies have a very low checkpoint depth, which is required for fast failover. In
addition, the passive copy performs aggressive pre-reading of data to keep up with a 5-megabyte (MB ) checkpoint
depth. As a result of using a low checkpoint depth and performing these aggressive pre-read operations, IOPS for
a passive database copy was equal to IOPS for an active copy in Exchange 2010.
In Exchange 2013 or later, the system is able to provide fast failover while using a high checkpoint depth on the
passive copy (100 MB ). Because passive copies have 100-MB checkpoint depth, they've been de-tuned to no
longer be so aggressive. As a result of increasing the checkpoint depth and de-tuning the aggressive pre-reads,
IOPS for a passive copy is about 50 percent of the active copy IOPS.
Having a higher checkpoint depth on the passive copy also results in other changes. On failover in Exchange 2010,
the database cache is flushed as the database is converted from a passive copy to an active copy. Starting in
Exchange 2013, ESE logging was rewritten so that the cache is persisted through the transition from passive to
active. Because ESE doesn't need to flush the cache, you get fast failover.
One other change was made to the background database maintenance (BDM ) process. BDM now processes
around 1-2 MB per second per copy.
As a result of these changes, Exchange now provides a significant reduction in IOPS over Exchange 2010.
Managed Availability
Managed Availability is the integration of built-in, active monitoring and the Exchange high availability platform.
With Managed Availability, the system can make a determination on when to fail over a database based on service
health. Managed Availability is an internal infrastructure that's deployed in the Client Access (frontend) services
and backend services on Mailbox servers. Managed Availability includes three main asynchronous components
that are constantly doing work:
1. The first component is the probe engine, which is responsible for taking measurements on the server and
collecting data. The results of those measurements flow into the second component, the monitor.
2. The monitor contains all of the business logic used by the system based on what is considered healthy on
the data collected. Similar to a pattern recognition engine, the monitor looks for the various different
patterns on all the collected measurements, and then it decides whether something is considered healthy.
3. Finally, there is the responder engine, which is responsible for recovery actions.
When something is unhealthy, the first action is to attempt to recover that component. This could include multi-
stage recovery actions; for example:
1. Restart the application pool.
2. Restart the service.
3. Restart the server.
4. Take the server offline so that it no longer accepts traffic.
If the recovery actions are unsuccessful, the system escalates the issue to a human through event log notifications.
Managed availability is implemented in the form of two services:
Exchange Health Manager Service (MSExchangeHMHost.exe): This is a controller process that's
used to manage worker processes. It's used to build, execute, and start and stop the worker process as
needed. It's also used to recover the worker process in case that process crashes, to prevent the worker
process from being a single point of failure.
Exchange Health Manager Worker process (MSExchangeHMWorker.exe): This is the worker process
that's responsible for performing the runtime tasks.
Managed availability uses persistent storage to perform its functions:
XML configuration files are used to initialize the work item definitions during startup of the worker process.
The registry is used to store runtime data, such as bookmarks.
The crimson channel event log infrastructure is used to store the work item results.
For more information about managed availability, see Managed availability.
Managed Store
Exchang 2010 and earlier versions support running a single instance of the Information Store process (Store.exe)
on the Mailbox server role. This single Store instance hosts all databases on the server: active, passive, lagged, and
recovery. In these Exchange architectures, there is little, if any, isolation between the different databases hosted on
a Mailbox server. An issue with a single mailbox database has the potential to negatively affect all other databases,
and crashes resulting from a mailbox corruption can affect service for all users whose databases are hosted on that
server.
Another challenge with a single Store instance is the lack of processor scalability with the Extensible Storage
Engine (ESE ). ESE scales well to 8-12 processor cores, but beyond that, cross-processor communication and cache
synchronization issues lead to negative performance. Given today's servers with 16+ core systems available, this
would impose the administrative challenge of managing the affinity of 8-12 cores for ESE and using the other
cores for non-Store processes (for example, Assistants, Search Foundation, Managed Availability, etc.). Moreover,
the previous architecture restricted scale-up for the Store process.
The Store.exe process has evolved considerably throughout the years as Exchange Server itself evolved, but as a
single process, ultimately its scalability is limited, and it represents a single point of failure. Because of these limits,
Store.exe was removed in Exchange 2013 and replaced by the Managed Store.
For more information, see Managed Store.
The configuration in the diagram provides a symmetrical design. All four servers have the same four databases all
hosted on a single disk per server. The key is that the number of copies of each database that you have should be
equal to the number of database copies per disk.
In the configuration in the diagram, there are four copies of each database: one active copy, two passive copies,
and one lagged copy. Because there are four copies of each database, the proper configuration is one that has four
copies per volume.
In addition, activation preference is configured so that it's balanced across the DAG and across each server. For
example:
The active copy will have an activation preference value of 1.
The first passive copy will have an activation preference value of 2.
The second passive copy will have an activation preference value of 3.
The lagged copy will have an activation preference value of 4.
In addition to having a better distribution of users across the existing volumes, another benefit of using multiple
databases per disk is a reduction in the amount of time to restore data protection for failures that require a reseed
(for example, disk failure).
As a database gets bigger, reseeding the database takes longer. For example, a 2 terabyte database could take 23
hours to reseed, whereas an 8 terabyte database could take as long as 93 hours (almost 4 days). Both seeds would
occur at about 20 MB per second. This generally means that a very large database can't be seeded within an
operationally reasonable amount of time.
In the case of a single database copy per disk scenario, the seeding operation is effectively source-bound, because
it's always seeding the disk from a single source.
By dividing the volume into multiple database copies, and by having the active copy of the passive databases on a
specified volume stored on separate DAG members, the system is no longer source bound in the context of
reseeding the disk. When a failed disk is replaced, it can be reseeded from multiple sources. This allows the system
to reseed and restore data protection for these databases in a much shorter amount of time.
When you use multiple databases per volume, we recommend that you follow these best practices and
requirements:
A single logical disk partition per physical disk must be used. Don't create multiple partitions on the disk.
Each database copy and its companion files (such as transaction logs and content index) should be hosted in
a unique directory on the single partition.
The number of database copies configured per volume should be equal to the number of copies of each
database. For example, if you have four copies of your databases, you should use four database copies per
volume.
Database copies should have the same neighbors. (For example, they should all share the same disk on
each server.)
Activation preference across the DAG should be balanced, such that each database copy on a specified disk
has a unique activation preference value.
AutoReseed
Automatic reseed (also known as AutoReseed) is the replacement for what is normally an administrator-driven
action in response to a disk failure, database corruption event, or other issue that requires a reseed of a database
copy. AutoReseed is designed to automatically restore database redundancy after a disk failure by using spare
disks that have been provisioned on the system.
For more information, see AutoReseed. For detailed steps to configure AutoReseed, see Configure AutoReseed for
a database availability group.
ESE Database Hung IO ESE checks for outstanding Generates a failure item in 240 seconds
Detection I/Os the crimson channel to
restart the server
Failure Item Channel Ensures failure items can be Replication service 30 seconds
Heartbeat written to and read from heartbeats crimson channel
crimson channel and restart server on failures
NAME CHECK ACTION THRESHOLD
System Disk Heartbeat Verifies server's system disk Periodically sends 120 seconds
state unbuffered I/O to system
disk; restarts server on
heartbeat time out
Exchange 2013 and later enhances server and storage resilience by including behaviors for other serious
conditions. These conditions and behaviors are described in the following table.
System bad state No threads, including non- Restart the server 302 seconds
managed threads, can be
scheduled
Long I/O times I/O operation latency Restart the server 41 seconds
measurements
Replication service memory Measure the working set of 1: Log event 4395 in the 4 gigabyte (GB)
use MSExchangeRepl.exe crimson channel with a
service termination request
2: Initiate termination of
MSExchangeRepl.exe
3: If service termination fails,
restart the server
System Event 129 (Bus Check for Event 129 in Restart the server When event occurs
reset) System event log
Cluster database hang Global Update Manager Restart the server When event occurs
updates are blocked
After being enabled, play down occurs when there are fewer than three copies. You can change the default value of
3, by modifying the following DWORD registry value.
HKLM\Software\Microsoft\ExchangeServer\v15\Replay\Parameters\ReplayLagManagerNumAvailable
Copies
To enable play down for low disk space thresholds, you must configure the following registry entry.
HKLM\Software\Microsoft\ExchangeServer\v15\Replay\Parameters\ReplayLagLowSpacePlaydownThr
esholdInMB
After configuring either of these registry settings, restart the Microsoft Exchange DAG Management service for
the changes to take effect.
As an example, consider an environment where a given database has 4 copies (3 highly available copies and 1
lagged copy), and the default setting is used for ReplayLagManagerNumAvailableCopies. If a non-lagged copy is
out-of-service for any reason (for example, it is suspended, etc.) then the lagged copy will automatically play down
its log files in 24 hours.
A database availability group (DAG ) is the base component of the Mailbox server high availability and site
resilience framework built into Microsoft Exchange Server. A DAG is a group of up to 16 Mailbox servers that
hosts a set of databases and provides automatic database-level recovery from failures that affect individual
servers or databases.
IMPORTANT
All servers within a DAG must be running the same version of Exchange. For example, you can't mix Exchange 2013 servers
and Exchange 2016 servers in the same DAG.
A DAG is a boundary for mailbox database replication, database and server switchovers and failovers, and an
internal component called Active Manager. Active Manager, which runs on every Mailbox server, manages
switchovers and failovers within DAGs. For more information about Active Manager, see Active Manager.
Any server in a DAG can host a copy of a mailbox database from any other server in the DAG. When a server is
added to a DAG, it works with the other servers in the DAG to provide automatic recovery from failures that affect
mailbox databases, such as a disk, server, or network failure.
NOTE
For more information about creating DAGs, managing DAG membership, configuring DAG properties, creating and
monitoring mailbox database copies, and performing switchovers, see Managing high availability and site resilience.
NOTE
It's supported to create a DAG that contains a combination of physical Mailbox servers and virtualized Mailbox servers,
provided that the servers and solution comply with the Exchange Server system requirements and the requirements set
forth in Exchange Server virtualization. As with all Exchange high availability configurations, you must ensure that all Mailbox
servers in the DAG are sized appropriately to handle the necessary workload during scheduled and unscheduled outages.
A DAG is created by using the New -DatabaseAvailabilityGroup cmdlet. A DAG is initially created as an empty
object in Active Directory. This directory object is used to store relevant information about the DAG, such as
server membership information and some DAG configuration settings. When you add the first server to a DAG, a
failover cluster is automatically created for the DAG. This failover cluster is used exclusively by the DAG, and the
cluster must be dedicated to the DAG. Use of the cluster for any other purpose isn't supported.
In addition to a failover cluster being created, the infrastructure that monitors the servers for network or server
failures is initiated. The failover cluster heartbeat mechanism and cluster database are then used to track and
manage information about the DAG that can change quickly, such as database mount status, replication status,
and last mounted location.
During creation, the DAG is given a unique name, and either assigned one or more static IP addresses or
configured to use Dynamic Host Configuration Protocol (DHCP ), or created without a cluster administrative
access point. DAGs without an administrative access point can be created only on servers running Exchange 2019,
Exchange 2016, or Exchange 2013 Service Pack 1 or later, with Windows Server 2012 R2 Standard or Datacenter
edition. DAGs without cluster administrative access points have the following characteristics:
There is no IP address assigned to the cluster/DAG, and therefore no IP Address Resource in the cluster
core resource group.
There is no network name assigned to the cluster, and therefore no Network Name Resource in the cluster
core resource group
The name of the cluster/DAG is not registered in DNS, and it is not resolvable on the network.
A cluster name object (CNO ) is not created in Active Directory.
The cluster cannot be managed using the Failover Cluster Management tool. It must be managed using
Windows PowerShell, and the PowerShell cmdlets must be run against individual cluster members.
This example shows you how to use the Exchange Management Shell to create a DAG with a cluster
administrative access point that will have three servers. Two servers (EX1 and EX2) are on the same subnet
(10.0.0.0), and the third server (EX3) is on a different subnet (192.168.0.0).
The commands to create a DAG without a cluster administrative access point are very similar:
The cluster for DAG1 is created when EX1 is added to the DAG. During cluster creation, the Add-
DatabaseAvailabilityGroupServer cmdlet retrieves the IP addresses configured for the DAG and ignores the
ones that don't match any of the subnets found on EX1. In the first example above, the cluster for DAG1 is created
with an IP address of 10.0.0.5, and 192.168.0.5 is ignored. In the second example above, the value of the
DatabaseAvailabilityGroupIPAddresses parameter instructs the task to create a failover cluster for the DAG that
does not have an administrative access point. Thus, the cluster is created with an IP address or network name
resource in the core cluster resource group.
Then, EX2 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP addresses
configured for the DAG. There are no changes to the cluster's IP addresses because in EX2 is on the same subnet
as EX1.
Then, EX3 is added, and the Add-DatabaseAvailabilityGroupServer cmdlet again retrieves the IP addresses
configured for the DAG. Because a subnet matching 192.168.0.5 is present on EX3, the 192.168.0.5 address is
added as an IP address resource in the cluster group. In addition, an OR dependency for the Network Name
resource for each IP address resource is automatically configured. The 192.168.0.5 address will be used by the
cluster when the cluster core resource group moves to EX3.
For DAGs with cluster administrative access points, Windows failover clustering registers the IP addresses for the
cluster in the Domain Name System (DNS ) when the Network Name resource is brought online. In addition,
when EX1 is added to the cluster, a cluster name object (CNO ) is created in Active Directory. The network name,
IP address(es), and CNO for the cluster are not used for DAG functions. Administrators and end users don't need
to interface with or connect to the cluster/DAG name or IP address for any reason. Some third party applications
connect to the cluster administrative access point to perform management tasks, such as backup or monitoring. If
you do not use any third party applications that require a cluster administrative access point, and your DAG is
running Exchange 2016 or Exchange 2019 on Windows Server 2012 R2, then we recommend creating a DAG
without an administrative access point. This simplifies DAG configuration, eliminates the need for one or more IP
addresses, and reduces the attack surface of a DAG.
DAGs are also configured to use a witness server and a witness directory. The witness server and witness
directory are either automatically configured by the system, or they can be manually configured by the
administrator. In the examples above, EX4 (a server that is not and will not be a member of the DAG ) is being
manually configured as the DAG's witness server.
By default, a DAG is designed to use the built-in continuous replication feature to replicate mailbox databases
among servers in the DAG. If you're using third-party data replication that supports the Third Party Replication
API in Exchange Server, you must create the DAG in third-party replication mode by using the New -
DatabaseAvailabilityGroup cmdlet with the ThirdPartyReplication parameter. After this mode is enabled, it can't be
disabled.
After the DAG is created, Mailbox servers can be added to the DAG. When the first server is added to the DAG, a
cluster is formed for use by the DAG. DAGs make use of Windows failover clustering technology, such as the
cluster heartbeat, cluster networks, and the cluster database (for storing data that changes, such as database state
changes from active to passive or vice versa, or from mounted to dismounted and vice versa). As each subsequent
server is added to the DAG, it's joined to the underlying cluster, the cluster's quorum model is automatically
adjusted by Exchange, and the server is added to the DAG object in Active Directory.
After Mailbox servers are added to a DAG, you can configure a variety of DAG properties, such as whether to use
network encryption or network compression for database replication within the DAG. You can also configure DAG
networks and create additional DAG networks.
After you add members to a DAG and configure the DAG, the active mailbox databases on each server can be
replicated to the other DAG members. After you create mailbox database copies, you can monitor the health and
status of the copies using a variety of built-in monitoring tools. In addition, you can perform database and server
switchovers.
Database availability group quorum models
Underneath every DAG is a Windows failover cluster. Failover clusters use the concept of quorum, which uses a
consensus of voters to ensure that only one subset of the cluster members (which could mean all members or a
majority of members) is functioning at one time. Quorum isn't a new concept for Exchange Server. Highly
available Mailbox servers in previous versions of Exchange also use failover clustering and its concept of quorum.
Quorum represents a shared view of members and resources, and the term quorum is also used to describe the
physical data that represents the configuration within the cluster that's shared between all cluster members. As a
result, all DAGs require their underlying failover cluster to have quorum. If the cluster loses quorum, all DAG
operations terminate and all mounted databases hosted in the DAG dismount. In this event, administrator
intervention is required to correct the quorum problem and restore DAG operations.
Quorum is important to ensure consistency, to act as a tie-breaker to avoid partitioning, and to ensure cluster
responsiveness:
Ensuring consistency: A primary requirement for a Windows failover cluster is that each of the members
always has a view of the cluster that's consistent with the other members. The cluster hive acts as the
definitive repository for all configuration information relating to the cluster. If the cluster hive can't be
loaded locally on a DAG member, the Cluster service doesn't start, because it isn't able to guarantee that
the member meets the requirement of having a view of the cluster that's consistent with the other
members.
Acting as a tie-breaker: A quorum witness resource is used in DAGs with an even number of members to
avoid split brain syndrome scenarios and to make sure that only one collection of the members in the DAG
is considered official. When the witness server is needed for quorum, any member of the DAG that can
communicate with the witness server can place a Server Message Block (SMB ) lock on the witness server's
witness.log file. The DAG member that locks the witness server (referred to as the locking node) retains an
additional vote for quorum purposes. The DAG members in contact with the locking node are in the
majority and maintain quorum. Any DAG members that can't contact the locking node are in the minority
and therefore lose quorum.
Ensuring responsiveness: To ensure responsiveness, the quorum model makes sure that, whenever the
cluster is running, enough members of the distributed system are operational and communicative, and at
least one replica of the cluster's current state can be guaranteed. No additional time is required to bring
members into communication or to determine whether a specific replica is guaranteed.
DAGs with an even number of members use the failover cluster's Node and File Share Majority quorum mode,
which employs an external witness server that acts as a tie-breaker. In this quorum mode, each DAG member gets
a vote. In addition, the witness server is used to provide one DAG member with a weighted vote (for example, it
gets two votes instead of one). The cluster quorum data is stored by default on the system disk of each member of
the DAG, and is kept consistent across those disks. However, a copy of the quorum data isn't stored on the witness
server. A file on the witness server is used to keep track of which member has the most updated copy of the data,
but the witness server doesn't have a copy of the cluster quorum data. In this mode, a majority of the voters (the
DAG members plus the witness server) must be operational and able to communicate with each other to maintain
quorum. If a majority of the voters can't communicate with each other, the DAG's underlying cluster loses quorum,
and the DAG will require administrator intervention to become operational again.
DAGs with an odd number of members use the failover cluster's Node Majority quorum mode. In this mode, each
member gets a vote, and each member's local system disk is used to store the cluster quorum data. If the
configuration of the DAG changes, that change is reflected across the different disks. The change is only
considered to have been committed and made persistent if that change is made to the disks on half the members
(rounding down) plus one. For example, in a five-member DAG, the change must be made on two plus one
members, or three members total.
Quorum requires a majority of voters to be able to communicate with each other. Consider a DAG that has four
members. Because this DAG has an even number of members, an external witness server is used to provide one
of the cluster members with a fifth, tie-breaking vote. To maintain a majority of voters (and therefore quorum), at
least three voters must be able to communicate with each other. At any time, a maximum of two voters can be
offline without disrupting service and data access. If three or more voters are offline, the DAG loses quorum, and
service and data access will be disrupted until you resolve the problem.
Active Manager
8/23/2019 • 9 minutes to read • Edit Online
Microsoft Exchange Server includes a component called Active Manager that manages the high availability
platform that includes the database availability group (DAG ) and mailbox database copies. Active Manager runs
inside the Microsoft Exchange Replication service (MSExchangeRepl.exe) on all Mailbox servers. On Mailbox
servers that aren't members of a DAG, there is a single Active Manager role: Standalone Active Manager.
On servers that are members of a DAG, there are two Active Manager roles: Primary Active Manager (PAM ) and
Standby Active Manager (SAM ). PAM is the Active Manager role in a DAG that decides which copies will be active
and passive. PAM is responsible for getting topology change notifications and reacting to server failures. The DAG
member that holds the PAM role is always the member that currently owns the cluster quorum resource (default
cluster group). If the server that owns the cluster quorum resource fails, the PAM role automatically moves to a
surviving server that takes ownership of the cluster quorum resource. In addition, if you need to take the server
that hosts the cluster quorum resource offline for maintenance or an upgrade, you must first move the PAM to
another server in the DAG. The PAM controls all movement of the active designations between a database's
copies. (Only one copy can be active at any specified time, and that copy may be mounted or dismounted.) The
PAM also performs the functions of the SAM role on the local system (detecting local database and local
Information Store failures).
The SAM provides information on which server hosts the active copy of a mailbox database to other components
of Exchange that are running an Active Manager client component (for example, Client Access or Transport
services). The SAM detects failures of local databases and the local Information Store. It reacts to failures by
asking the PAM to initiate a failover (if the database is replicated). A SAM doesn't determine the target of failover,
nor does it update a database's location state in the PAM. It will access the active database copy location state to
answer queries for the active copy of the database that it receives.
NOTE
Exchange Server isn't a clustered application. Instead, it uses the cluster library functions implemented in clusapi.dll for
cluster, group, cluster network (heartbeating), node management, cluster registry, and a few control code functions. In
addition, Active Manager stores current mailbox database information (for example, active and passive data, and mounted
data) in the cluster database (also known as the cluster registry). Although the information is stored directly in the cluster
database, it isn't accessed directly by any other components.
In Exchange Server, the Microsoft Exchange Replication service periodically monitors the health of all mounted
databases. In addition, it also monitors the Extensible Storage Engine (ESE ) for any I/O errors or failures. When
the service detects a failure, it notifies Active Manager. Active Manager then determines which database copy
should be mounted and what it requires to mount that database. In addition, it tracks the active copy of a mailbox
database (based on the last mounted copy of the database) and provides the tracking results information to Client
Access services on the Mailbox server to which the client is connected.
Datacenter Activation Coordination (DAC ) mode is a property of a database availability group (DAG ). DAC mode is
disabled by default but should be enabled for all DAGs with two or more members that use continuous replication.
DAC mode shouldn't be enabled for DAGs that use third-party replication mode unless specified by the third-party
vendor.
DAC mode is used to control the database mount on startup behavior of a DAG. This control is designed to
prevent split brain from occurring at the database level during a datacenter switchback. Split brain, also known as
split brain syndrome, is a condition that results in a database being mounted as an active copy on two members of
the same DAG that are unable to communicate with one another. Split brain is prevented using DAC mode,
because DAC mode requires DAG members to obtain permission to mount databases before they can be
mounted.
For example, when a primary datacenter contains two DAG members and the witness server, and a second
datacenter contains two other DAG members, the DAG is not in DAC mode. The primary datacenter loses power,
so you activate the DAG in the second datacenter. Eventually power to the primary datacenter is restored, and the
DAG members in the primary datacenter, which had quorum before the power failure, will start up and mount
their databases. Because the primary datacenter was restored without network connectivity to the second
datacenter, and because the DAG was not in DAC mode, the active databases within the DAG enters a split brain
condition.
IMPORTANT
Because the witness server's boot time is used to determine whether a DAG member can mount its active databases on
startup, you should never restart the witness server and the sole DAG member at the same time. Doing so may leave the
DAG member in a state where it can't mount databases on startup. If this happens, you must run the Restore-
DatabaseAvailabilityGroup cmdlet on the DAG. This resets the DACP bit and permits the DAG member to mount databases.
Microsoft Exchange Server leverages the concept of database mobility, which is Exchange-managed database-level
failovers. Database mobility disconnects databases from servers, adds support for up to 16 copies of a single
database, and provides a native experience for adding database copies to a database.
Key characteristics
The key characteristics of mailbox database copies are:
Up to 16 copies of an Exchange Server mailbox database can be created on multiple Mailbox servers,
provided the servers are grouped into a database availability group (DAG ), which is a boundary for
continuous replication. Exchange Server mailbox databases can be replicated only to the same version
Exchange Mailbox servers within a DAG. You can't replicate a database outside of a DAG, nor can you
replicate an Exchange 2016 or Exchange 2019 mailbox database to a server running Exchange 2013 or
earlier. For detailed information about DAGs, see Database availability groups.
All Mailbox servers in a DAG must be in the same Active Directory domain.
Mailbox database copies support the concepts of replay lag time and truncation lag time. Appropriate
planning must be performed before enabling these features.
All database copies can be backed up using an Exchange-aware, Volume Shadow Copy Service (VSS )-
based backup application.
Database copies can be created only on Mailbox servers that don't host the active copy of a database. You
can't create two copies of the same database on the same server.
All copies of a database use the same path on each server containing a copy. The database and log file paths
for a database copy on each Mailbox server must not conflict with any other database paths.
Database copies can be created in the same or different Active Directory sites, and on the same or different
network subnets.
Database copies aren't supported between Mailbox servers with round trip network latency greater than
500 milliseconds (ms).
Automatic Reseed, or AutoReseed, is a feature that replaces standard actions administrators take in response to a
disk failure, or a database corruption event, or another issue that necessitates a reseed of a database copy.
Overview of Autoreseed
In an AutoReseed configuration, a standardized storage presentation structure is used, and the administrator picks
the starting point. AutoReseed is about restoring redundancy as soon as possible after a drive fails. This involves
using mount points to pre-map a set of volumes (including spare volumes) and databases. In the event of a disk
failure where the disk is no longer available to the operating system, or is no longer writable, a spare volume is
allocated by the system, and the affected database copies are reseeded automatically.
1. The Microsoft Exchange Replication service periodically scans for copies that have a status of
FailedAndSuspended. If all database copies on a volume configured for AutoReseed are in a
FailedandSuspended state for 15 consecutive minutes, the AutoReseed workflow is initiated.
2. AutoReseed will try to resume the failed and suspended copies up to three times, with a 5-minute sleep in
between each attempt. Sometimes, after a FailedandSuspended database copy is resumed, the copy remains
in a Failed state. This can happen for a variety of reasons, so this step is designed to handle those cases;
AutoReseed will automatically suspend a database copy that has been Failed for 10 consecutive minutes to
keep the workflow running. If the suspend and resume actions don't result in a healthy database copy, the
workflow continues.
3. When it finds a copy with that status, it performs some prerequisite checks. For example, it will verify that a
spare disk is available, that the database and its log files are configured on the same volume, and in the
appropriate locations that match the required naming conventions.
4. If the prerequisite checks pass successfully, the Disk Reclaimer function within the Microsoft Exchange
Replication service allocates, remaps and formats a spare disk according to the timelines in the table below.
AutoReseed will attempt to assign a spare volume up to 5 times, with 1-hour sleeps in between each try.
5. Once a spare has been assigned, AutoReseed will perform an InPlaceSeed operation using the
SafeDeleteExistingFiles seeding switch. All databases that were on the affected disk are re-seeded using the
active copy of the database as the seeding source.
6. After the seeding operation has been completed, the Microsoft Exchange Replication service verifies that the
newly seeded copy is healthy.
Once all retries are exhausted, the workflow stops. If, after 3 days, the database copy is still FailedandSuspended,
the workflow state is reset and it starts again from Step 1. This reset/resume behavior is useful (and intentional)
since it can take a few days to replace a failed disk, controller, etc.
At this point, if the failure was a disk failure, it would require manual intervention by an operator or administrator
to remove and replace the failed disk and reconfigure the replacement disk as a spare.
AutoReseed is configured using three properties of the DAG. Two of the properties refer to the two mount points
that are in use. Exchange Server leverages the fact that Windows Server allows multiple mount points per volume.
The AutoDagVolumesRootFolderPath property refers to the mount point that contains all of the available volumes.
This includes volumes that host databases and spare volumes. The AutoDagDatabasesRootFolderPath property
refers to the mount point that contains the databases. A third DAG property, AutoDagDatabaseCopiesPerVolume,
is used to configure the number of database copies per volume.
An example AutoReseed configuration is illustrated below.
Example AutoReseed configuration
In this example, there are three volumes, two of which will contain databases (VOL1 and VOL2), and one of which
is a blank, formatted spare (VOL3).
To configure AutoReseed:
1. All three volumes are mounted under a single mount point. In this example, a mount point of C:\ExchVols is
used. This represents the directory used to get storage for Exchange databases.
2. The root directory of the mailbox databases is mounted as another mount point. In this example, a mount
point of C:\ExchDBs is used. Next, a directory structure is created so that a parent directory is created for the
database, and under the parent directory, two subdirectories are created: one database file and one for the
log files.
3. Databases are created. The above example illustrates a simple design using a single database per volume.
Thus, on VOL1, there are three directories: the parent directory and two subdirectories (one for MDB1's
database file, and one for its logs). Although not depicted in the example image, on VOL2, there would also
be three directories: the parent directory, and under that, a directory for MDB2's database file, and one for
its log files.
In this configuration, if MDB1 or MDB2 were to experience a failure, a copy of the failed database will be
automatically reseeded to VOL3.
Disk Reclaimer
The AutoReseed component that allocates and formats spare disks is called the Disk Reclaimer. The Disk Reclaimer
component automatically formats spare disks in preparation for automatic reseeding at different intervals,
depending on the state of the disk. In order for the Disk Reclaimer to format a disk, certain conditions must met:
The Disk Reclaimer must be enabled. It is enabled by default, but it can be disabled using Set-
DatabaseAvailabilityGroup.
The volume must have a mount point in the root volumes path (by default, C:\ExchangeVolumes).
The volume must not have any mount points in the database volumes path (by default,
C:\ExchangeDatabases).
If the volume contains any files, none of the files must have been touched for 24 hours.
In addition to the above conditions, the Disk Reclaimer will only attempt to format a given volume once a day. The
following table describes the formatting behavior of the Disk Reclaimer.
The MetaCacheDatabase (MCDB ) feature is included in Exchange Server 2019. It allows a database availability
group (DAG ) to be accelerated by utilizing solid state disks (SSDs). Manage-MetaCacheDatabase.ps1 is an automation
script created for Exchange Server administrators to set up and manage MCDB instances in their Exchange 2019
DAGs.
After installing Exchange Server 2019, you can find Manage-MetaCacheDatabase.ps1 here: drive:\Program
Files\Microsoft\Exchange Server\V15\Scripts.
You use this script to configure MCDB prerequisites on a properly configured DAG, to enable or disable MCDB,
and to configure and repair MCDB on your servers.
SSD guidance
All SSDs used for MCDB need to be of the same capacity and type. A symmetrical configuration between servers is
required, which means there needs to be an identical number of SSDs in each server, and the SSDs all need to be
the same size.
NOTE
The Manage-MCDB cmdlet will only work with devices exposed as MediaType SSD by Windows.
It is recommended to target a 1:3 ratio between SSD and HDD devices per server. Therefore, deploy one SSD for
every three HDDs. In order to avoid having to reduce the number of HDDs in the server, consider using M.2 form
factor SSDs.
Providing 5% to 6% of SSD capacity relative to total HDD capacity is sufficient for on-premises deployments. For
example, if your server contains 100 TB of HDD capacity for mailbox databases, an allocation of 5 TB to 6 TB for
SSD capacity is enough.
The SSDs you use should qualify for "mixed use" and support one drive write per day (DWPD ) or greater in terms
of write endurance.
Prerequisites
The following prerequisites are required for successful configuration and use of MCDB:
1. The DAG is configured for auto-reseed.
2. RAW SSD drives are installed, and SSD count and size is equal for each server in the DAG.
3. Exchange Server 2019.
MCDB setup
The process of setting up MCDB can be broken down into four basic steps:
1. Update Active Directory (AD ) settings and wait for propagation (by running ConfigureMCDBPrerequisite ).
2. Allow MCDB acceleration for each server of the DAG (by running ServerAllowMCDB ).
3. Create the necessary infrastructure (Volumes, Mount Points) for MCDB on each server (by running
ConfigureMCDBOnServer ).
Scope:
DAG: ConfigureMCDBPrerequisite operates on a DAG object.
NOTE
MCDB will utilize up to 95% of an SSD's physical capacity. The remaining 5% is kept free to account for file system and
partition overhead, as well as for a small amount of additional buffer and over-provisioning.
Example:
Scope:
Server: You need to run ServerAllowMCDB on each server in the DAG.
Examples:
Scope:
Server: You need to run ConfigureMCDBOnServer on each server in the DAG.
Example:
STATE DESCRIPTION
Offline Errors at the logical level, for example missing MCDB instances.
STATE DESCRIPTION
During the planning phase, the system architects, administrators, and other key stakeholders should identify the
business requirements and the architectural requirements for the deployment; in particular, the requirements
about high availability and site resilience.
There are general requirements that must be met for deploying these features, as well as hardware, software, and
networking requirements that must also be met.
General requirements
Before deploying a database availability group (DAG ) and creating mailbox database copies, make sure that the
following system-wide recommendations are met:
Domain Name System (DNS ) must be running. Ideally, the DNS server should accept dynamic updates. If
the DNS server doesn't accept dynamic updates, you must create a DNS host (A) record for each Exchange
server. Otherwise, Exchange won't function properly.
Each Mailbox server in a DAG must be a member server in the same domain.
Adding an Exchange Mailbox server that's also a directory server to a DAG isn't supported.
The name you assign to the DAG must be a valid, available, and unique computer name of 15 characters or
less.
Hardware requirements
Generally, there are no special hardware requirements specific to DAGs or mailbox database copies. The servers
used must meet all of the requirements set forth in Exchange Server prerequisites.
Storage requirements
Generally, there are no special storage requirements specific to DAGs or mailbox database copies. DAGs don't
require or use cluster-managed shared storage. Cluster-managed shared storage is supported for use in a DAG
only when the DAG is configured to use a solution that leverages the Third Party Replication API built into
Exchange Server.
Software requirements
Each member of a DAG must be running the same operating system. Exchange Server 2016 is supported on the
Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Exchange Server 2019 is supported
on the Windows Server 2019 operating system. Within a specific DAG, all members must be running the same
supported operating system.
In addition to meeting the prerequisites for installing Exchange Server, there are operating system requirements
that must be met. DAGs use Windows Failover Clustering technology, and as a result, they require the Standard or
Datacenter version of the Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or Windows
Server 2019 operating systems.
Network requirements
There are specific networking requirements that must be met for each DAG and for each DAG member. Each DAG
must have a single MAPI network, which is used by a DAG member to communicate with other servers (for
example, other Exchange servers or directory servers), and zero or more Replication networks, which are networks
dedicated to log shipping and seeding.
In previous versions of Exchange, we recommended at least two networks (one MAPI network and one
Replication network) for DAGs. In Exchange 2016 and Exchange 2019, multiple networks are supported, but our
recommendation depends on your physical network topology. If you have multiple physical networks between
DAG members that are physically separate from one another, then using a separate MAPI and Replication
network provides additional redundancy. If you have multiple networks that are partially physically separate but
converge into a single physical network (for example, a single WAN link), then using a single network (preferably
10 gigabit Ethernet) for both MAPI and Replication traffic is recommended. This provides simplicity for the
network and the network path.
Consider the following when designing the network infrastructure for your DAG:
Each member of the DAG must have at least one network adapter that's able to communicate with all other
DAG members. If you're using a single network path, we recommend that you use a minimum of 1 gigabit
Ethernet, but preferably 10 gigabit Ethernet. In addition, when using a single network adapter in each DAG
member, we recommend that you design the overall solution with the single network adapter and path in
mind.
Using two network adapters in each DAG member provides you with one MAPI network and one
Replication network, with redundancy for the Replication network and the following recovery behaviors:
In the event of a failure affecting the MAPI network, a server failover will occur (assuming there are
healthy mailbox database copies that can be activated).
In the event of a failure affecting the Replication network, if the MAPI network is unaffected by the
failure, log shipping and seeding operations will revert to use the MAPI network, even if the MAPI
network has it's ReplicationEnabled property set to False. When the failed Replication network is
restored to health and ready to resume log shipping and seeding operations, you must manually
switch over to the Replication network. To change replication from the MAPI network to a restored
Replication network, you can either suspend and resume continuous replication by using the
Suspend-MailboxDatabaseCopy and Resume-MailboxDatabaseCopy cmdlets, or restart the
Microsoft Exchange Replication service. We recommend using suspend and resume operations to
avoid the brief outage caused by restarting the Microsoft Exchange Replication service.
Each DAG member must have the same number of networks. For example, if you plan on using a single
network adapter in one DAG member, all members of the DAG must also use a single network adapter.
Each DAG must have no more than one MAPI network. The MAPI network must provide connectivity to
other Exchange servers and other services, such as Active Directory and DNS.
Additional Replication networks can be added, as needed. You can also prevent an individual network
adapter from being a single point of failure by using network adapter teaming or similar technology.
However, even when using teaming, this doesn't prevent the network itself from being a single point of
failure. Moreover, teaming adds unnecessary complexity to the DAG.
Each network in each DAG member server must be on its own network subnet. Each server in the DAG can
be on a different subnet, but the MAPI and Replication networks must be routable and provide connectivity,
such that:
Each network in each DAG member server is on its own network subnet that's separate from the
subnet used by each other network in the server.
Each DAG member server's MAPI network can communicate with each other DAG member's MAPI
network.
Each DAG member server's Replication network can communicate with each other DAG member's
Replication network.
There is no direct routing that allows heartbeat traffic from the Replication network on one DAG
member server to the MAPI network on another DAG member server, or vice versa, or between
multiple Replication networks in the DAG.
Regardless of their geographic location relative to other DAG members, each member of the DAG must
have round trip network latency no greater than 500 milliseconds between each other member. As the
round trip latency between two Mailbox servers hosting copies of a database increases, the potential for
replication not being up to date also increases. Regardless of the latency of the solution, customers should
validate that the networks between all DAG members is capable of satisfying the data protection and
availability goals of the deployment. Configurations with higher latency values may require special tuning
of DAG, replication, and network parameters, such as increasing the number of databases or decreasing the
number of mailboxes per database, to achieve the desired goals.
Round trip latency requirements may not be the most stringent network bandwidth and latency
requirement for a multi-datacenter configuration. You must evaluate the total network load, which includes
client access, Active Directory, transport, continuous replication, and other application traffic, to determine
the necessary network requirements for your environment.
DAG networks support Internet Protocol version 4 (IPv4) and IPv6. IPv6 is supported only when IPv4 is
also used; a pure IPv6 environment isn't supported. Using IPv6 addresses and IP address ranges is
supported only when both IPv6 and IPv4 are enabled on that computer, and the network supports both IP
address versions. If Exchange Server is deployed in this configuration, all server roles can send data to and
receive data from devices, servers, and clients that use IPv6 addresses.
Automatic Private IP Addressing (APIPA) is a feature of Windows that automatically assigns IP addresses
when no Dynamic Host Configuration Protocol (DHCP ) server is available on the network. APIPA
addresses (including manually assigned addresses from the APIPA address range) aren't supported for use
by DAGs or by Exchange Server.
DAG name and IP address requirements
During creation, each DAG is given a unique name, and either assigned one or more static IP addresses, or
configured to use DHCP. Regardless of whether you use static or dynamically assigned addresses, any IP address
assigned to the DAG must be on the MAPI network.
Each DAG running on Windows Server 2012 requires a minimum of one IP address on the MAPI network. A
DAG requires additional IP addresses when the MAPI network is extended across multiple subnets. DAGs running
on Windows Server 2012 R2, Windows Server 2016 or Windows Server 2019 that are created without a cluster
administrative access point do not require an IP address.
The following figure illustrates a DAG where all nodes in the DAG have the MAPI network on the same subnet.
DAG with MAPI network on same subnet
In this example, the MAPI network in each DAG member is on the 172.19.18. x subnet. As a result, the DAG
requires a single IP address on that subnet.
The next figure illustrates a DAG that has a MAPI network that extends across two subnets: 172.19.18. x and
172.19.19. x.
DAG with MAPI network on multiple subnets
In this example, the MAPI network in each DAG member is on a separate subnet. As a result, the DAG requires
two IP addresses, one for each subnet on the MAPI network.
Each time the DAG's MAPI network is extended across an additional subnet, an additional IP address for that
subnet must be configured for the DAG. Each IP address that's configured for the DAG is assigned to and used by
the DAG's underlying failover cluster. The name of the DAG is also used as the name for the underlying failover
cluster.
At any specific time, the cluster for the DAG will use only one of the assigned IP addresses. Windows Failover
Clustering registers this IP address in DNS when the cluster IP address and Network Name resources are
brought online. In addition to using an IP address and network name, a cluster name object (CNO ) is created in
Active Directory. The name, IP address, and CNO for the cluster are used internally by the system to secure the
DAG and for internal communication purposes. Administrators and end users don't need to interface with or
connect to the DAG name or IP address.
NOTE
Although the cluster's IP address and network name are used internally by the system, there is no hard dependency in
Exchange Server that these resources be available. Even if the underlying cluster's administrative access point (for example,
its IP address and Network Name resources) is offline, internal communication still occurs within the DAG by using the DAG
member server names. However, we recommend that you periodically monitor the availability of these resources to ensure
that they aren't offline for more than 30 days. If the underlying cluster is offline for more than 30 days, the cluster CNO
account may be invalidated by the garbage collection mechanism in Active Directory.
The TCP/IP v4 properties for a MAPI network adapter are configured as follows:
The IP address for a DAG member's MAPI network can be manually assigned or configured to use DHCP.
If DHCP is used, we recommend using persistent reservations for the server's IP address.
The MAPI network typically uses a default gateway, although one isn't required.
At least one DNS server address must be configured. Using multiple DNS servers is recommended for
redundancy.
The Register this connection's addresses in DNS check box should be selected.
Replication network adapter configuration
A network adapter intended for use by a Replication network should be configured as described in the following
table.
The TCP/IP v4 properties for a Replication network adapter are configured as follows:
The IP address for a DAG member's Replication network can be manually assigned or configured to use
DHCP. If DHCP is used, we recommend using persistent reservations for the server's IP address.
Replication networks typically don't have default gateways, and if the MAPI network has a default gateway,
no other networks should have default gateways. Routing of network traffic on a Replication network can
be configured by using persistent, static routes to the corresponding network on other DAG members
using gateway addresses that have the ability to route between the Replication networks. All other traffic
not matching this route will be handled by the default gateway that's configured on the adapter for the
MAPI network.
DNS server addresses shouldn't be configured.
The Register this connection's addresses in DNS check box shouldn't be selected.
Some applications that integrate with Exchange have specific certificate requirements that may require using
additional certificates. Exchange Server can co-exist with Office Communications Server (OCS ). OCS requires
certificates with 1024-bit or greater certificates that use the OCS server name for the Certificate Principal Name.
Because using an OCS server name for the Certificate Principal Name would prevent Outlook Anywhere from
working properly, you would need to use an additional and separate certificate for the OCS environment.
Network planning
In addition to the specific networking requirements that must be met for each DAG, as well as for each server
that's a member of a DAG, there are some requirements and recommendations that are specific to site resilience
configurations. As with all DAGs, whether the DAG members are deployed in a single site or in multiple sites, the
round-trip return network latency between DAG members must be no greater than 500 milliseconds. In addition,
there are specific configuration settings that are recommended for DAGs that are extended across multiple sites:
MAPI networks should be isolated from Replication networks: Windows network policies, Windows
firewall policies, or router access control lists (ACLs) should be used to block traffic between the MAPI
network and the Replication networks. This configuration is necessary to prevent network heartbeat cross
talk.
Client-facing DNS records should have a Time to Live (TTL ) value of 5 minutes: The amount of
downtime that clients experience is dependent not just on how quickly a switchover can occur, but also on
how quickly DNS replication occurs and the clients query for updated DNS information. DNS records for
all Exchange client services, including Outlook on the web (formerly known as Outlook Web App),
Exchange ActiveSync, Exchange Web Services, Outlook Anywhere, SMTP, POP3, and IMAP4 in both the
internal and external DNS servers should be set with a TTL of 5 minutes.
Use static routes to configure connectivity across Replication networks: To provide network
connectivity between each of the Replication network adapters, use persistent static routes. This is a quick
and one-time configuration that's performed on each DAG member when using static IP addresses. If
you're using DHCP to obtain IP addresses for your Replication networks, you can also use it to assign static
routes for the replication, thereby simplifying the configuration process.
General site resilience planning
In addition to the requirements listed above for high availability, there are other recommendations for deploying
Exchange Server in a site resilient configuration (for example, extending a DAG across multiple datacenters). What
you do during the planning phase will directly affect the success of your site resilience solution. For example, poor
namespace design can cause difficulties with certificates, and an incorrect certificate configuration can prevent
users from accessing services.
To minimize the time it takes to activate a second datacenter, and allow the second datacenter to host the service
endpoints of a failed datacenter, the appropriate planning must be completed. The following are examples:
The SLA goals for the site resilience solution must be well understood and documented.
The servers in the second datacenter must have sufficient capacity to host the combined user population of
both datacenters.
The second datacenter must have all services enabled that are provided in the primary datacenter (unless
the service isn't included as part of the site resilience SLA). This includes Active Directory, networking
infrastructure (for example, DNS or TCP/IP ), telephony services (if Unified Messaging in Exchange 2016 is
in use), and site infrastructure (such as power or cooling).
For some services to be able to service users from the failed datacenter, they must have the proper server
certificates configured. Some services don't allow instancing (for example, POP3 and IMAP4) and only
allow the use of a single certificate. In these cases, either the certificate must be a SAN certificate that
includes multiple names, or the multiple names must be similar enough so that a wildcard certificate can be
used (assuming the security policies of the organization allows the use of wildcard certificates).
The necessary services must be defined in the second datacenter. For example, if the first datacenter has
three different SMTP URLs on different transport servers, the appropriate configuration must be defined in
the second datacenter to enable at least one (if not all three) transport server to host the workload.
The necessary network configuration must be in place to support the datacenter switchover. This might
mean making sure that the load balancing configurations are in place, that global DNS is configured, and
that the Internet connection is enabled with the appropriate routing configured.
The strategy for enabling the DNS changes necessary for a datacenter switchover must be understood. The
specific DNS changes, including their TTL settings, must be defined and documented to support the SLA in
effect.
A strategy for testing the solution must also be established and factored into the SLA. Periodic validation of
the deployment is the only way to guarantee that the quality and viability of the deployment doesn't
degrade over time. After the deployment is validated, we recommend that the part of the configuration that
directly affects the success of the solution be explicitly documented. In addition, we recommend that you
enhance your change management processes around those segments of the deployment.
Deploying high availability and site resilience
8/23/2019 • 11 minutes to read • Edit Online
Microsoft Exchange Server uses the concept known as incremental deployment for both high availability and site
resilience. You simply install two or more Exchange Mailbox servers as stand-alone servers, and then
incrementally configure them and mailbox databases for high availability and site resilience, as needed.
Network configuration
As illustrated in the previous figure, the solution involves the use of multiple subnets and multiple networks. Each
Mailbox server in the DAG has two network adapters on separate subnets. In each Mailbox server, one network
adapter will be used for the MAPI network (192.168. x. x) and one network adapter will be used for the Replication
network (10.0. x. x). Only the MAPI network provides connectivity to Active Directory, DNS services, other
Exchange servers and clients. The adapter used for the Replication network in each member provides connectivity
only to the Replication network adapters in the other members of the DAG.
The settings for each network adapter in each node are detailed in the following table.
As shown in the preceding table, adapters used for Replication networks don't use default gateways. To provide
network connectivity between each of the Replication network adapters, Contoso uses persistent static routes,
which they configure by using the Netsh.exe tool.
To configure routing for the Replication network adapters on MBX1 and MBX2, the following command was run
on each server.
To configure routing for the Replication network adapters on MBX3 and MBX4, the following command was run
on each server.
The preceding command creates the DAG DAG1, configures MBX5 to act as the witness server, configures a
specific witness directory (C:\DAGWitness\DAG1.contoso.com), and configures two IP addresses for the DAG (one
for each subnet on the MAPI network).
The preceding command configures DAG1 to use an alternate witness server of MBX10 and an alternate witness
directory on MBX10 that uses the same path that was configured on MBX5.
NOTE
Using the same path isn't required; Contoso has chosen to do this to standardize their configuration.
The preceding commands add each of the Mailbox servers, one at a time, to the DAG. The commands also install
the Windows Failover Clustering component on each Mailbox server (if it isn't already installed), create a failover
cluster, and join each Mailbox server to the newly created cluster.
In the preceding examples for the Add-MailboxDatabaseCopy cmdlet, the ActivationPreference parameter
wasn't specified. The task automatically increments the activation preference number with each copy that's added.
The original database always has a preference number of 1. The first copy added with the Add-
MailboxDatabaseCopy cmdlet is automatically assigned a preference number of 2. Assuming no copies are
removed, the next copy added is automatically assigned a preference number of 3, and so forth. Thus, in the
preceding examples, the passive copy in the same datacenter as the active copy has an activation preference
number of 2; the non-lagged passive copy in the remote datacenter has an activation preference number of 3, and
the lagged passive copy in the remote datacenter has an activation preference number of 4.
Although there are two copies of each active database across the WAN in the other location, seeding over the
WAN was only performed once. This is because Contoso is leveraging the Exchange Server ability to use a passive
copy of a database as the source for seeding. Using the Add-MailboxDatabaseCopy cmdlet with the
SeedingPostponed parameter prevents the task from automatically seeding the new database copy being created.
Then, the administrator can suspend the un-seeded copy, and by using the Update-MailboxDatabaseCopy cmdlet
with the SourceServer parameter, the administrator can specify the local copy of the database as the source of the
seeding operation. As a result, seeding of the second database copy added to each location happens locally and
not over the WAN.
NOTE
In the preceding example, the non-lagged database copy is seeded over the WAN, and that copy is then used to seed the
lagged copy of the database that's in the same datacenter as the non-lagged copy.
Contoso has configured one of the passive copies of each mailbox database as a lagged database copy to provide
protection against the extremely rare but catastrophic case of database logical corruption. As a result, the
administrator is configuring the lagged copies as blocked for activation by using the Suspend-
MailboxDatabaseCopy cmdlet with the ActivationOnly parameter. This ensures that the lagged database copies
won't be activated if a database or server failover occurs.
Validating the solution
After the solution has been deployed and configured, the administrator performs several tasks that validate the
solution's readiness prior to moving production mailboxes to the databases in the DAG. The solution should be
tested and inspected using several methods, including failure simulations. To validate the solution, the
administrator performs several tasks.
To verify the overall health of the DAG, the administrator runs the Test-ReplicationHealth cmdlet. This cmdlet
checks several aspects of the replication and replay status to provide information about each Mailbox server and
database copy in the DAG.
To verify replication and replay activity, the administrator runs the Get-MailboxDatabaseCopyStatus cmdlet. This
cmdlet can provide real-time status information about a specific mailbox database copy or for all mailbox database
copies on a specific server. For more information about monitoring the health and status of replicated databases in
a DAG, see Monitor database availability groups.
To verify that switchovers work as expected, the administrator uses the Move-ActiveMailboxDatabase cmdlet to
perform a series of database switchovers and server switchovers. When these tasks have completed successfully,
the administrator uses the same cmdlet to move the active database copies back to their original locations.
To verify the expected behaviors in various failure scenarios, the administrator performs several tasks that either
simulate failures or actually cause failures to occur. For example, the administrator might:
Unplug the power cord on MBX1, thereby triggering a server failover. The administrator then verifies that
DB1 becomes active on another server (preferably MBX2, based on the activation preference values).
Unplug the network cable for the MAPI network adapter on MBX2, thereby triggering a server failover. The
administrator then verifies that DB2 becomes active on another server (preferably MBX1, based on the
activation preference values).
Take the disk used by the active copy of DB3 offline, thereby triggering a database failover. The
administrator then verifies that DB3 becomes active on another server (preferably MBX4, based on
activation preference values).
There may be other failure scenarios that are tested by an organization, based on the business needs. After
simulating a single failure (such as pulling the power plug), and verifying the solution's recovery behavior, the
administrator may revert the solution back to its original configuration. In some cases, the solution may be tested
for multiple concurrent failures. Ultimately, your solution test plan will dictate whether the solution is reverted
back to its original configuration after each failure simulation has been completed.
In addition, an administrator may decide to disconnect the network connection between the two datacenters,
thereby simulating a site failure. Performing a datacenter switchover is a much more involved and coordinated
process; however, we recommend the process if the solution being deployed is intended to provide site resilience
for the messaging services and data.
Transitioning to operations
After the solution has been deployed, it can be extended further using incremental deployment. At this point,
management of the solution would also transition to operation processes, in which the following tasks would be
performed:
Monitor the health and status of DAGs and mailbox database copies. For more information, see Monitor
database availability groups.
Perform database switchovers as needed. For detailed steps about how to perform a database switchover,
see Activate a mailbox database copy.
For more information about managing the solution, see Managing high availability and site resilience.
Managing high availability and site resilience
8/23/2019 • 7 minutes to read • Edit Online
After you build, validate, and deploy a Microsoft Exchange Server high availability or site resilience solution, the
solution transitions from the deployment phase to the operational phase of the overall solution lifecycle. The
operational phase consists of several tasks, and all tasks are related to one of the following areas: database
availability groups (DAGs), mailbox database copies, performing proactive monitoring, and managing switchovers
and failovers.
Proactive monitoring
Making sure that your servers are operating reliably and that your database copies are healthy are key objectives
for daily messaging operations. Exchange Server includes a number of features that can be used to perform a
variety of health monitoring tasks for DAGs and mailbox database copies, including:
Get-MailboxDatabaseCopyStatus
Test-ReplicationHealth
Crimson channel event logging
In addition to monitoring the health and status, it's also critical to monitor for situations that can compromise
availability. For example, we recommend that you monitor the redundancy of your replicated databases. It's critical
to avoid situations where you're down to a single copy of a database. This scenario should be treated with the
highest priority and resolved as soon as possible.
For more detailed information about monitoring the health and status of DAGs and mailbox database copies, see
Monitor database availability groups.
A database availability group (DAG ) is a set of up to 16 Exchange Mailbox servers that provides automatic,
database-level recovery from a database, server, or network failure. DAGs use continuous replication and a subset
of Windows failover clustering technologies to provide high availability and site resilience. Mailbox servers in a
DAG monitor each other for failures. When a Mailbox server is added to a DAG, that server works with the other
servers in the DAG to provide automatic, database-level recovery from database failures.
When you create a DAG, it's initially empty. When you add the first server to a DAG, a failover cluster is
automatically created for the DAG. In addition, the infrastructure that monitors the servers for network or server
failures is initiated. The failover cluster heartbeat mechanism and cluster database are then used to track and
manage information about the DAG that can change quickly, such as database mount status, replication status,
and last mounted location.
Creating DAGs
A DAG can be created using the New Database Availability Group wizard in the Exchange admin center (EAC ), or
by running the New-DatabaseAvailabilityGroup cmdlet in the Exchange Management Shell. When creating a
DAG, you provide a name for the DAG, and optional witness server and witness directory settings. In addition,
you can assign one or more IP addresses to the DAG, either by using static IP addresses or by allowing the DAG
to be automatically assigned the necessary IP addresses using Dynamic Host Configuration Protocol (DHCP ).
You can manually assign IP addresses to the DAG by using the DatabaseAvailabilityGroupIpAddresses parameter.
If you omit this parameter, the DAG attempts to obtain an IP address by using a DHCP server on your network.
If you're creating a DAG that will contain Mailbox servers that are running Windows Server 2012 R2, you also
have the option of creating a DAG without a cluster administrative access point. In that case, the cluster will not
have a cluster name object (CNO ) in Active Directory, and the cluster core resource group will not contain a
network name resource or an IP address resource.
For detailed steps about how to create a DAG, see Create a database availability group.
When you create a DAG, an empty object representing the DAG with the name you specified and an object class
of msExchMDBAvailabilityGroup is created in Active Directory.
DAGs use a subset of Windows failover clustering technologies in Windows Server 2008 R2 or later, such as the
cluster heartbeat, cluster networks, and cluster database (for storing data that changes or can change quickly, such
as database state changes from active to passive or the reverse, or from mounted to dismounted or the reverse).
Therefore you can create DAGs only on Exchange Mailbox servers installed on supported versions of Windows
that include Windows failover clustering.
NOTE
The failover cluster created and used by the DAG must be dedicated to the DAG. The cluster can't be used for any other
high availability solution or for any other purpose. For example, the failover cluster can't be used to cluster other
applications or services. Using a DAG's underlying failover cluster for purposes other than the DAG isn't supported.
NOTE
In the database mirroring topology, you can have a third server called the witness. The witness server enables automatic
failover from principal to mirror server or vice-versa. Unlike principal and mirror servers, the witness server does not serve
the database. The role of the witness is to verify whether a given partner server is up and functioning. Supporting
automatic failover is the only function for witness server, and it identifies which server holds the principal copy and which
server holds the mirror copy of the database.
IMPORTANT
If the witness server you specify isn't an Exchange 2010 or later server, you must add the Exchange Trusted Subsystem
universal security group (USG) to the local Administrators group on the witness server prior to creating the DAG. These
security permissions are necessary to ensure that Exchange can create a directory and share on the witness server as
needed.
Neither the witness server nor the witness directory needs to be fault tolerant or use any form of redundancy or
high availability. There's no need to use a clustered file server for the witness server or employ any other form of
resiliency for the witness server. There are several reasons for this. With larger DAGs (for example, six members
or more), several failures are required before the witness server is needed. Because a six-member DAG can
tolerate as many as two voter failures without losing quorum, it would take as many as three voters failing before
the witness server would be needed to maintain a quorum. Also, if there's a failure that affects your current
witness server (for example, you lose the witness server because of a hardware failure), you can use the Set-
DatabaseAvailabilityGroup cmdlet to configure a new witness server and witness directory (provided you have a
quorum).
NOTE
You can also use the Set-DatabaseAvailabilityGroup cmdlet to configure the witness server and witness directory in the
original location if the witness server lost its storage or if someone changed the witness directory or share permissions.
Single DAG deployed in a single datacenter Locate witness server in the same datacenter as DAG
members
Single DAG deployed across two datacenters; no additional Locate witness server on a Microsoft Azure virtual network to
locations available enable automatic datacenter failover, or
Locate witness server in primary datacenter
Multiple DAGs deployed in a single datacenter Locate witness server in the same datacenter as DAG
members. Additional options include:
• Using the same witness server for multiple DAGs
• Using a DAG member to act as a witness server for a
different DAG
Multiple DAGs deployed across two datacenters Locate witness server on a Microsoft Azure virtual network to
enable automatic datacenter failover, or
Locate witness server in the datacenter that is considered
primary for each DAG. Additional options include:
• Using the same witness server for multiple DAGs
• Using a DAG member to act as a witness server for a
different DAG
Single or Multiple DAGs deployed across more than two In this configuration, the witness server should be located in
datacenters the datacenter where you want the majority of quorum votes
to exist.
When a DAG has been deployed across two datacenters, you can now use a third location for hosting the witness
server. If your organization has a third location with a network infrastructure that is isolated from network failures
that affect the two datacenters in which your DAG is deployed, then you can deploy the DAG's witness server in
that third location, thereby configuring your DAG with the ability automatically failover databases to the other
datacenter in response to a datacenter-level failure event. If your organization only has two physical locations, you
can use a Microsoft Azure virtual network as a third location to place your witness server.
Specifying a witness server and witness directory during DAG creation
When creating a DAG, you must provide a name for the DAG. You can optionally also specify a witness server and
witness directory.
When creating a DAG, the following combinations of options and behaviors are available:
You can specify only a name for the DAG, and leave the Witness server and Witness directory fields
blank. In this scenario, the wizard searches the local Active Directory site for a Client Access server that
doesn't have the Mailbox server installed, and it automatically creates the default directory
(%SystemDrive%:\DAGFileShareWitnesses\< DAGFQDN>) and default share (< DAGFQDN>) on that
server and uses that Client Access server as the witness server. For example, consider the witness server
CAS3 on which the operating system has been installed onto drive C. A DAG named DAG1 in the
contoso.com domain would use a default witness directory of
C:\DAGFileShareWitnesses\DAG1.contoso.com, which would be shared as \CAS3\DAG1.contoso.com.
You can specify a name for the DAG, the witness server that you want to use, and the directory you want
created and shared on the witness server.
You can specify a name for the DAG and the witness server that you want to use, and leave the Witness
directory field blank. In this scenario, the wizard creates the default directory on the specified witness
server.
You can specify a name for the DAG, leave the Witness server field blank, and specify the directory you
want created and shared on the witness server. In this scenario, the wizard searches for a Client Access
server that doesn't have the Mailbox server installed, and it automatically creates the specified DAG on that
server, shares the directory, and uses that Client Access server as the witness server.
When a DAG is formed, it initially uses the Node Majority quorum model. When the second Mailbox server is
added to the DAG, the quorum is automatically changed to a Node and File Share Majority quorum model. When
this change occurs, the DAG's cluster begins using the witness server for maintaining quorum. If the witness
directory doesn't exist, Exchange automatically creates it, shares it, and provisions the share with full control
permissions for the CNO computer account for the DAG.
NOTE
Using a file share that's part of a Distributed File System (DFS) namespace isn't supported.
If Windows Firewall is enabled on the witness server before the DAG is created, it may block the creation of the
DAG. Exchange uses Windows Management Instrumentation (WMI) to create the directory and file share on the
witness server. If Windows Firewall is enabled on the witness server and there are no firewall exceptions
configured for WMI, the New-DatabaseAvailabilityGroup cmdlet fails with an error. If you specify a witness
server, but not a witness directory, you receive the following error message.
The task was unable to create the default witness directory on server <Server Name>. Please manually specify a
witness directory.
If you specify a witness server and witness directory, you receive the following warning message.
Unable to access file shares on witness server '<ServerName>'. Until this problem is corrected, the database
availability group may be more vulnerable to failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to
try the operation again. Error: The network path was not found.
If Windows Firewall is enabled on the witness server after the DAG is created but before servers are added, it
may block the addition or removal of DAG members. If Windows Firewall is enabled on the witness server and
there are no firewall exceptions configured for WMI, the Add-DatabaseAvailabilityGroupServer cmdlet
displays the following warning message.
Failed to create file share witness directory 'C:\DAGFileShareWitnesses\DAG_FQDN' on witness server
'<ServerName>'. Until this problem is corrected, the database availability group may be more vulnerable to
failures. You can use the Set-DatabaseAvailabilityGroup cmdlet to try the operation again. Error: WMI
exception occurred on server '<ServerName>': The RPC server is unavailable. (Exception from HRESULT:
0x800706BA)
DAG membership
After a DAG has been created, you can add servers to or remove servers from the DAG using the Manage
Database Availability Group wizard in the Exchange admin center (EAC ), or using the Add-
DatabaseAvailabilityGroupServer or Remove-DatabaseAvailabilityGroupServer cmdlets in the Exchange
Management Shell. For detailed steps about how to manage DAG membership, see Manage database availability
group membership.
NOTE
Each Mailbox server that's a member of a DAG is also a node in the underlying cluster used by the DAG. As a result, at any
one time, a Mailbox server can be a member of only one DAG.
If the Mailbox server being added to a DAG doesn't have the failover clustering component installed, the method
used to add the server (for example, the Add-DatabaseAvailabilityGroupServer cmdlet or the Manage
Database Availability Group wizard) installs the failover clustering feature.
When the first Mailbox server is added to a DAG, the following occurs:
The Windows failover clustering component is installed, if it isn't already installed.
A failover cluster is created using the name of the DAG. This failover cluster is used exclusively by the DAG,
and the cluster must be dedicated to the DAG. Use of the cluster for any other purpose isn't supported.
A CNO is created in the default computers container.
The name and IP address of the DAG is registered as a Host (A) record in Domain Name System (DNS ).
The server is added to the DAG object in Active Directory.
The cluster database is updated with information on the databases mounted on the added server.
In a large or multiple site environment, especially those in which the DAG is extended to multiple Active Directory
sites, you must wait for Active Directory replication of the DAG object containing the first DAG member to
complete. If this Active Directory object isn't replicated throughout your environment, adding the second server
may cause a new cluster (and new CNO ) to be created for the DAG. This is because the DAG object appears
empty from the perspective of the second member being added, thereby causing the Add-
DatabaseAvailabilityGroupServer cmdlet to create a cluster and CNO for the DAG, even though these objects
already exist. To verify that the DAG object containing the first DAG server has been replicated, use the Get-
DatabaseAvailabilityGroup cmdlet on the second server being added to verify that the first server you added is
listed as a member of the DAG.
When the second and subsequent servers are added to the DAG, the following occurs:
The server is joined to the Windows failover cluster for the DAG.
The quorum model is automatically adjusted:
A Node Majority quorum model is used for DAGs with an odd number of members.
A Node and File Share Majority quorum model is used for DAGs with an even number of members.
The witness directory and share are automatically created by Exchange when needed.
The server is added to the DAG object in Active Directory.
The cluster database is updated with information about mounted databases.
NOTE
The quorum model change should happen automatically. However, if the quorum model doesn't automatically change to
the proper model, you can run the Set-DatabaseAvailabilityGroup cmdlet with only the Identity parameter to correct the
quorum settings for the DAG.
If your DAG members are running Windows Server 2012, you must pre-stage the CNO prior to adding the first
server to the DAG. If your DAG members are running Windows Server 2012 R2, and you create a DAG without a
cluster administrative access point, then a CNO will not be created, and you do not need to create a CNO for the
DAG.
In environments where computer account creation is restricted, or where computer accounts are created in a
container other than the default computers container, you can pre-stage and provision the CNO. You create and
disable a computer account for the CNO, and then either:
Assign full control of the computer account to the computer account of the first Mailbox server you're
adding to the DAG.
Assign full control of the computer account to the Exchange Trusted Subsystem USG.
Assigning full control of the computer account to the computer account of the first Mailbox server you're adding
to the DAG ensures that the LOCAL SYSTEM security context will be able to manage the pre-staged computer
account. Assigning full control of the computer account to the Exchange Trusted Subsystem USG can be used
instead because the Exchange Trusted Subsystem USG contains the machine accounts of all Exchange servers in
the domain.
For detailed steps about how to pre-stage and provision the CNO for a DAG, see Pre-stage the cluster name
object for a database availability group.
Removing servers from a DAG
Mailbox servers can be removed from a DAG by using the Manage Database Availability Group wizard in the
EAC or the Remove-DatabaseAvailabilityGroupServer cmdlet in the Exchange Management Shell. Before a
Mailbox server can be removed from a DAG, all replicated mailbox databases must first be removed from the
server. If you attempt to remove a Mailbox server with replicated mailbox databases from a DAG, the task fails.
There are scenarios in which you must remove a Mailbox server from a DAG before performing certain
operations. These scenarios include:
Performing a server recovery operation: If a Mailbox server that's a member of a DAG is lost, or
otherwise fails and is unrecoverable and needs replacement, you can perform a server recovery operation
using the Setup /m:RecoverServer switch. However, before you can perform the recovery operation, you
must first remove the server from the DAG using the Remove-DatabaseAvailabilityGroupServer cmdlet
with the ConfigurationOnly parameter.
Removing the database availability group: There may be situations in which you need to remove a
DAG (for example, when disabling third-party replication mode). If you need to remove a DAG, you must
first remove all servers from the DAG. If you attempt to remove a DAG that contains any members, the
task fails.
SETTING DESCRIPTION
SETTING DESCRIPTION
DAG networks
A DAG network is a collection of one or more subnets used for either replication traffic or MAPI traffic. Each DAG
contains a maximum of one MAPI network and zero or more replication networks. In a single network adapter
configuration, the network is used for both MAPI and replication traffic. Although a single network adapter and
path is supported, we recommend that each DAG have a minimum of two DAG networks. In a two-network
configuration, one network is typically dedicated for replication traffic, and the other network is used primarily for
MAPI traffic. You can also add network adapters to each DAG member and configure additional DAG networks as
replication networks.
NOTE
When using multiple replication networks, there's no way to specify an order of precedence for network use. Exchange
randomly selects a replication network from the group of replication networks to use for log shipping.
In Exchange 2010, manual configuration of DAG networks was necessary in many scenarios. By default, in later
versions of Exchange, DAG networks are automatically configured by the system. Before you can create or modify
DAG networks, you must first enable manual DAG network control by running the following command:
After you've enabled manual DAG network configuration, you can use the New-
DatabaseAvailabilityGroupNetwork cmdlet in the Exchange Management Shell to create a DAG network. For
detailed steps about how to create a DAG network, see Create a database availability group network.
You can use the Set-DatabaseAvailabilityGroupNetwork cmdlet in the Exchange Management Shell to
configure DAG network properties. For detailed steps about how to configure DAG network properties, see
Configure database availability group network properties. Each DAG network has required and optional
parameters to configure:
Network name: A unique name for the DAG network of up to 128 characters.
Network description: An optional description for the DAG network of up to 256 characters.
Network subnets: One or more subnets entered using a format of IPAddress/Bitmask (for example,
192.168.1.0/24 for Internet Protocol version 4 (IPv4) subnets; 2001:DB8:0:C000::/64 for Internet Protocol
version 6 (IPv6) subnets).
Enable replication: In the EAC, select the check box to dedicate the DAG network to replication traffic and
block MAPI traffic. Clear the check box to prevent replication from using the DAG network and to enable
MAPI traffic. In the Exchange Management Shell, use the ReplicationEnabled parameter in the Set-
DatabaseAvailabilityGroupNetwork cmdlet to enable and disable replication.
NOTE
Disabling replication for the MAPI network doesn't guarantee that the system won't use the MAPI network for replication.
When all configured replication networks are offline, failed, or otherwise unavailable, and only the MAPI network remains
(which is configured as disabled for replication), the system uses the MAPI network for replication.
The initial DAG networks (for example, MapiDagNetwork and ReplicationDagNetwork01) created by the system
are based on the subnets enumerated by the Cluster service. Each DAG member must have the same number of
network adapters, and each network adapter must have an IPv4 address (and optionally, an IPv6 address as well)
on a unique subnet. Multiple DAG members can have IPv4 addresses on the same subnet, but each network
adapter and IP address pair in a specific DAG member must be on a unique subnet. In addition, only the adapter
used for the MAPI network should be configured with a default gateway. Replication networks shouldn't be
configured with a default gateway.
For example, consider DAG1, a two-member DAG where each member has two network adapters (one dedicated
for the MAPI network and the other for a replication network). Example IP address configuration settings are
shown in the following table.
Example network adapter settings
In the following configuration, there are two subnets configured in the DAG: 192.168.1.0 and 10.0.0.0. When EX1
and EX2 are added to the DAG, two subnets will be enumerated and two DAG networks will be created:
MapiDagNetwork (192.168.1.0) and ReplicationDagNetwork01 (10.0.0.0). These networks will be configured as
shown in the following table.
Enumerated DAG network settings for a single-subnet DAG
In the following configuration, there are four subnets configured in the DAG: 192.168.0.0, 192.168.1.0, 10.0.0.0,
and 10.0.1.0. When EX1 and EX2 are added to the DAG, four subnets will be enumerated, but only two DAG
networks will be created: MapiDagNetwork (192.168.0.0, 192.168.1.0) and ReplicationDagNetwork01 (10.0.0.0,
10.0.1.0). These networks will be configured as shown in the following table.
Enumerated DAG network settings for a multi-subnet DAG
This command will also disable the network for use by the cluster. Although the iSCSI networks will continue to
appear as DAG networks, they won't be used for MAPI or replication traffic after running the above command.
If any of the preceding tasks fails, all operations, except for successful database moves, are undone by the script.
To begin maintenance procedures on a DAG member, including flushing the transport queues and suspending
client connectivity, perform the following tasks:
1. To empty the transport queues, run the following command:
2. To initiate the draining of the transport queues, run the following command:
Restart-Service MSExchangeTransport
3. To begin the process of draining all Unified Messaging calls (in Exchange 2016 only), run the following
command:
CD $ExScripts
For the value of the MoveComment parameter, you can make any notation you want. The above example
uses "Maintenance."
NOTE
This script can take some time to execute, and during this time you may not see any activity on your screen.
6. To redirect messages pending delivery in the local queues to the Exchange server specified by the Target
parameter, run
To verify that a server is ready for maintenance, perform the following tasks:
1. To verify the server has been placed into maintenance mode, confirm that only Monitoring and
RecoveryActionsEnabled are in an Active state when you run the following command:
2. To verify the server is not hosting any active database copies, run:
Get-Queue
After the maintenance is complete and the DAG member is ready to return to service, the
StopDagServerMaintenance.ps1 script helps takes the DAG member out of maintenance mode and put it back
into production. The StopDagServerMaintenance.ps1 script performs the following tasks:
Resumes the node in the cluster, which enables full cluster functionality for the DAG member.
Sets the value of the DatabaseCopyAutoActivationPolicy parameter on the DAG member to Unrestricted
.
Runs the Resume-MailboxDatabaseCopy cmdlet for each database copy hosted on the DAG member.
When you're ready to restore the DAG member to full production status, including resuming the transport queues
and client connectivity, perform the following tasks:
1. To configure the server as out of maintenance mode and ready to accept client connections, run:
2. To allow the server to accept Unified Messaging calls (in Exchange 2016 only), run:
4. To enable the transport queues to resume accepting and processing messages, run:
Restart-Service MSExchangeTransport
To verify that a server is ready for production use, perform the following tasks:
1. To verify the server is not in maintenance mode, run
If you're installing an Exchange update, and the update process fails, it can leave some server components in an
inactive state, which will be displayed in the output of the above Get-ServerComponentState cmdlet. To resolve this,
run the following commands:
1. Set-ServerComponentState <ServerName> -Component ServerWideOffline -State Active -Requester Functional
A database availability group (DAG ) is a set of up to 16 Microsoft Exchange Server Mailbox servers that provide
automatic database-level recovery from a database, server, or network failure. When a Mailbox server is added to
a DAG, it works with the other servers in the DAG to provide automatic, database-level recovery from database,
server, and network failures.
IMPORTANT
All servers within a DAG must be running the same version of Exchange. You can't mix Exchange 2013 servers and
Exchange servers in the same DAG.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
The next example creates a DAG named DAG2. For the DAG's witness server, the system automatically selects an
Exchange server with Client Access services that is in the local Active Directory site. DAG2 is assigned a single
static IP address because in this example all DAG members have the MAPI network on the same subnet.
This example creates the DAG DAG3. DAG3 is configured to use the witness server MBX2 and the local directory
C:\DAG3. DAG3 is assigned multiple static IP addresses because its DAG members are on different subnets on the
MAPI network.
This example creates the DAG DAG4 that's configured to use DHCP. In addition, the witness server will be
automatically selected by the system, and the default witness directory will be created.
This example creates the DAG DAG5 that will not have an administrative access point (valid for Windows Server
2012 R2 DAGs only). In addition, MBX4 will be used as the witness server for the DAG, and the default witness
directory will be created.
In environments where computer account creation is restricted, or where computer accounts are created in a
container other than the default computers container, you can pre-stage the cluster name object (CNO ) and then
provision the CNO by assigning permissions to it.
Pre-staging the CNO is also required for Windows Server 2012 and Windows Server 2012 R2 DAG members
due to permissions changes in Windows for computer objects. When deploying a database availability group
(DAG ) using Mailbox servers that are running Windows Server 2012 or Windows Server 2012 R2, you must pre-
stage and provision the CNO, unless you're deploying a DAG without a cluster administrative access point. DAGs
without cluster administrative access points do not use CNOs; therefore pre-staging is not required for those
DAGs.
You create and disable a computer account for the CNO, and then either:
Assign full control of the computer account to the computer account of the first Mailbox server you're
adding to the DAG.
-Or-
Assign full control of the computer account to the Exchange Trusted Subsystem universal security group
(USG ).
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This configuration requires three separate physical locations: two datacenters for mailbox servers and a third
location to place the witness server for the DAG. Organizations with only two physical locations now can also take
advantage of automatic datacenter failover by using a Microsoft Azure file server virtual machine to act as the
DAG's witness server. This article focuses on the placement of the DAG witness on Microsoft Azure and assumes
that you're familiar with site resilience concepts and already have a fully functional DAG infrastructure spanning
two datacenters. If you don't already have your DAG infrastructure configured, we recommend that you first
review the following articles:
High availability and site resilience
Database availability groups
Plan for high availability and site resilience
NOTE
This configuration leverages Azure virtual machines and a multi-site VPN for deploying the witness server and does not use
the Azure Cloud Witness.
NOTE
It is technically possible to use a single Azure VM for this purpose and place the file witness share on the domain controller.
However, this will result in an unnecessary elevation of privileges. Therefore, it is not a recommended configuration.
NOTE
A significant portion of the guidance in this article involves Microsoft Azure configuration. Therefore, we link to Azure
documentation whenever applicable.
Prerequisites
Two datacenters that are capable of supporting an Exchange high availability and site resilience deployment.
See Plan for high availability and site resilience for more information.
A public IP address that is not behind NAT for the VPN gateways in each site.
A VPN device in each site that is compatible with Microsoft Azure. See About VPN Devices for Virtual
Network for more information about compatible devices.
Familiarity with DAG concepts and management.
Familiarity with Windows PowerShell.
Phase 1: Prepare the Microsoft Azure virtual network
Configuring the Microsoft Azure network is the most crucial part of the deployment process. At the end of this
phase, you will have a fully functional Azure virtual network that is connected to your two datacenters via a multi-
site VPN.
Register DNS servers
Because this configuration requires name resolution between the on-premises servers and Azure VMs, you will
need to configure Azure to use your own DNS servers. Name resolution (DNS ) topic provides an overview of
name resolution in Azure.
Do the following to register your DNS servers:
1. In the Azure portal, go to networks, and then click NEW.
2. Click NETWORK SERVICES > VIRTUAL NETWORK > REGISTER DNS SERVER.
3. Type the name and IP address for your DNS server. The name specified here is a logical name used in the
management portal and doesn't have to match the actual name of your DNS server.
4. Repeat steps 1 through 3 for any other DNS servers you want to add.
NOTE
The DNS servers you register are not used in a round robin fashion. Azure VMs will use the first DNS server listed
and will only use any additional servers if the first one is not available.
5. Repeat steps 1 through 3 to add the IP address you will use for the domain controller you will deploy on
Microsoft Azure.
Create local (on-premises ) network objects in Azure
Next, do the following to create logical network objects that represent your datacenters in Microsoft Azure:
1. In the Azure portal, and then go to networks, and then click NEW.
2. Click NETWORK SERVICES > VIRTUAL NETWORK > ADD LOCAL NETWORK.
3. Type the name for your first datacenter site and the IP address of the VPN device on that site. This IP
address must be a static public IP address that is not behind NAT.
4. On the next screen, specify the IP subnets for your first site.
5. Repeat steps 1through 4 for your second site.
Create the Azure virtual network
Now, do the following to create an Azure virtual network that will be used by the VMs:
1. In the Azure portal, go to networks, and then click NEW.
2. Click NETWORK SERVICES > VIRTUAL NETWORK > CUSTOM CREATE.
3. On the Virtual Network Details page, specify a name for the virtual network, and select a geographic
location for the network.
4. In the DNS Servers and VPN Connectivity page, verify that the DNS servers you previously registered
are listed as the DNS servers.
5. Select the Configure a site-to-site VPN check box under SITE -TO -SITE CONNECTIVITY.
IMPORTANT
Do not select Use ExpressRoute because this will prevent the necessary configuration changes required to set up a
multi-site VPN.
6. Under LOCAL NETWORK, select one of the two on-premises networks you configured.
7. In the Virtual Network Address Spaces page, specify the IP address range you will use for your Azure
virtual network.
Checkpoint: Review the network configuration
At this point, when you go to networks, you should see the virtual network you configured under VIRTUAL
NETWORKS, your local sites under LOCAL NETWORKS, and your registered DNS servers under DNS
SERVERS.
Phase 2: Configure a multi-site VPN
The next step is to establish the VPN gateways to your on-premises sites. To do this, you need to:
1. Establish a VPN gateway to one of your sites by using the Azure portal.
2. Export the virtual network configuration settings.
3. Modify the configuration file for multi-site VPN.
4. Import the updated Azure network configuration.
5. Record the Azure gateway IP address and preshared keys.
6. Configure on-premises VPN devices.
For more information about configuring a multi-site VPN, see Configure a Multi-Site VPN.
Establish a VPN gateway to your first site
When creating your virtual gateway, note that you already specified that it will be connected to your first on-
premises site. When you go into the virtual network dashboard, you will see that the gateway has not been
created.
To establish the VPN gateway on the Azure side, follow the instructions in the Start the virtual network gateway
section of Configure a Virtual Network Gateway in the Management Portal.
IMPORTANT
Only perform the steps in the "Start the virtual network gateway" section of the article, and do not continue to the
subsequent sections.
To configure your second site, add another "LocalNetworkSiteRef" section under the
"ConnectionsToLocalNetwork" section. The section in the updated configuration file will look like the following
(assuming the site name for your second local site is "Site B").
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Site A">
<Connection type="IPsec" />
<LocalNetworkSiteRef name="Site B">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
If both tunnels are up and running, the output of this command will look like the following.
LocalNetworkSiteName ConnectivityState
-------------------- -----------------
Site A Connected
Site B Connected
You can also verify connectivity by viewing the virtual network dashboard in the Azure management portal. The
STATUS column for both sites will show as Connected.
NOTE
It can take several minutes after the connection is successfully established for the status change to appear in the Azure
management portal.
NOTE
A VM with a preferred IP address will attempt to use that address. However, if that address has been assigned to a
different VM, the VM with the preferred IP address configuration will not start. To avoid this situation, make sure that
the IP address you use isn't assigned to another VM. See Configure a Static Internal IP Address for a VM for more
information.
3. Provision the domain controller VM on Azure using the standards used by your organization.
4. Prepare the file server with the prerequisites for an Exchange DAG witness:
a. Add the File Server role using the Add Roles and Features Wizard or the Add-WindowsFeature
cmdlet.
b. Add the Exchange Trusted Subsystems universal security group to the Local Administrators group.
Checkpoint: Review virtual machine status
At this point, your virtual machines should be up and running and should be able to communicate with servers in
both of your on-premises datacenters:
Verify that your domain controller in Azure is replicating with your on-premises domain controllers.
Verify that you can reach the file server on Azure by name and establish an SMB connection from your
Exchange servers.
Verify that you can reach your Exchange servers by name from the file server on Azure.
Phase 4: Configure the DAG witness
Finally, you need to configure your DAG to use the new witness server. By default, Exchange uses the
C:\DAGFileShareWitnesses as the file share witness path on your witness server. If you're using a custom file path,
you should also update the witness directory for the specific share.
1. Connect to Exchange Management Shell.
2. Run the following command to configure the witness server for your DAGs.
Verify that the WitnessServer parameter is set to the file server on Azure, the WitnessDirectory parameter is
set to the correct path, and the WitnessShareInUse parameter shows Primary.
2. If the DAG has an even number of nodes, the file share witness will be configured. Validate the file share
witness setting in cluster properties by running the following command. The value for the SharePath
parameter should point to the file server and display the correct path.
3. Next, verify the status of the "File Share Witness" cluster resource by running the following command. The
State of the cluster resource should display Online.
4. Lastly, verify that the share is successfully created on the file server by reviewing the folder in File Explorer
and the shares in Server Manager.
Remove a database availability group
8/23/2019 • 2 minutes to read • Edit Online
Removing a DAG is a quick and easy task. You can use the EAC or the Exchange Management Shell to remove a
DAG.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
If the DAG was successfully deleted, the preceding command will produce an error message indicating the
object could not be found.
Configure AutoReseed for a database availability
group
8/23/2019 • 5 minutes to read • Edit Online
Use the steps in this topic to configure AutoReseed for a database availability group (DAG ) in Exchange Server.
Cau t i on
The AutoReseed feature doesn't perform any prerequisite configuration tasks for you. Installing disks correctly,
adding spare disks to the system, replacing bad disks, and formatting new disks must be done manually by an
administrator.
For additional management tasks related to DAGs, see Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example illustrates how to configure the root path for the storage volumes.
md C:\ExchangeDatabases
md C:\ExchangeVolumes
Dir C:\
Dir C:\
md c:\ExchangeDatabases\db001
md c:\ExchangeDatabases\db002
md c:\ExchangeDatabases\db003
md c:\ExchangeDatabases\db004
Dir C:\ExchangeDatabases
Mountvol.exe C:\ExchangeDatabases\db001 /L
md c:\ExchangeDatabases\db001\db001.db
md c:\ExchangeDatabases\db001\db001.log
md c:\ExchangeDatabases\db002\db002.db
md c:\ExchangeDatabases\db002\db002.log
md c:\ExchangeDatabases\db003\db003.db
md c:\ExchangeDatabases\db003\db003.log
md c:\ExchangeDatabases\db004\db004.db
md c:\ExchangeDatabases\db004\db004.log
Dir C:\ExchangeDatabases /s
2. Run the following command to verify the directory structure is configured correctly (below are the default
paths; if necessary, substitute the paths for the paths you're using).
Dir c:\ExchangeDatabases /s
Dir c:\ExchangeVolumes /s
Configure database availability group network
properties
8/23/2019 • 2 minutes to read • Edit Online
Configurable properties include the name of the DAG network, a description field for the DAG network, a list of
subnets that are used by the DAG network, and whether the DAG network is enabled for replication.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
These options will only be visible if you have selected Configure database availability group networks manually
on the DAG properties page.
Disable Replication or Enable Replication: Configures the replication settings for the DAG network.
Remove: Removes a DAG network. Before you can remove a DAG network, you must first remove all
associated subnets from the DAG network.
View details: Configures DAG network properties, such as the name, description, and associated subnets
for the DAG network. You can also view the network interfaces associated with those subnets, and enable or
disable replication for the DAG network.
Use the Exchange Management Shell to configure database availability
group network properties
This example adds a subnet of 10.0.0.0 and subnet mask of 255.0.0.0 to the DAG network MapiDagNetwork in the
DAG DAG1.
You can use the EAC or the Exchange Management Shell to create a DAG network.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
When you add a server to a DAG, the server works with the other DAG members to provide automatic database-
level recovery from database, server, or network failures. When you remove a server from a DAG, the server is no
longer automatically protected from failures.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example removes the Mailbox server MBX1 from the DAG DAG1. Before running this command, make sure
that no replicated databases exist on the Mailbox server.
This example removes the configuration settings for the Mailbox server MBX4 from the DAG DAG2. MBX4 is
expected to be offline for an extended period, so its configuration is being removed from the DAG while it's offline
to establish quorum with the remaining online DAG members.
The Exchange Management Shell enables you to configure DAG properties that aren't available in the EAC, such
as alternate witness server and alternate witness directory information, the TCP port used for replication, and
datacenter activation coordination (DAC ) mode.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example preconfigures an alternate witness server of MBX3 and an alternate witness directory of
C:\DAGFileShareWitnesses\DAG1.contoso.com for the DAG DAG1.
This example configures the DAG DAG1 to use Dynamic Host Configuration Protocol (DHCP ) to obtain an IP
address.
This example configures the DAG DAG1 to use a static IP address of 10.0.0.8.
This example configures the multi-subnet DAG DAG1 with multiple static IP addresses.
This example configures the replication port for the DAG DAG1 to be 63132.
In Exchange Server, you can use the Exchange Management Console (EAC ) or the Exchange Management Shell
to add mailbox database copies after a database availability group (DAG ) has been created, configured, and
populated with Mailbox server members.
LooseTruncation_MinDiskFreeSpaceThr Available disk space (in MB) threshold If this registry value is not configured,
esholdInMB for triggering loose truncation. If free the default value used by loose
disk space falls below this value, loose truncation is 200 GB.
truncation is triggered.
LooseTruncation_MinLogsToProtect The minimum number of log files to If this registry value is not configured,
retain on healthy copies whose logs are then default values of 100,000 for
being truncated. If this registry value is passive database copies and 10,000 for
configured, then the configured value active database copies is used.
applies to both active and passive
copies.
When using the LooseTruncation_MinLogsToProtect registry value, note that the behavior is different for active
and passive database copies. On the active database copy, this is the number of extra logs that are retained
preceding those that are required by the protected passive copies and the required range of the active copy.On a
passive database copy, this is the number of logs maintained from the latest available log. One tenth of this
number is also used to maintain logs prior to the required range of this passive copy. The two limits are in place
to ensure that lagged database copies don't take up too much space, since their required range is typically very
large.
Database activation policy
There are scenarios in which you may want to create a mailbox database copy and prevent the system from
automatically activating that copy in the event of a failure, for example:
If you deploy one or more mailbox database copies to an alternate or standby datacenter.
If you configure a lagged database copy for recovery purposes.
If you're performing maintenance or an upgrade of a server.
In each of the preceding scenarios, you have database copies that you don't want the system to activate
automatically. To prevent the system from automatically activating a mailbox database copy, you can configure
the copy to be blocked (suspended) for activation. This allows the system to maintain the currency of the
database through log shipping and replay, but prevents the system from automatically activating and using the
copy. Copies blocked for activation must be manually activated by an administrator. You can configure the
database activation policy for an entire server by using the Set-MailboxServer cmdlet or an individual database
copy by using the Set-MailboxDatabaseCopy cmdlet to set the DatabaseCopyAutoActivationPolicy parameter to
Blocked.
For more information about configuring database activation policy, see Configure activation policy for a mailbox
database copy.
Effect of mailbox moves on continuous replication
On a very busy mailbox database with a high log generation rate, there is a greater chance for data loss if
replication to the passive database copies can't keep up with log generation. One scenario that can introduce a
high log generation rate is mailbox moves. Exchange Server includes a Data Guarantee API that's used by
services such as the Exchange Mailbox Replication service (MRS ) to check the health of the database copy
architecture based on the value of the DataMoveReplicationConstraint parameter that was set by the system or
an administrator. Specifically, the Data Guarantee API can be used to:
Check replication health: Confirms that the prerequisite number of database copies is available.
Check replication flush: Confirms that the required log files have been replayed against the prerequisite
number of database copies.
When executed, the API returns the following status information to the calling application:
Retry: Signifies that there are transient errors that prevent a condition from being checked against the
database.
Satisfied: Signifies that the database meets the required conditions or the database isn't replicated.
NotSatisfied: Signifies that the database doesn't meet the required conditions. In addition, information is
provided to the calling application as to why the NotSatisfied response was returned.
The value of the DataMoveReplicationConstraint parameter for the mailbox database determines how many
database copies should be evaluated as part of the request. The DataMoveReplicationConstraint parameter has
the following possible values:
None : When you create a mailbox database, this value is set by default. When this value is set, the Data
Guarantee API conditions are ignored. This setting should be used only for mailbox databases that aren't
replicated.
SecondCopy : This is the default value when you add the second copy of a mailbox database. When this
value is set, at least one passive database copy must meet the Data Guarantee API conditions.
SecondDatacenter: When this value is set, at least one passive database copy in another Active Directory
site must meet the Data Guarantee API conditions.
: When this value is set, at least one passive database copy in each Active Directory site
AllDatacenters
must meet the Data Guarantee API conditions.
AllCopies : When this value is set, all copies of the mailbox database must meet the Data Guarantee API
conditions.
Check Replication Health
When the Data Guarantee API is executed to evaluate the health of the database copy infrastructure, several
items are evaluated.
In all scenarios, the passive database copy must meet the following conditions:
Be healthy.
Have a replay queue within 10 minutes of the replay lag time.
Have a copy queue length less than 10 logs.
Have an average copy queue length less than 10 logs. The average copy queue length is computed based
on the number of times the application has queried the database status.
IF THE DATAMOVEREPLICATIONCONSTRAINT PARAMETER IS SET
TO... THEN, FOR A GIVEN DATABASE...
AllCopies The active copy must be mounted, and all passive database
copies must meet the previously described conditions.
A DAG that spans twoActive Directory sites, and you will SecondDatacenter
have highly available database copies in each site
A DAG that spans two Active Directory sites, and you will SecondCopy
have only lagged database copies in the second site This is because the Data Guarantee API won't guarantee data
being committed until the log file is replayed into the
database copy, and due to the nature of the database copy
being lagged, this constraint will fail the move request, unless
the lagged database copy ReplayLagTime value is less than
30 minutes.
A DAG that spans three or more Active Directory sites, and AllDatacenters
each site will contain highly available database copies
EX1 5 11 5 0 4, 4, 3, 5
EX2 1 15 1 0 1, 8, 6, 1
EX3 12 4 12 0 13, 2, 1, 0
EX4 1 15 1 0 1, 1, 5, 9
In the preceding example, there are four copies of each database, and therefore, only four possible values for
activation preference (1, 2, 3, or 4). The Preference count list column shows the count of the number of
databases with each of these values. For example, on EX3, there are 13 database copies with an activation
preference of 1, two copies with an activation preference of 2, one copy with an activation preference of 3, and no
copies with an activation preference of 4.
As you can see, this DAG isn't balanced in terms of the number of active databases hosted by each DAG member,
the number of passive databases hosted by each DAG member, or the activation preference count of the hosted
databases.
You can use the RedistributeActiveDatabases.ps1 script to balance the active mailbox databases copies across a
DAG. This script moves databases between their copies in an attempt to have an equal number of mounted
databases on each server in DAG. If required, the script also attempts to balance active databases across sites.
The script provides two options for balancing active database copies within a DAG:
BalanceDbsByActivationPreference: When this option is specified, the script attempts to move
databases to their most preferred copy (based on activation preference) without regard to the Active
Directory site.
BalanceDbsBySiteAndActivationPreference: When this option is specified, the script attempts to
move active databases to their most preferred copy, while also trying to balance active databases within
each Active Directory site.
After running the script with the first option, the preceding unbalanced DAG becomes balanced, as shown in the
following table.
DAG with balanced active copy distribution
EX1 4 12 4 0 4, 4, 4, 4
EX2 4 12 4 0 4, 4, 4, 4
EX3 4 12 4 0 4, 4, 4, 4
EX4 4 12 4 0 4, 4, 4, 4
As shown in the preceding table, this DAG is now balanced in terms of number of active and passive databases
on each server and activation preference across the servers.
The following table lists the available parameters for the RedistributeActiveDatabases.ps1 script.
RedistributeActiveDatabases.ps1 script parameters
PARAMETER DESCRIPTION
DagName Specifies the name of the DAG you want to rebalance. If this
parameter is omitted, the DAG of which the local server is a
member is used.
BalanceDbsByActivationPreference Specifies that the script should move databases to their most
preferred copy without regard to the Active Directory site.
ShowDatabaseCurrentActives Specifies that the script produce a report for each database
detailing how the database was moved and whether it's now
active on its most-preferred copy.
ShowDatabaseDistributionByServer Specifies that the script produce a report for each server
showing its database distribution.
RunOnlyOnPAM Specifies that the script run only on the DAG member that
currently has the PAM role. The script verifies it's being run
from the PAM. If it isn't being run from the PAM, the script
exits.
This example redistributes and balances the active mailbox database copies in a DAG using activation preference
without prompting for input.
This example redistributes and balances the active mailbox database copies in a DAG using activation preference,
and produces a summary of the distribution.
NOTE
A database copy is your first defense if a failure occurs that affects the active copy of a database. It's therefore critical to
monitor the health and status of database copies to ensure that they are available when needed.
For more information about monitoring database copies, see Monitor database availability groups.
Removing a database copy
A database copy can be removed at any time by using the EAC or by using the Remove-
MailboxDatabaseCopy cmdlet in the Exchange Management Shell. After removing a database copy, you must
manually delete any database and transaction log files from the server from which the database copy is being
removed. For detailed steps about how to remove a database copy, see Remove a mailbox database copy.
Database switchovers
The Mailbox server that hosts the active copy of a database is referred to as the mailbox database master. The
process of activating a passive database copy changes the mailbox database master for the database and turns
the passive copy into the new active copy. This process is called a database switchover. In a database switchover,
the active copy of a database is dismounted on one Mailbox server and a passive copy of that database is
mounted as the new active mailbox database on another Mailbox server. When performing a switchover, you can
optionally override the database mount dial setting on the new mailbox database master.
You can quickly identify which Mailbox server is the current mailbox database master by reviewing the right-
hand column under the Database Copies tab in the EAC. You can perform a switchover by using the Activate
link in the EAC, or by using the Move-ActiveMailboxDatabase cmdlet in the Exchange Management Shell.
There are several internal checks that will be performed before a passive copy is activated. In some cases, the
database switchover is blocked or canceled. In other cases, you can use cmdlets to move or skip over some
checks.
The status of the database copy is checked. If the database copy is in a failed state, the switchover is
blocked. You can override this behavior and bypass the health check by using the SkipHealthChecks
parameter of the Move-ActiveMailboxDatabase cmdlet. This parameter lets you move the active copy
to a database copy in a failed state.
The active database copy is checked to see if it's currently a seeding source for any passive copies of the
database. If the active copy is currently being used as a source for seeding, the switchover is blocked. You
can override this behavior and bypass the seeding source check by using the SkipActiveCopyChecks
parameter of the Move-ActiveMailboxDatabase cmdlet. This parameter allows you to move an active
copy that's being used as a seeding source. Using this parameter will cause the seeding operation to be
cancelled and considered failed.
The copy queue and replay queue lengths for the database copy are checked to ensure their values are
within the configured criteria. Also, the database copy is verified to ensure that it isn't currently in use as a
source for seeding. If the values for the queue lengths are outside the configured criteria, or if the database
is currently used as a source for seeding, the switchover is blocked. You can override this behavior and
bypass these checks by using the SkipLagChecks parameter of the Move-ActiveMailboxDatabase
cmdlet. This parameter allows a copy to be activated that has replay and copy queues outside of the
configured criteria.
The state of the search catalog (content index) for the database copy is checked. If the search catalog isn't
up to date, is in an unhealthy state, or is corrupt, the switchover is blocked. You can override this behavior
and bypass the search catalog check by using the SkipClientExperienceChecks parameter of the Move-
ActiveMailboxDatabase cmdlet. This parameter causes this search to skip the catalog health check. If
the search catalog for the database copy you're activating is in an unhealthy or unusable state and you use
this parameter to skip the catalog health check and activate the database copy, you will need to either
crawl or seed the search catalog again.
When you perform a database switchover, you also have the option of overriding the mount dial settings
configured for the server that hosts the passive database copy being activated. Using the MountDialOverride
parameter of the Move-ActiveMailboxDatabase cmdlet instructs the target server to override its own mount
dial settings and use those specified by the MountDialOverride parameter.
For detailed steps about how to perform a switchover of a database copy, see Activate a mailbox database copy.
Add a mailbox database copy
8/23/2019 • 3 minutes to read • Edit Online
When you add a copy of a mailbox database, continuous replication is automatically enabled between the existing
database and the database copy. Database copies are automatically assigned an identity in the format of <
DatabaseName>\< HostMailboxServerName>. For example, a copy of the database DB1 that's hosted on the
server MBX3 would be DB1\MBX3.
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example adds a copy of mailbox database DB2 to the Mailbox server MBX4. Replay lag time and truncation
lag time are left at the default values of zero, and the activation preference is configured with a value of 5 . In
addition, seeding is being postponed for this copy so that it can be seeded using a local source server instead of
the current active database copy, which is geographically distant from MBX4.
This example adds a copy of mailbox database DB3 to the Mailbox server MBX5. Replay lag time is set to 3 days,
truncation lag time is left at the default value of zero, and the activation preference is configured with a value of 4
.
Get-MailboxDatabaseCopyStatus <DatabaseCopyName>
Each mailbox database copy has its own properties, which you can configure. These properties include the amount
of time, if any, for replay lag and truncation lag, and the activation preference number. For more information about
replay lag, truncation lag and the activation preference number, see Manage mailbox database copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Latest available log time: Displays the date and time stamp of the most recently generated log file
on the active copy of the database. This field is relevant only for passive database copies. On active
database copies (replicated and stand-alone), this field will display never.
Last inspected log time: Displays the date and time stamp of the last log file that was inspected by
the LogInspector on the selected database copy. This field is relevant only for passive database
copies. On active database copies (replicated and stand-alone), this field will display never.
Last copied log time: Displays the date and time stamp of the last log file that was copied by the
LogCopier on the selected database copy. This field is relevant only for passive database copies. On
active database copies (replicated and stand-alone), this field will display never.
Last replayed log time: Displays the date and time stamp of the last log file that was replayed by
the LogReplayer into the selected database copy. This field is relevant only for passive database
copies. On active database copies (replicated and stand-alone), this field will display never.
Activation preference number: Displays the activation preference number. This is used as part of
Active Manager's best copy selection process, and it is used to balance the DAG by redistributing
active mailbox databases throughout the DAG via the DAG's PreferenceMoveFrequency property. This
property defines the frequency (measured in time) when the Microsoft Exchange Replication service
rebalances database copies by performing a lossless switchover that activates the copy with an
activation preference number of 1. The value for activation preference is a number equal to or
greater than 1, where 1 is at the top of the preference order. The number can't be larger than the
number of copies of the mailbox database.
Replay lag time (days): Displays the amount of time that the Microsoft Exchange Information
Store service should wait before replaying log files that have been copied by the Microsoft Exchange
Replication service to the passive database copy. Setting this parameter to a value greater than 0
creates a lagged database copy. The default setting for this value is 0 days. The maximum allowable
value for this setting is 14 days. The minimum allowable value is 0 days, and setting this value to 0
disables replay lag.
This example configures a copy of the database DB1 that's hosted on Server1 with a replay lag time and
truncation lag time of 1 day, and an activation preference number of 2.
If the mailbox database being moved is replicated to one or more mailbox database copies, you must follow the
procedure in this topic to move the mailbox database path. All copies of a mailbox database must be located in the
same path on each server that hosts a copy. For example, if database DB1 is located at C:\mountpoints\DB1 on
server EX1, copies of DB1 on servers EX2, EX3, and so on, must also be located at C:\mountpoints\DB1.
NOTE
After you create a new mailbox database, you can move it to another volume, folder, location, or path by using either the EAC
or the Exchange Management Shell. For step-by-step instructions about how to move the database path for a non-
replicated mailbox database, see Manage mailbox databases in Exchange Server.
Looking for other management tasks related to mailbox database copies? Check out Managing mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
1. Note any replay lag or truncation lag settings for all copies of the mailbox database being moved. You can
obtain this information by using the Get-MailboxDatabase cmdlet, as shown in this example.
2. If circular logging is enabled for the database, it must be disabled before proceeding. You can disable circular
logging for a mailbox database by using the Set-MailboxDatabase cmdlet, as shown in this example.
3. Remove all mailbox database copies for the database being moved. For detailed steps, see Remove a
mailbox database copy. After all copies are removed, preserve the database and transaction log files from
each server from which the database copy is being removed by moving them to another location. These files
are being preserved so the database copies don't require re-seeding after they have been re-added.
4. Move the mailbox database path to the new location. For detailed steps, see Move a mailbox database path.
IMPORTANT
During the move operation, the database being moved must be dismounted. Until the move is complete, this process
will cause an interruption in service and an outage for all users with mailboxes on the database being moved. After
the move operation completes, the database is automatically mounted.
5. Create the necessary folder structure on each Mailbox server that previously contained a passive copy of the
moved mailbox database. For example, if you moved the database to C:\mountpoints\DB1, you must create
this same path on each Mailbox server that will host a mailbox database copy.
6. After creating the folder structure, move the passive copy of the mailbox database and its log stream to the
new location. These are the files that were left from and preserved after Step 3. Repeat this process for each
database copy that was removed in Step 3.
7. Add all of the database copies that were removed in Step 3. For detailed steps, see Add a mailbox database
copy.
8. On each server that contains a copy of the mailbox database being moved, run the following command to
stop and restart the content index services.
Restart-Service MSExchangeFastSearch
9. Optionally, enable circular logging by using the Set-MailboxDatabase cmdlet, as shown in this example.
10. Reconfigure any previously set values for replay lag time and truncation lag time by using the Set-
MailboxDatabaseCopy cmdlet, as shown in this example.
Set-MailboxDatabaseCopy DB1\MBX2 -ReplayLagTime 00:15:00
11. As each copy is added, we recommend that you verify the health and status of the copy prior to adding the
next copy. You can verify the health and status by:
a. Examining the event log for any error or warning events related to the database or the database copy.
b. Using the Get-MailboxDatabaseCopyStatus cmdlet to check the health and status of continuous
replication for the database copy.
c. Using the Test-ReplicationHealth cmdlet to verify the health and status of the database availability
group and continuous replication.
For detailed syntax and parameter information, see the following topics:
Get-MailboxDatabase
Set-MailboxDatabase
Set-MailboxDatabaseCopy
Get-MailboxDatabaseCopyStatus
Test-ReplicationHealth
Get-MailboxDatabaseCopyStatus <DatabaseCopyName>
Activation is the process of changing a mailbox database copy from a passive copy to an active copy. Activation can
occur automatically (by the system as part of a database or server failover operation) or it can be performed
manually (by an administrator as part of a database or server switchover operation). Blocking a database for
activation prevents it from becoming the active copy during a database or server failover.
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
Use the EAC to configure the activation policy for a mailbox database
copy
1. In the EAC, go to Servers > Databases.
2. Select the database that you want to configure.
3. In the Details pane, under Database Copies, locate the database copy you want to configure and click
Suspend.
4. Optionally, add a comment, and select the check box that says This copy can only be activated by
manual intervention.
5. Click Save to save the configuration changes for the mailbox database copy.
This example configures the database copies on server MBX3 as blocked for out-of-site activation.
This example configures the database copies on server MBX4 as unblocked for activation.
In the Exchange Management Shell, run the following command to verify activation settings for a DAG
member.
Updating, also known as seeding, is the process in which a copy of a mailbox database is added to another Mailbox
server in a database availability group (DAG ). The newly added copy becomes the baseline database for the
passive copy into which log files copied from the active copy are replayed. Seeding is required under the following
conditions:
When a new passive copy of a database is created. Seeding can be postponed for a new mailbox database
copy, but eventually each passive database copy must be seeded to function as a redundant database copy.
After a failover occurs in which data is lost as a result of the passive database copy having become diverged
and unrecoverable.
When the system has detected a corrupted log file that can't be replayed into the passive copy of the
database.
After an offline defragmentation of any copy of the database occurs.
After the log generation sequence for the database has been reset back to 1.
You can perform seeding by using the following methods:
Automatic seeding: An automatic seed produces a passive copy of the active database on the target
Mailbox server. Automatic seeding occurs during the creation of a database.
Seeding using the Update-MailboxDatabaseCopy cmdlet: You can use the Update-
MailboxDatabaseCopy cmdlet in the Exchange Management Shell to seed a database copy at any time.
Seeding using the Update Mailbox Database Copy wizard: You can use the Update Mailbox Database
Copy wizard in the EAC to seed a database copy at any time.
Manually copying the offline database: You can dismount the active copy of the database and copy the
database file to the same location on another Mailbox server in the same DAG. If you use this method, there
will be an interruption in service because the process requires you to dismount the database.
Updating a database copy can take a long time, especially if the database being copied is large, or if there is high
network latency or low network bandwidth. After the seeding process has started, don't close the EAC or the
Exchange Management Shell until the process has completed. If you do, the seeding operation will be terminated.
A database copy can be seeded using either the active copy or an up-to-date passive copy as the source for the
seed. When seeding from a passive copy, be aware that the seed operation will terminate with a network
communication error under the following circumstances:
If the status of the seeding source copy changes to Failed or FailedAndSuspended.
If the database fails over to another copy.
Multiple database copies can be seeded simultaneously. However, when seeding multiple copies simultaneously,
you must seed only the database file, and omit the content index catalog. You can do this by using the
DatabaseOnly parameter with the Update-MailboxDatabaseCopy cmdlet.
NOTE
If you don't use the DatabaseOnly parameter when seeding multiple targets from the same source, the task will fail with
SeedInProgressException error FE1C6491 .
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example shows how to seed a copy of the database DB1 on MBX1 using MBX2 as the source Mailbox server
for the seed.
This example shows how to seed a copy of the database DB1 on MBX1 without seeding the content index catalog.
This example shows how to seed the content index catalog for the copy of the database DB1 on MBX1 without
seeding the database file.
2. Dismount the database. You can use the Dismount-Database cmdlet, as shown in this example.
3. Manually copy the database files (the database file and all log files) to a second location, such as an external
disk drive or a network share.
4. Mount the database. You can use the Mount-Database cmdlet, as shown in this example.
Mount-Database DB1
5. On the server that will host the copy, copy the database files from the external drive or network share to the
same path as the active database copy. For example, if the active copy database path is D:\DB1\DB1.edb and
log file path is D:\DB1, you would copy the database files to D:\DB1 on the server that will host the copy.
6. Add the mailbox database copy by using the Add-MailboxDatabaseCopy cmdlet with the SeedingPostponed
parameter, as shown in this example.
7. If circular logging is enabled for the database, enable it again by using the Set-MailboxDatabase cmdlet, as
shown in this example.
Get-MailboxDatabaseCopyStatus <DatabaseCopyName>
You may need to suspend or resume a database copy for a variety of reasons, such as maintenance on the disk that
contains the database copy. Or you may need to suspend an individual database copy from activation for disaster
recovery purposes.
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example resumes a copy of the database DB2 on the server MBX2 for replication only.
Activating a mailbox database copy is the process of designating a specific passive copy as the new active copy of
a mailbox database. This process is referred to as a database switchover. A database switchover involves
dismounting the current active database and mounting the database copy on the specified server as the new
active mailbox database copy. The database copy that will become the active mailbox database must be healthy
and current.
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example performs a switchover of the database DB2 to the Mailbox server MBX1. When the command
completes, MBX1 hosts the active copy of DB2. Because the MountDialOverride parameter is set to None , MBX1
mounts the database using its own defined database auto mount dial settings.
This example performs a switchover of the database DB1 to the Mailbox server MBX3. When the command
completes, MBX3 hosts the active copy of DB1. Because the MountDialOverride parameter is specified with a
value of Good Availability , MBX3 mounts the database using a database auto mount dial setting of
GoodAvailability.
This example performs a switchover of the database DB3 to the Mailbox server MBX4. When the command
completes, MBX4 hosts the active copy of DB3. Because the MountDialOverride parameter isn't specified, MBX4
mounts the database using a database auto mount dial setting of Lossless.
This example performs a server switchover for the Mailbox server MBX1. All active mailbox database copies on
MBX1 will be activated on one or more other Mailbox servers with healthy copies of the active databases on
MBX1.
This example performs a switchover of the database DB4 to the Mailbox server MBX5. In this example, the
database copy on MBX5 has a replay queue greater than 6. As a result, the SkipLagChecks parameter must be
specified to activate the database copy on MBX5.
This example performs a switchover of the database DB5 to the Mailbox server MBX6. In this example, the
database copy on MBX6 has a ContentIndexState of Failed. As a result, the SkipClientExperienceChecks parameter
must be specified to activate the database copy on MBX6.
A lagged mailbox database copy is a mailbox database copy configured with a replay lag time value greater than 0.
If you want the database to replay all log files and make the database copy current, activating and recovering a
lagged mailbox database copy is a simple process. However, if you want to replay log files up to a specific point in
time, it's a more difficult operation because you have to manually manipulate log files and run Eseutil.
Looking for other information related to lagged mailbox database copies? Check out Manage mailbox database
copies
NOTE
The amount of time it takes to activate a lagged mailbox database copy directly depends on how many log files need to be
replayed and how fast the hardware can replay them. At a minimum, you should experience a log replay rate of at least two
logs per second per database.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
1. This example suspends replication for the lagged copy being activated by using the Suspend-
MailboxDatabaseCopy cmdlet.
2. Optionally (to preserve a lagged copy), make a copy of the database copy and its log files.
NOTE
At this point, continuing to perform this procedure on the existing volume would incur a copy on write performance
penalty. As an alternative, you can copy the database and log files to another volume to perform the recovery.
3. Determine which log files are required to replay into the database to meet your point-in-time requirement
for this recovery (based on log file date and time, as shown in Windows Explorer). All logs created after this
point should be moved to a different directory, until the recovery process is completed, and the logs are no
longer needed.
4. Delete the checkpoint (.chk) file for the database.
5. This example uses Eseutil to perform the recovery operation.
Eseutil.exe /r eXX /a
NOTE
• In the preceding example, e XX is the log generation prefix for the database (for example, E00, E01, E02, and so on).
• This step may take a considerable amount of time, depending on several factors, such as the length of the replay
lag time, the number of log files generated during that period, and the speed at which your hardware can replay
those logs into the database being recovered.
6. After log replay is finished, the database is in a clean shutdown state and can be copied and used for
recovery purposes.
7. After the recovery process is complete, this example resumes replication for the database that was used as
part of the recovery process.
Resume-MailboxDatabaseCopy DB1\EX3
3. Optionally (to preserve a lagged copy), make a copy of the database copy and its log files.
NOTE
At this point, continuing to perform this procedure on the existing volume would incur a copy on write performance
penalty. If this isn't desirable, you can copy the database and log files to another volume to perform the recovery.
4. This example activates the lagged mailbox database copy using the Move-ActiveMailboxDatabase cmdlet
with the SkipLagChecks parameter.
## Use the Exchange Management Shell to activate a lagged mailbox database copy by using SafetyNet recovery
1. Optionally (to preserve a lagged copy), take a file system-based (non-Exchange aware) Volume Shadow Copy
Service (VSS) snapshot of the volumes containing the database copy and its log files.
2. This example suspends replication for the lagged copy being activated by using the [Suspend-
MailboxDatabaseCopy](http://technet.microsoft.com/library/b6e03402-706e-40c6-b392-92e3da21b5c0.aspx) cmdlet.
3. Optionally (to preserve a lagged copy), make a copy of the database copy and its log files.
> [!NOTE]
> At this point, continuing to perform this procedure on the existing volume would incur a copy-on-write
performance penalty. If this isn't desirable, you can copy the database and log files to another volume to
perform the recovery.
4. Determine the required logs for the lagged database copy by looking for the "Log Required:" value in
ESEUTIL database header output
Take note of the hexadecimal numbers in parentheses. The first number is the lowest generation required
(referred to as LowGeneration), and the second number is the highest generation required (referred to as
HighGeneration). Move all log generation files that have a generation sequence greater than HighGeneration to
a different location so that they are not replayed into the database.
5. On the server hosting the active copy of database, either delete the log files for the lagged copy being
activated from the active copy, or stop the Microsoft Exchange Replication service.
4. Perform a database switchover and activate the lagged copy. This example activates the database by using
the [Move-ActiveMailboxDatabase](http://technet.microsoft.com/library/755d1ecb-95d1-45e3-9a21-
56df9f196f37.aspx) cmdlet with several parameters.
Move-ActiveMailboxDatabase DB1 -ActivateOnServer EX3 -MountDialOverride BestEffort -
SkipActiveCopyChecks -SkipClientExperienceChecks -SkipHealthChecks -SkipLagChecks
6. At this point, the database will automatically mount and request redelivery of missing messages from
SafetyNet.
To verify that you've successfully activated a lagged mailbox database copy, do one of the following:
- In the EAC, navigate to **Servers** \> **Databases**. Select the appropriate database, and in the Details
pane, click **View details** to view the database copy properties.
- In the Exchange Management Shell, run the following command to display status information for a database
copy.
Get-MailboxDatabaseCopyStatus | Format-List
Remove a mailbox database copy
8/23/2019 • 2 minutes to read • Edit Online
You can use these procedures to remove a copy of a mailbox database, but you can't use them to remove the last
copy of a mailbox database. For detailed steps about how to remove the last copy of a mailbox database, see
Remove a mailbox database or Remove-MailboxDatabase.
Looking for other management tasks related to mailbox database copies? Check out Manage mailbox database
copies.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
You can use the details in this topic for monitoring mailbox database copies for database availability groups
(DAGs), for gathering diagnostic information, and for configuring the low disk space monitoring threshold.
Get-MailboxDatabaseCopyStatus cmdlet
Use the Get-MailboxDatabaseCopyStatus cmdlet to view status information about mailbox database copies. This
cmdlet enables you to view information about all copies of a particular database, information about a specific
copy of a database on a specific server, or information about all database copies on a server. The following table
describes possible values for the copy status of a mailbox database copy.
Database copy status
Seeding The mailbox database copy is being seeded, the content index
for the mailbox database copy is being seeded, or both are
being seeded. Upon successful completion of seeding, the
copy status should change to Initializing.
Resynchronizing The mailbox database copy and its log files are being
compared with the active copy of the database to check for
any divergence between the two copies. The copy status will
remain in this state until any divergence is detected and
resolved.
Dismounted The active copy is offline and not accepting client connections.
Only the active copy of the mailbox database copy can have a
copy status of Dismounted.
Mounting The active copy is coming online and not yet accepting client
connections. Only the active copy of the mailbox database
copy can have a copy status of Mounting.
The Get-MailboxDatabaseCopyStatus cmdlet also returns details about the in-use replication networks,
including IncomingLogCopyingNetwork, which is returned for passive database copies, and
OutgoingConnections, which is returned for active databases that have more than one copy, as well as any
database copy being used as a source for a database seeding operation. Outgoing connection information is
provided for database copies that are in file mode replication. Outgoing connection information is not provided
for database copies that are in block mode replication.
Get-MailboxDatabaseCopyStatus examples
The following examples use the Get-MailboxDatabaseCopyStatus cmdlet. Each example pipes the results to
the Format-List cmdlet to display the output in list format.
This example returns status information for all copies of the database DB2.
This example returns the status for all database copies on the Mailbox server MBX2.
This example returns the status for all database copies on the local Mailbox server.
For more information about using the Get-MailboxDatabaseCopyStatus cmdlet, see Get-
MailboxDatabaseCopyStatus.
Test-ReplicationHealth cmdlet
You can use the Test-ReplicationHealth cmdlet to view continuous replication status information about mailbox
database copies. This cmdlet can be used to check all aspects of the replication and replay status to provide a
complete overview of a specific Mailbox server in a DAG.
The Test-ReplicationHealth cmdlet is designed for the proactive monitoring of continuous replication and the
continuous replication pipeline, the availability of Active Manager, and the health and status of the underlying
cluster service, quorum, and network components. It can be run locally on or remotely against any Mailbox server
in a DAG. The Test-ReplicationHealth cmdlet performs the tests listed in the following table.
Test-ReplicationHealth cmdlet tests
TasksRpcListener Verifies that the tasks remote procedure call (RPC) server is
running and reachable on the specified DAG member, or if no
DAG member is specified, on the local server.
TEST NAME DESCRIPTION
TcpListener Verifies that the TCP log copy listener is running and
reachable on the specified DAG member, or if no DAG
member is specified, on the local server.
DagMembersUp Verifies that all DAG members are available, running, and
reachable.
FileShareQuorum Verifies that the witness server and witness directory and
share configured for the DAG are reachable.
DatabaseRedundancy Verifies that there is at least one healthy copy available of the
databases on the specified DAG member, or if no DAG
member is specified, on the local server.
DBLogCopyKeepingUp Verifies that log copying and inspection by the passive copies
of databases on the specified DAG member, or if no DAG
member is specified, on the local server, are able to keep up
with log generation activity on the active copy.
DBLogReplayKeepingUp Verifies that replay activity for the passive copies of databases
on the specified DAG member, or if no DAG member is
specified, on the local server, is able to keep up with log
copying and inspection activity.
Test-ReplicationHealth example
This example uses the Test-ReplicationHealth cmdlet to test the health of replication for the Mailbox server
MBX1.
CollectOverMetrics.ps1 script
Exchange Server includes a script called CollectOverMetrics.ps1, which can be found in the Scripts folder.
CollectOverMetrics.ps1 reads DAG member event logs to gather information about database operations (such as
database mounts, moves, and failovers) over a specific time period. For each operation, the script records the
following information:
Identity of the database
Time at which the operation began and ended
Servers on which the database was mounted at the start and finish of the operation
Reason for the operation
Whether the operation was successful, and if the operation failed, the error details
The script writes this information to .csv files with one operation per row. It writes a separate .csv file for each
DAG.
The script supports parameters that allow you to customize the script's behavior and output. For example, the
results can be restricted to a specified subset by using the Database or ReportFilter parameters. Only the
operations that match these filters will be included in the summary HTML report. The available parameters are
listed in the following table.
CollectOverMetrics.ps1 script parameters
PARAMETER DESCRIPTION
DatabaseAvailabilityGroup Specifies the name of the DAG from which you want to collect
metrics. If this parameter is omitted, the DAG of which the
local server is a member will be used. Wildcard characters can
be used to collect information from and report on multiple
DAGs.
StartTime Specifies the duration of the time period to report on. The
script gathers only the events logged during this period. As a
result, the script may capture partial operation records (for
example, only the end of an operation at the start of the
period or vice-versa). If neither StartTime nor EndTime is
specified, the script defaults to the past 24 hours. If only one
parameter is specified, the period will be 24 hours, either
beginning or ending at the specified time.
EndTime Specifies the duration of the time period to report on. The
script gathers only the events logged during this period. As a
result, the script may capture partial operation records (for
example, only the end of an operation at the start of the
period or vice-versa). If neither StartTime nor EndTime is
specified, the script defaults to the past 24 hours If only one
parameter is specified, the period will be 24 hours, either
beginning or ending at the specified time.
GenerateHtmlReport Specifies that the script gather all the information it has
recorded, group the data by the operation type, and then
generate an HTML file that includes statistics for each of these
groups. The report includes the total number of operations in
each group, the number of operations that failed, and
statistics for the time taken within each group. The report
also contains a breakdown of the types of errors that resulted
in failed operations.
SummariseCsvFiles Specifies that the script read the data from existing .csv files
that were previously generated by the script. This data is then
used to generate a summary report similar to the report
generated by the GenerateHtmlReport parameter.
RawOutput Specifies that the script writes the results that would have
been written to .csv files directly to the output stream, as
would happen with write-output. This information can then
be piped to other commands.
IncludedExtendedEvents Specifies that the script collects the events that provide
diagnostic details of times spent mounting databases. This
can be a time-consuming stage if the Application event log
on the servers is large.
MergeCSVFiles Specifies that the script takes all the .csv files containing data
about each operation and merges them into a single .csv file.
CollectOverMetrics.ps1 examples
The following example collects metrics for all databases that match DB* (which includes a wildcard character) in
the DAG DAG1. After the metrics are collected, an HTML report is generated and displayed.
The following examples demonstrate ways that the summary HTML report may be filtered. The first uses the
Database parameter, which takes a list of database names. The summary report then contains data only about
those databases. The next two examples use the ReportFilter option. The last example filters out all the default
databases.
CollectReplicationMetrics.ps1 script
CollectReplicationMetrics.ps1 is another health metric script included in Exchange Server. This script provides an
active form of monitoring because it collects metrics in real time, while the script is running.
CollectReplicationMetrics.ps1 collects data from performance counters related to database replication. The script
gathers counter data from multiple Mailbox servers, writes each server's data to a .csv file, and then reports
various statistics across all of this data (for example, the amount of time each copy was failed or suspended, the
average copy or replay queue length, or the amount of time that copies were outside of their failover criteria).
You can either specify the servers individually, or you can specify entire DAGs. You can either run the script to first
collect the data and then generate the report, or you can run it to just gather the data or to only report on data
that's already been collected. You can specify the frequency at which data should be sampled and the total
duration to gather data.
The data collected from each server is written to a file named CounterData.<ServerName>.
<TimeStamp>.csv. The summary report will be written to a file named HaReplPerfReport.<DAGName>.
<TimeStamp>.csv, or HaReplPerfReport.<TimeStamp>.csv if you didn't run the script with the DagName
parameter.
The script starts Windows PowerShell jobs to collect the data from each server. These jobs run for the full period
in which data is being collected. If you specify a large number of servers, this process can use a considerable
amount of memory. The final stage of the process, when data is processed into a summary report, can also be
quite time consuming for large amounts of data. It's possible to run the collection stage on one computer, and
then copy the data elsewhere for processing.
The CollectReplicationMetrics.ps1 script supports parameters that allow you to customize the script's behavior
and output. The available parameters are listed in the following table.
CollectReplicationMetrics.ps1 script parameters
PARAMETER DESCRIPTION
DagName Specifies the name of the DAG from which you want to collect
metrics. If this parameter is omitted, the DAG of which the
local server is a member will be used.
Mode Specifies the processing stages that the script executes. You
can use the following values:
CollectAndReport : This is the default value. This value
signifies that the script should both collect the data from the
servers and then process them to produce the summary
report.
CollectOnly : This value signifies that the script should just
collect the data and not produce the report.
ProcessOnly : This value signifies that the script should
import data from a set of .csv files and process them to
produce the summary report. The SummariseFiles parameter
is used to provide the script with the list of files to process.
CollectReplicationMetrics.ps1 example
The following example gathers one hour's worth of data from all the servers in the DAG DAG1, sampled at one
minute intervals, and then generates a summary report. In addition, the ReportPath parameter is used, which
causes the script to place all the files in the current directory.
The following example reads the data from all the files matching CounterData* and then generates a summary
report.
Switchovers and failovers are the two forms of outages in Microsoft Exchange Server:
A switchover is a scheduled outage of a database or server that's explicitly initiated by a cmdlet or by the
managed availability system in Exchange Server. Switchovers are typically done to prepare for performing a
maintenance operation. Switchovers involve moving the active mailbox database copy to another server in
the database availability group (DAG ). If no healthy target is found during a switchover, administrators will
receive an error and the mailbox database will remain up, or mounted.
A failover refers to unexpected events that result in the unavailability of services, data, or both. A failover
involves the system automatically recovering from the failure by activating a passive mailbox database copy
to make it the active mailbox database copy. If no healthy target is found during a failover, the mailbox
database will be dismounted.
Exchange Server is specifically designed to handle both switchovers and failovers.
Looking for management tasks related to high availability and site resilience? See Managing high availability and
site resilience.
Switchovers
There are three types of switchovers in Exchange Server:
Database switchovers
Server switchovers
Datacenter switchovers
Database Switchovers
A database switchover is the process by which an individual active database is switched over to another database
copy (a passive copy), and that database copy is made the new active database copy. Database switchovers can
happen both within and across datacenters. A database switchover can be performed by using the Exchange admin
center (EAC ) or the Exchange Management Shell. Regardless of which interface is used, the switchover process is
as follows:
1. The administrator initiates a database switchover to move the current active mailbox database copy to
another server.
2. The client used for the task makes an RPC call to the Microsoft Exchange Replication service on a DAG
member.
3. If the DAG member doesn't hold the Primary Active Manager (PAM ) role, the DAG member refers the task
to the server that holds the PAM role.
4. The task makes an RPC call to the Microsoft Exchange Replication service on the server that holds the PAM
role.
5. The PAM reads and updates the database location information that's stored in the cluster database for the
DAG.
6. The PAM contacts the Microsoft Exchange Replication service on the DAG member whose passive copy is
being activated as the new active mailbox database copy.
7. The Microsoft Exchange Replication service on the target server queries the Microsoft Exchange Replication
services on all other DAG members to determine the best log source for the database copy.
8. The database is dismounted from the current server and the Microsoft Exchange Replication service on the
target server copies the remaining logs to the target server.
9. The Microsoft Exchange Replication service on the target server requests a database mount.
10. The Microsoft Exchange Information Store service on the target server replays the log files and mounts the
database.
11. Any error codes are returned to the Microsoft Exchange Replication service on the target server.
12. The PAM updates the database copy state information in the cluster database for the DAG.
13. Any error codes are returned by the Microsoft Exchange Replication service on the target server to the
Microsoft Exchange Replication service on the PAM.
14. The Microsoft Exchange Replication service on the PAM returns any errors to the administrative interface
where the task was called.
15. Remote PowerShell returns the results of the operation to the calling administrative interface.
For detailed steps about how to perform a database switchover, see Activate a mailbox database copy.
Server Switchovers
A server switchover is the process by which all active databases on a DAG member are activated on one or more
other DAG members. Like database switchovers, a server switchover can occur both within a datacenter and across
datacenters, and it can be initiated by using both the EAC and the Exchange Management Shell. Regardless of
which interface is used, the server switchover process is as follows:
1. The administrator initiates a server switchover to move all current active mailbox database copies to one or
more other servers.
2. The task performs the same steps described earlier in this topic for database switchovers (Steps 2 through 4)
for each of the active databases on the current server.
3. The PAM reads and updates the database location information that's stored in the cluster database for the
DAG.
4. The PAM contacts the Microsoft Exchange Replication service on each DAG member that has a passive copy
being activated.
5. The Microsoft Exchange Replication service on the target servers query the Microsoft Exchange Replication
services on all other DAG members to determine the best log source for the database copy.
6. The database is dismounted from the current server and the Microsoft Exchange Replication service on each
target server copies the remaining logs.
7. The Microsoft Exchange Replication service on each target server requests a database mount.
8. The Microsoft Exchange Information Store service on each target server replays the log files and mounts the
database.
9. Any error codes are returned to the Microsoft Exchange Replication service on the target server.
10. The PAM updates the database copy state information in the cluster database for the DAG.
11. Any error codes are returned by the Microsoft Exchange Replication service on the target server to the
Microsoft Exchange Replication service on the PAM.
12. The Microsoft Exchange Replication service on the PAM returns any errors to the administrative interface
where the task was called.
13. Remote PowerShell returns the results of the operation to the calling administrative interface.
For detailed steps about how to perform a server switchover, see Perform a server switchover.
Datacenter Switchovers
In a site resilient configuration, automatic recovery in response to a site-level failure can occur within a DAG,
allowing the messaging system to remain in a functional state. This configuration requires at least three locations,
as it requires deploying DAG members in two locations and the DAG's witness server in a third location.
If you don't have three locations, or even if you do have three locations but you want to control datacenter-level
recovery actions, you can configure a DAG for manual recovery in the event of a site-level failure. In that event, you
would perform a process called a datacenter switchover. As with many disaster recovery scenarios, prior planning
and preparation for a datacenter switchover can simplify your recovery process and reduce the duration of your
outage. For detailed steps to performing a datacenter switchover, see Datacenter switchovers
Failovers
A failover is an automatic activation process that can occur at the database, server, or datacenter level. Failovers
occur in response to a failure that affects an individual database (for example, an isolated storage loss) an entire
server (for example, a motherboard failure or a loss of power), or an entire site (for example, the loss of all DAG
members in a site).
DAGs and mailbox database copies provide full redundancy and rapid recovery of both the data and the services
that provide access to the data. The following table lists the expected recovery actions for a variety of failures.
Some failures require the administrator to initiate the recovery, and other failures are automatically handled by the
system.
STATE DURING
AUTOMATIC AUTOMATIC STATE DURING REPAIR: REPAIR
DESCRIPTION ACTIVATION REPAIR ACTION REPAIR: ACTIVE PASSIVE ACTIONS COMMENTS
Extensible Possible short Automatic Manual Failed RAID rebuild, There may be
Storage outage. patching of switchover, database and other soft
Engine (ESE) Possible bad page. automatic database copy database
soft database automatic failover, or repair, restore failure codes.
failure: The failover. online repair. and run Doesn't
drives storing recovery then include NTFS
the database page patching, file system
are returning or page block failures.
errors on patching from If failover or
some reads copy. switchover is
(for example, a performed,
-1018 error). host server is
updated.
STATE DURING
AUTOMATIC AUTOMATIC STATE DURING REPAIR: REPAIR
DESCRIPTION ACTIVATION REPAIR ACTION REPAIR: ACTIVE PASSIVE ACTIONS COMMENTS
ESE " semi- Short outage Automatic Dismounted if Failed RAID rebuild An ESE semi-
soft" database during volume/disk can't be may solve the soft write
failure: The automatic rebuilt after recovered. problem. error means
drives storing failover. possible drive Copy and some writes
the database replacement. repair, restore are successful.
are returning and run Doesn't
errors on recovery, or include an
some writes. volume/disk NTFS block
rebuilt after failure.
possible
replacement.
ESE "semi- Short outage Automatic Dismounted if Failed RAID rebuild An ESE semi-
soft" log during volume/disk can't be may solve the soft read/write
failure: The automatic rebuilt after recovered. problem. error means
drives storing failover. possible drive Copy and some
the log data replacement. repair, restore reads/writes
are returning and run are successful.
non- recovery, or If the
recovered volume/disk database fails,
errors on rebuilt after automated
some reads or possible recovery will
writes. replacement. occur before
log data
recovery
processing
starts.
ESE software Short outage None. Dismounted if Failed Fix underlying This failure
error or during can't be resource issue. could be the
resource automatic recovered. surfaced error
exhaustion: failover. of other cases.
An error
where ESE
terminates
instance (for
example,
Event ID
1022,
checkpoint
depth too
deep).
STATE DURING
AUTOMATIC AUTOMATIC STATE DURING REPAIR: REPAIR
DESCRIPTION ACTIVATION REPAIR ACTION REPAIR: ACTIVE PASSIVE ACTIONS COMMENTS
NTFS block Short outage Volume Dismounted if Failed RAID rebuild This is more
failures: The during completely can't be may solve the likely to occur
drives storing automatic rebuilt after recovered. problem. NTFS when RAID
the database failover. possible drive utilities may isn't in use. If
or logs replacement. solve the NTFS this impacts
experiences a problems. the active log
read or write Exchange volume, some
error to an recovery may recent log files
NTFS control be required. will be lost.
structure. Doesn't
include errors
automatically
corrected by
NTFS or its
underlying
software or
hardware
stack.
Microsoft Short outage None. Dismounted. Any Restart the Not applicable.
Exchange during Microsoft
Information automatic Exchange
Store service failover. Information
is stopped or Store service.
paused by an
administrator.
Partial Possible short None. Mounted and Any, but may Restart server, Not applicable.
Microsoft outage during partially be only operating
Exchange automatic functional. partially system, or
Information failover. functional Microsoft
Store service Exchange
failure; some Information
part of the Store service.
Exchange
store stops
functioning,
but it's not
identified as
completely
failed.
Server failure: Short outage Restart Dismounted. Any Restore power, Not applicable.
The server during computer. change
fails for one of automatic operating
the following failover. system
reasons: settings,
Complete change
power failure hardware
Unrecovered settings,
failure of the replace
processor hardware,
chip, restart
motherboard, operating
or backplane system,
Operating service
system stop operating
error system,
Operating service
system stops hardware, or
responding repair
Complete communicatio
communicatio n problems.
n failure
MAPI network Short outage None. Dismounted. Any Fix Not applicable.
communicatio during Communicatio communicatio
n failure: The automatic n continues to n problem by
server is no failover; must be attempted. correcting
longer be lossless. hardware or
available on software
the MAPI issues.
network.
STATE DURING
AUTOMATIC AUTOMATIC STATE DURING REPAIR: REPAIR
DESCRIPTION ACTIVATION REPAIR ACTION REPAIR: ACTIVE PASSIVE ACTIONS COMMENTS
Partial failure Failure not None. Mounted, but Any Fix Network
of one or detected; no possible communicatio experiences
more action. performance n problem by higher than
networks: issues. correcting normal error
Networks hardware or rates.
experience software
high error issues.
rates.
Operating Short outage None. Dismounted. Any Replace drive Not applicable.
system drive during and rebuild
experiences a automatic server or
failure. failover. rebuild
volume by
using RAID.
Operating Short outage None. Dismounted. Any Manually free Not applicable.
system drive during space on the
out of space. automatic volume.
failover.
STATE DURING
AUTOMATIC AUTOMATIC STATE DURING REPAIR: REPAIR
DESCRIPTION ACTIVATION REPAIR ACTION REPAIR: ACTIVE PASSIVE ACTIONS COMMENTS
Drive Short outage None. Dismounted. Any Replace drive Not applicable.
containing during and reinstall
Exchange automatic application or
binaries failover. rebuild
experiences a volume by
volume or using RAID.
drive failure.
Drive Short outage None. Dismounted. Any Manually free Not applicable.
containing the during space on the
Exchange automatic volume.
binaries is out failover.
of space.
Invalid new Short outage None. Dismounted. Failed Remove The disruptive
log detected: during disruptive logs logs shouldn't
The log automatic after replicate.
sequence is failover; determining
disrupted by assume other source.
an existing file. copies don't
have the same
problem.
Continuous Not Discard log. Not Failed Discard invalid Not applicable.
replication applicable. applicable. log; move
detects invalid impacting log
log: Replay stream.
detects an
inappropriate
log during
copy or replay.
Database Failovers
A database failover occurs when a database copy that was active is no longer able to remain active. The following
occurs as part of a database failover:
1. The database failure is detected by the Microsoft Exchange Information Store service.
2. The Microsoft Exchange Information Store service writes failure events to the crimson channel event log.
3. The Active Manager on the server that contains the failed database detects the failure events.
4. The Active Manager requests the database copy status from the other servers that hold a copy of the
database.
5. The other servers return the requested database copy status to the requesting Active Manager.
6. The PAM initiates a move of the active database to another server in the DAG using a best copy selection
algorithm.
7. The PAM updates the database mount location in the cluster database to refer to the selected server.
8. The PAM sends a request to the Active Manager on the selected server to become the database master.
9. The Active Manager on the selected server requests that the Microsoft Exchange Replication service attempt
to copy the last logs from the previous server and set the mountable flag for the database.
10. The Microsoft Exchange Replication service copies the logs from the server that previously had the active
copy of the database.
11. The Active Manager reads the maximum log generation number from the cluster database.
12. The Microsoft Exchange Information Store service mounts the new active database copy.
Server Failovers
A server failover occurs when the DAG member is no longer able to service the MAPI network, or when the
Cluster service on a DAG member is no longer able to contact the remaining DAG members. The following occurs
as part of a server failover:
1. The Cluster service on the PAM sends a notification to the PAM for one of two conditions:
2. Node Down: The server is reachable but is unable to participate in DAG operations.
3. MAPI Network Down: The server can't be contacted over the MAPI network and therefore can't
participate in DAG operations.
4. If the server is reachable, the PAM contacts the Active Manager on the affected server and requests that all
databases be immediately dismounted.
5. For each affected database copy:
6. The PAM requests the database copy status from all servers in the DAG.
7. The PAM receives a response from all reachable and active DAG members.
8. The PAM tries to determine the best log source among all responding servers by querying the most recent
log generation number from each of the responders.
9. Each of the servers responds with the log generation number.
10. The PAM retrieves the current search index catalog status from the cluster database.
11. Based on the log generation number and catalog health of each database copy, the PAM selects the best
copies to activate.
12. The PAM updates the mounted location of the database in the cluster database.
13. The PAM initiates database failover by communicating with the Active Manager on one or more other
servers.
14. The Active Manager on the selected servers requests that the Microsoft Exchange Replication service
attempt to copy the last logs from the previous server and set the mountable flag.
15. When the database is mountable, the Active Manager on the servers mounts the databases.
For more information about Active Manager's best copy selection process, see Active Manager.
Datacenter Failovers
Significant changes have been made since Exchange 2010 regarding site resilience configuration. With namespace
simplification, consolidation of server roles, separation of Client Access services and DAG recovery (in Exchange
Server, the namespace does not need to move with the DAG ), and changes around load balancing, Exchange
Server provides site resilience options like the ability to use a single global namespace. If you have more than two
locations in which to deploy messaging service components, Exchange Server also provides the ability to configure
the messaging service for automatic failover in response to failures that required manual intervention in previous
versions.
Exchange leverages fault tolerance built into the namespace through multiple IP addresses, load balancing, and, if
necessary, the ability to take servers in and out of service. Exchange Server makes it possible to leverage the
clients' ability to cache multiple IP addresses returned from a DNS server in response to a name resolution
request. Clients with the ability to cache multiple IP addresses (which includes almost all HTTP -based clients in
Exchange Server, such as Outlook, Outlook Anywhere, EAS, EWS, Outlook on the web, EAC, RPS, etc.), all have the
ability to use those multiple IP addresses, and this provides failover on the client side. You can configure DNS to
hand multiple IP addresses to a client during name resolution. The client asks for mail.contoso.com and gets back
two IP addresses, or four IP addresses, for example. However many IP addresses the client gets back will be used
reliably by the client. This makes the client a lot better off because if one of the IP addresses fails, the client has one
or more others to try to connect to. If a client tries one and it fails, it waits around 20 seconds and then tries the
next one in the list. Thus, if you lose connectivity to your primary Client Access services (CAS ) array, and you have
a second published IP address for a second CAS array, recovery for the clients happens automatically (and in about
21 seconds).
Modern HTTP clients (operating systems and Web browsers that are ten years old or less) simply work with this
redundancy automatically. The HTTP stack can accept multiple IP addresses for an FQDN, and if the first IP it tries
fails hard (e.g., cannot connect), it will try the next IP in the list. In a soft failure (connect lost after session
established, perhaps due to an intermittent failure in the service where, for example, a device is dropping packets
and needs to be taken out of service), the user might need to refresh their browser.
With the proper configuration, failover can happen at the client level and clients will be automatically redirected to
a second datacenter where Client Access services is running, and the servers that are running Client Access
services will proxy the communication back to the user's Mailbox server, which remains unaffected by the outage
(because you don't do a switchover). Instead of working to recover service, the service recovers itself and you can
focus on fixing the core issue (e.g., replacing a failed load balancer).
Since you can failover the namespace between datacenters, all that is needed to achieve a datacenter failover is a
mechanism for failover of the Mailbox role across datacenters. To get automatic failover for the DAG, you simply
architect a solution where the DAG is evenly split between two datacenters, and then place the witness server in a
third location so that it can be arbitrated by DAG members in either datacenter, regardless of the state of the
network between the datacenters that contain the DAG members. The key is that third location is isolated from
network failures that affect the locations containing the DAG members.
If you only have two datacenters and would like to be able to configure automatic failover, you can utilize Microsoft
Azure as your third location. You will need to create an Azure virtual network and connect it to your two
datacenters using a multi-point VPN. You will then be able to place your witness server on a Microsoft Azure
virtual machine. For more information, see Using a Microsoft Azure VM as a DAG witness server.
Datacenter switchovers
8/23/2019 • 21 minutes to read • Edit Online
In a site resilient configuration, automatic recovery in response to a site-level failure can occur within a DAG,
allowing the messaging system to remain in a functional state. This configuration requires at least three locations,
as it requires deploying DAG members in two locations and the DAG's witness server in a third location.
If you don't have three locations, or even if you do have three locations but you want to control datacenter-level
recovery actions, you can configure a DAG for manual recovery in the event of a site-level failure. In that event,
you would perform a process called a datacenter switchover. As with many disaster recovery scenarios, prior
planning and preparation for a datacenter switchover can simplify your recovery process and reduce the duration
of your outage.
There are four basic steps that you complete to perform a datacenter switchover, after making the initial decision
to activate the second datacenter:
1. Terminate a partially running datacenter: This step involves terminating Exchange services in the
primary datacenter, if any services are still running. This is particularly important for the Mailbox server role
because it uses an active/passive high availability model. If services in a partially failed datacenter aren't
stopped, it's possible for problems from the partially failed datacenter to negatively affect the services
during a switchover back to the primary datacenter.
IMPORTANT
If network or Active Directory infrastructure reliability has been compromised as a result of the primary datacenter
failure, we recommend that all messaging services be off until these dependencies are restored to healthy service.
2. Validate and confirm the prerequisites for the second datacenter: This step can be performed in
parallel with step 1 because validation of the health of the infrastructure in the second datacenter is largely
independent of the first datacenter. Each organization typically requires its own method for performing this
step. For example, you may decide to complete this step by reviewing health information collected and
filtered by an infrastructure monitoring application, or by using a tool that's unique to your organization's
infrastructure. This is a critical step, because you don't want to activate the second datacenter when its
infrastructure is unhealthy and unstable.
3. Activate the Mailbox servers: This step begins the process of activating the second datacenter. This step
can be performed in parallel with step 4 because the Microsoft Exchange services can handle database
outages and recover. Activating the Mailbox servers involves a process of marking the failed servers from
the primary datacenter as unavailable followed by activation of the servers in the second datacenter. The
activation process for Mailbox servers depends on whether the DAG is in database activation coordination
(DAC ) mode. See Datacenter Activation Coordination mode for more information.
If the DAG is in DAC mode, you can use the Exchange site resilience cmdlets to terminate a partially failed
datacenter (if necessary) and activate the Mailbox servers. For example, in DAC mode, this step is
performed by using the Stop-DatabaseAvailabilityGroup cmdlet. In some cases, the servers must be
marked as unavailable twice (once in each datacenter). Next, the Restore-DatabaseAvailabilityGroup cmdlet
is run to restore the remaining members of the database availability group (DAG ) in the second datacenter
by reducing the DAG members to those that are still operational, thereby reestablishing quorum. If the DAG
isn't in DAC mode, you must use the Windows Failover Cluster tools to activate the Mailbox servers. After
either process is complete, the database copies that were previously passive in the second datacenter can
become active and be mounted. At this point, Mailbox server recovery is complete.
4. Activate Client Access services: This involves using the URL mapping information and the Domain
Name System (DNS ) change methodology to perform all required DNS updates. The mapping information
describes what DNS changes to perform. The amount of time required to complete the update depends on
the methodology used and the Time to Live (TTL ) settings on the DNS record (and whether the
deployment's infrastructure honors the TTL ).
Users should start to have access to messaging services sometime after steps 3 and 4 are completed. Steps 3 and
4 are described in greater detail later in this topic.
2. The DAG members in the second datacenter must now be restarted and then used to complete the eviction
process from the second datacenter. Stop the Cluster service on each DAG member in the second
datacenter by running the following command on each member:
net stop clussvc
3. On a DAG member in the second datacenter, force a quorum start of the Cluster service by running the
following command:
4. Open the Failover Cluster Management tool and connect to the DAG's underlying cluster. Expand the
cluster, and then expand Nodes. Right-click each node in the primary datacenter, select More Actions, and
then select Evict. When you're done evicting the DAG members in the primary datacenter, close the Failover
Cluster Management tool.
If any Unified Messaging services are in use in the failed datacenter, they must be disabled to prevent call routing
to the failed datacenter. You can disable Unified Messaging services by using the Disable-UMService cmdlet (for
example, Disable-UMService EX1 ). Alternatively, if you're using a Voice over IP (VoIP ) gateway, you can also
remove the server entries from the VoIP gateway, or change the DNS records for the failed servers to point to the
IP address of the servers in the second datacenter if your VoIP gateway is configured to route calls using DNS.
NOTE
Unified Messaging is not available in Exchange 2019
3. If there's an even number of DAG members, reconfigure the witness server and directory by running the
following command in the Exchange Management Shell:
4. Start the Cluster service on any remaining DAG members in the second datacenter by running the
following command:
5. Perform server switchovers to activate the mailbox databases in the DAG by running the following
command for each DAG member:
6. Mount the mailbox databases on each DAG member in the second site by running the following command:
Clients starting or restarting will perform a DNS lookup on startup and will get the new IP address for the
service endpoint, which will be an Exchange server running Client Access services, or a Client Access
services array, in the second datacenter.
Assuming that all appropriate configuration changes have been completed to define and configure the services in
the second datacenter to function as they were in the primary datacenter, and assuming that the established DNS
configuration is correct, no further changes should be needed to activate Client Access services.
Activating Transport services
Clients and other servers that submit messages typically identify those servers using DNS. Activating transport
services in the second datacenter involves changing DNS records to point to the IP addresses of the Mailbox
servers in the second datacenter. Clients and sending servers will then automatically connect to the servers in the
second datacenter in one of two ways:
Clients will continue to try to connect, and should automatically connect after the TTL has expired for the
original DNS entry, and after the entry is expired from the client's DNS cache. Users can also run the
ipconfig /flushdns command from a command prompt to manually clear their DNS cache.
Clients starting or restarting will perform a DNS lookup on startup and will get the new IP address for the
SMTP endpoint, which will be a Mailbox server in the second datacenter.
Assuming that all appropriate configuration changes have been completed to define and configure the services in
the second datacenter to function as they were in the primary datacenter, and assuming that the established DNS
configuration is correct, no further changes should be needed to activate transport services.
Activating Unified Messaging services in Exchange 2016
NOTE
Unified Messaging is not available in Exchange 2019.
Unified Messaging (UM ) services in Exchange 2016 connect to an organization's PBX system and phone lines. The
logical connection between the PBX system and the Unified Messaging service is provided by an IP gateway. IP
gateways include high availability functionality and are able to switch between multiple Unified Messaging
services when a failure is detected.
If there are Unified Messaging services in the second datacenter that were in a disabled state because they are
dedicated to the site resilience solution, they can be enabled by using the Enable-UMService cmdlet (for example,
Enable-UMService EX4 ).
Assuming the IP gateways are associated with Unified Messaging services by using DNS servers, activating
Unified Messaging services therefore involves changing DNS records to point to the new IP addresses that will be
configured for the Unified Messaging service in the second datacenter. Assuming that all appropriate
configuration changes have been completed to define and configure the services in the second datacenter to
function as they were in the primary datacenter, and assuming that the established DNS configuration is correct,
no further changes should be needed to activate Unified Messaging services.
If the IP gateway in use doesn't support the use of DNS names to resolve the Unified Messaging services,
additional configuration steps will be necessary to manually point the IP gateway to the IP addresses of the
Unified Messaging services in the second datacenter.
Activating Edge Transport Servers
The steps to activate the Edge Transport server role will vary, depending on the specific configuration. Edge
Transport servers in two datacenters can be configured in either an active/passive or an active/active configuration.
In an active/passive configuration, the Edge Transport server in the second datacenter is idle until the second
datacenter is activated. In an active/active configuration, Edge Transport servers in both datacenters are delivering
mail at all times.
In an active/active configuration, no steps are necessary to activate the second datacenter's Edge Transport servers
because they are already running. In an active/passive configuration, the DNS MX resource record for each SMTP
domain needs to be updated as part of the switchover from the primary datacenter to the standby datacenter.
Although the active/active configuration provides a simple datacenter switchover solution, it has the drawback of
requiring careful load monitoring to make sure that after the datacenter switchover, the Edge Transport servers in
the second datacenter can provide sufficient capacity to support the increased load now flowing through it, as a
result of the Edge Transport servers in the primary datacenter being unavailable.
Even with an active/active configuration, it may be appropriate to update the MX resource records for your Edge
Transport servers during a datacenter switchover. Allowing the MX resource record for the failed datacenter to
continue to point at the failed datacenter means that when the datacenter starts recovering, it could start
experiencing connection attempts to its Edge Transport servers. This could happen while the Edge Transport
services are in an unstable state (for example, because dependent services in the datacenter are being restored).
Assuming the DNS records are under the control of the organization, activating Edge Transport servers involves
updating the MX resource record for each SMTP domain hosted by the server.
NOTE
If the MX resource record used by your organization isn't hosted by a DNS server under your organization's control, you
might consider referencing a CNAME record in the MX resource record and using a CNAME record under the organization's
control that can then be updated.
DNS updates enable incoming traffic, and outgoing traffic is handled by the activation of the mailbox databases in
a site that has functioning Edge Transport servers:
When incoming SMTP connections are initiated using the updated name resolution information, SMTP
clients will connect to the Edge Transport servers in the second datacenter. Traffic will be appropriately
routed by the Edge Transport server, and no further changes are required.
When outgoing SMTP connections are initiated, they will try the locally available Edge Transport server, and
those messages will be queued or immediately sent based on the status of the receiving server.
NOTE
This process doesn't require that all databases be moved at the same time. You are encouraged to move the majority
of your organization's databases at one time, but some databases many linger in the second datacenter if there are
issues associated with the database copies in the primary datacenter.
3. After a majority of the databases are in a healthy state in the primary datacenter, the switchback outage can
be scheduled. When the scheduled time arrives, the following steps must be taken:
a. During the datacenter switchover process, the DAG was configured to use an alternate witness
server. The DAG must be reconfigured to use a witness server in the primary datacenter. If you're
using the same witness server and witness directory that was used prior to the primary datacenter
outage, you can run the Set-DatabaseAvailabilityGroup -Identity DAGName command. If you plan on
using a witness server or witness directory that is different from the original witness server and
directory, use the Set-DatabaseAvailabilityGroup command to configure the witness server and
witness directory parameters with the appropriate values.
b. The databases being reactivated in the primary datacenter should be dismounted in the second
datacenter. You can use the Dismount-Database cmdlet to dismount the databases.
c. After the databases have been dismounted, the URLs of the servers running Client Access services
should be moved from the second datacenter to the primary datacenter. This is accomplished by
changing the DNS record for the URLs to point to the Client Access services server or array in the
primary datacenter. This will result in the system acting as though a database failover has occurred
for each database being moved.
IMPORTANT
Don't proceed to the next step until the URLs for the servers running Client Access services have been moved and
the DNS TTL and cache entries have expired. Activating the databases in the primary datacenter prior to moving the
URLs to the primary datacenter will result in an invalid configuration (for example, a mounted database that has no
Client Access services running in its Active Directory site).
4. Because each database in the primary datacenter is in a healthy state, it can be activated in the primary
datacenter by performing database switchovers. This is accomplished by using the Move-
ActiveMailboxDatabase cmdlet for each database that will be activated.
5. After each database is moved to the primary datacenter, it can be mounted by using the Mount-Database
cmdlet.
After one or more databases are active and mounted in the primary datacenter, switchback procedures for the
other server roles can be performed.
Client Access services switchback
As part of the switchover process, the internal and external DNS records used by clients, other servers, and IP
gateways to resolve the service endpoints for Client Access services, Transport and Unified Messaging services,
and Edge Transport servers were modified to point to the corresponding endpoints in the second datacenter. The
switchback process for the other server roles involves modifying those records to point to the restored service
endpoints in the primary datacenter.
As with the DNS changes that were made during the switchover to the second datacenter, clients, servers, and IP
gateways will continue to try to connect, and should automatically connect after the TTL has expired for the
original DNS entry, and after the entry is expired from their DNS cache.
A server switchover is part of preparing for a scheduled outage for the current Mailbox server.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example performs a server switchover of the Mailbox server MBX4. When the command completes, MBX5
hosts the active copy of the databases that were previously active on MBX4.
Data protection planning is a complex process that relies on many decisions that you make during the planning
phase of your deployment. As part of your planning, it's important that you understand the ways in which data can
be protected, and to determine which method best suits your organization's needs.
Traditionally, backups have been used for the following scenarios:
Disaster recovery: In the event of a hardware or software failure, multiple database copies in a DAG enable
high availability with fast failover and little or no data loss. This eliminates downtime and the resulting lost
productivity that's a significant cost of recovering from a past point-in-time backup to disk or tape. DAGs
can be extended to multiple sites and can provide resilience against disk, server, network, and datacenter
failures.
Recovery of accidentally deleted items: Historically, in a situation where a user deleted items that later
needed to be recovered, it involved finding the backup media on which the data that needed to be recovered
was stored, and then somehow obtaining the desired items and providing them to the user. With the
Recoverable Items folder in Exchange 2016 and Exchange 2019, and the Hold Policy that can be applied to
it, it's possible to retain all deleted and modified data for a specified period of time, so recovery of these
items is easier and faster. This reduces the burden on Exchange administrators and the IT help desk by
enabling end users to recover accidentally deleted items themselves, thereby reducing the complexity and
administrative costs associated with single item recovery. For more information, see Messaging policy and
compliance in Exchange Server and Data loss prevention in Exchange Server.
Long-term data storage: Backups have also been used as an archive, and typically tape is used to preserve
point-in-time snapshots of data for extended periods of time as governed by compliance requirements. The
new archiving, multiple-mailbox search, and message retention features in Exchange Server provide a
mechanism to efficiently preserve data in an end-user accessible manner for extended periods of time. This
eliminates expensive restores from tape, and increases productivity. For more information, see In-Place
Archiving in Exchange Server, In-Place eDiscovery in Exchange Server, and In-Place Hold and Litigation
Hold in Exchange Server.
Point-in-time database snapshot: If a past point-in-time copy of mailbox data is a requirement for your
organization, Exchange provides the ability to create a lagged database copy in a DAG environment. This
can be useful in the rare event that store logical corruption replicates to multiple database copies in the
DAG, resulting in a need to return to a previous point in time. It may also be useful if an administrator
accidentally deletes mailboxes or user data. Recovery from a lagged copy can be faster than restoring from a
backup because lagged copies don't require a time-consuming copy process from the backup server to the
Exchange server. This can significantly lower total cost of ownership by reducing downtime.
Because there are native Exchange Server features that meet each of these scenarios in an efficient and cost
effective manner, you may be able to reduce or eliminate the use of traditional backups in your environment.
Recovery Database
A recovery database is a special kind of mailbox database that allows you to mount a restored mailbox database
and extract data from the restored database as part of a recovery operation. You can use the New -
MailboxRestoreRequest cmdlet to extract data from a recovery database. After extraction, the data can be exported
to a folder or merged into an existing mailbox. Recovery databases enable you to recover data from a backup or
copy of a database without disturbing user access to current data.
Using a recovery database for a Mailbox database from any previous version of Exchange isn't supported. In
addition, the target mailbox used for data merges and extraction must be in the same Active Directory forest as the
database mounted in the recovery database.
For more information, see Recovery databases. For detailed steps about how to create a recovery database, see
Create a recovery database. For detailed steps about how to use a recovery database, see Restore data using a
recovery database.
Database Portability
Database portability is a feature that enables an Exchange mailbox database to be moved to and mounted on any
other Exchange Mailbox server in the same organization. By using database portability, reliability is improved by
removing several error-prone, manual steps from the recovery processes. In addition, database portability reduces
the overall recovery times for various failure scenarios.
For more information, see Database Portability. For detailed steps to use database portability, see Move a mailbox
database using database portability.
Microsoft's preferred architecture for Exchange Server leverages a concept known as Exchange Native Data
Protection. Exchange Native Data Protection relies on native Exchange features to protect your mailbox data,
without the use of traditional backups. But if you want to create backups, Exchange includes a plug-in for Windows
Server Backup (WSB ) that enables you to create Exchange-aware Volume Shadow Copy Service (VSS )-based
backups of Exchange data. To take Exchange-aware backups, you must have the WSB feature installed.
The plug-in, WSBExchange.exe, runs as a service named Microsoft Exchange Server Extension for Windows
Server Backup (the short name for this service is WSBExchange). This service is automatically installed and
configured for manual startup on all Mailbox servers. The plug-in enables WSB to create Exchange-aware VSS
backups.
Before using WSB to back up Exchange data, we recommend that you familiarize yourself with the following
features and options for the plug-in:
Backups taken with WSB occur at the volume level, and the only way to perform an application-level
backup or restore is to select an entire volume. To back up a database and its log stream, you must back up
the entire volume containing the database and logs, not just the individual folders. You can't back up any
data without backing up the entire volume containing the data.
The backup must be run locally on the server being backed up, and you can't use the plug-in to take remote
VSS backups. There is no remote administration of WSB or the plug-in. You can, however, use Remote
Desktop Services or Terminal Services to remotely manage backups.
The backup can be created on a local drive or on a remote network share.
Only full backups should be taken. Log truncation will occur only after a successful completion of a VSS full
backup of a volume or folders containing an Exchange database.
When restoring data, it's possible to restore only Exchange data. This data can be restored to its original
location or to an alternate location. If you restore the data to its original location, WSB and the plug-in
automatically handle the recovery process, including dismounting any existing database and replaying logs
into the restored database.
The restore process doesn't support the Exchange recovery database (RDB ). If you want to use an RDB, you
must restore the data to an alternate location and then manually copy or move the restored data from that
location into the RDB folder structure.
When restoring Exchange data, all backed up databases must be restored together. You can't restore a single
database.
Bare metal restores are supported when using WSB; however, the recommended recovery approach for
Exchange servers is to recover the Exchange server and then restore the data. If you're using a third-party
backup application (e.g., non-Microsoft), then support for bare metal restores of Exchange may be available
from your backup application vendor.
The following table describes the supportability of the backup and recovery options available for Exchange Server
with WSB.
IF YOU... THEN...
Back up the full server... A VSS copy backup will be performed, and the transaction logs
for the databases on the server will not be truncated.
Perform a custom backup and select one or more volumes to A VSS full backup can be selected, allowing the transaction
back up... logs for the databases on the selected volumes to be
truncated at the completion of a successful backup.
Perform a custom backup and select one or more folders to A VSS full backup can be selected and the log files will be
back up... truncated; however, restoration of the backup will be limited
to file restore, as an Application level restore will not be
available as an option.
For detailed steps to back up Exchange using WSB, see Use Windows Server Backup to back up Exchange.
For detailed steps to restore data from a backup taken with WSB, see Use Windows Server Backup to restore a
backup of Exchange.
Use Windows Server Backup to back up Exchange
8/23/2019 • 3 minutes to read • Edit Online
You can use Windows Server Backup to back up and restore Exchange databases. Exchange includes a plug-in for
Windows Server Backup that allows you to make Volume Shadow Copy Service (VSS )-based backups of
Exchange data.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
NOTE
Choose volumes and not individual folders. The only way to perform an application-level backup or restore is to
select an entire volume.
7. Click Advanced Settings. On the Exclusions tab, click Add Exclusion to add any files or file types you
want to exclude from the backup.
NOTE
By default, volumes that contain operating system components or applications are included in the backup and can't
be excluded.
8. On the VSS Settings tab, select VSS full Backup, and then click OK, and then click Next.
9. On the Specify Destination Type page, select the location where you want to store the backup, and then
click Next.
If you choose Local drives, the Select Backup Destination page appears. Select an option from
the Backup destination dropdown, and then click Next.
If you choose Remote shared folder, the Specify remote folder page appears. Specify a UNC
path for the backup files, configure access control settings. Choose Do not inherit if you want the
backup to be accessible only through a specific account. Provide a user name and password for an
account that has write permissions on the computer hosting the remote folder, and then click OK.
Alternatively, choose Inherit if you want the backup to be accessible by everyone who has access to
the remote folder. Click Next.
10. On the Confirmation page, review the backup settings, and then click Backup.
11. On the Backup Progress page, you can view the status and progress of the backup operation.
12. Click Close to exit the Backup Progress page at any time. Any backup in progress will continue to run in
the background.
The SnapshotLastFullBackup and LastFullBackup properties of the database indicate when the last
successful backup was taken, and if it was a VSS full backup.
Use Windows Server Backup to restore a backup of
Exchange
8/23/2019 • 3 minutes to read • Edit Online
You can use Windows Server Backup to back up and restore Exchange databases. Exchange includes a plug-in for
Windows Server Backup that allows you to make and restore Volume Shadow Copy Service (VSS )-based backups
of Exchange data. For additional information, see Using Windows Server Backup to back up and restore Exchange
data.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
7. On the Select Application page, verify that Exchange is selected in the Applications field. Click View
Details to view the application components of the backups. If the backup that you're recovering is the most
recent, the Do not perform a roll-forward recovery of the application database check box is
displayed. Select this check box if you want to prevent Windows Server Backup from rolling forward the
database being recovered by committing all uncommitted transaction logs. Click Next.
8. On the Specify Recovery Options page, specify where you want to recover the data, and then click Next:
Choose Recover to original location if you want to restore the Exchange data directly to its original
location. If you use this option, you can't choose which databases are restored; all backed up
databases on the volume will be restored to their original locations.
Choose Recover to another location if you want to restore individual databases and their files to a
specified location. Click Browse to specify the alternate location. If you use this option, you can
choose which databases are restored. After being restored, the data files can then be moved into a
recovery database, manually moved back to their original location, or mounted somewhere else in
the Exchange organization using Database Portability. When you restore a database to an alternate
location, the restored database will be in a dirty shutdown state. After the restore process has
completed, you will need to manually put the database into a clean shutdown state using Eseutil.exe.
9. On the Confirmation page, review the recovery settings, and then click Recover.
10. On the Recovery Progress page, you can view the status and progress of the recovery operation.
11. Click Close when the recovery operation has completed.
You can recover a lost Exchange server by using the /Mode:RecoverServer switch in unattended mode (from the
command line) of Exchange Setup. Since most Exchange server settings are stored in Active Directory, the
Setup.exe /Mode:RecoverServer command uses that information during the installation of Exchange on a new
server with the same name.
Recovering a lost Exchange server is often accomplished by using new hardware. However, you can also use an
existing server that doesn't already have Exchange installed on it.
This topic shows you how to recover a lost Exchange server that isn't a member of a database availability group
(DAG ). For detailed steps about how to recover a server that was a member of a DAG, see Recover a database
availability group member server.
Looking for other management tasks related to backing up and restoring data? Check out Backup, Restore, and
Disaster Recovery.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
This example uses the Exchange installation files on drive E: to install Exchange in the default location
(%ProgramFiles%\Microsoft\Exchange Server\V15) and recover the Exchange server.
This is the same example, but a custom location for the Exchange program files is required to match the
location on the lost server.
For more information about the optional switches, see Use unattended mode in Exchange Setup.
8. After Setup has completed, but before you put the recovered server into production, reconfigure any
custom settings that were previously present on the server, and then restart the server.
How do you know this worked?
The successful completion of Setup will be the primary indicator that the recovery was successful. To further verify
that you've successfully recovered a lost server, open the Windows Services tool (services.msc) and verify that the
Microsoft Exchange services have been installed and are running.
Possible issues with the Scripting Agent
If you previously enabled the Scripting Agent in your Exchange organization, the recovery process might fail. The
error will look like this:
"Initialization failed: '"Scripting Agent initialization failed: "File is not found: 'C:\Program
Files\Microsoft\Exchange Server\V15\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'.""' --->
Microsoft.Exchange.Provisioning.ProvisioningException: "Scripting Agent initialization failed: "File is not
found: 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'.""
---> System.IO.FileNotFoundException: "File is not found: 'C:\Program Files\Microsoft\Exchange
Server\V15\Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml'."
If you have other Exchange servers in your organization, you'll need to:
1. Disable the Scripting Agent in the Exchange Management Shell on an existing server:
If the recovered Exchange server is the only Exchange server in your organization, you'll need to:
1. Rename the file %ExchangeInstallPath%Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml.sample to
%ExchangeInstallPath%Bin\CmdletExtensionAgents\ScriptingAgentConfig.xml.
The default value of %ExchangeInstallationPath% is %ProgramFiles%\Microsoft\Exchange Server\V15, but
the actual value is wherever you installed Exchange on the server.
2. Re-run Exchange Setup in recovery mode as described earlier in this topic.
Recover a database availability group member server
8/23/2019 • 3 minutes to read • Edit Online
If a Mailbox server that's a member of a database availability group (DAG ) is lost or fails, and is unrecoverable and
needs replacement, you can perform a server recovery operation.
Microsoft Exchange Server Setup includes the switch /m:RecoverServer that can be used to perform the server
recovery operation. Running Setup with the /m:RecoverServer switch causes Setup to read the server's
configuration information from Active Directory for a server with the same name as the server from which you're
running Setup.
After the server's configuration information is gathered from Active Directory, the original Exchange files and
services are then installed on the server, and the roles and settings that were stored in Active Directory are then
applied to the server.
Looking for other management tasks related to DAGs? Check out Manage database availability groups.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. Remove any mailbox database copies that exist on the server being recovered by using the Remove-
MailboxDatabaseCopy cmdlet:
Remove-MailboxDatabaseCopy DB1\MBX1
3. Remove the failed server's configuration from the DAG by using the Remove-
DatabaseAvailabilityGroupServer cmdlet:
NOTE
If the DAG member being removed is offline and can't be brought online, you must add the -ConfigurationOnly
parameter to the preceding command. If you use the -ConfigurationOnly switch, you must also manually evict the
node from the cluster.
4. Reset the server's computer account in Active Directory. For detailed steps, see Reset a Computer Account.
5. Open a Command Prompt window. Using the original Setup media, run the following command:
Setup /m:RecoverServer
6. When the Setup recovery process is complete, add the recovered server to the DAG by using the Add-
DatabaseAvailabilityGroupServer cmdlet:
7. After the server has been added back to the DAG, you can reconfigure mailbox database copies by using the
Add-MailboxDatabaseCopy cmdlet. If any of the database copies being added previously had replay lag or
truncation lag times greater than 0, you can use the ReplayLagTime and TruncationLagTime parameters of
the Add-MailboxDatabaseCopy cmdlet to reconfigure those settings:
Test-ReplicationHealth <ServerName>
Get-MailboxDatabaseCopyStatus -Server <ServerName>
All of the replication health tests should pass successfully, and the status of databases and their content
indexes should be healthy.
Recovery databases
8/23/2019 • 4 minutes to read • Edit Online
A recovery database (RDB ) is a special kind of mailbox database that allows you to mount a restored mailbox
database and extract data from the restored database as part of a recovery operation. You can use the New -
MailboxRestoreRequest cmdlet to extract data from an RDB. After extraction, the data can be exported to a folder
or merged into an existing mailbox. RDBs enable you to recover data from a backup or copy of a database without
disturbing user access to current data.
Microsoft Exchange Server supports the ability to restore data directly to a recovery database. Mounting the
recovered data as a recovery database allows the administrator to restore individual mailboxes or individual items
in a mailbox. Restoring to a recovery database can be accomplished in two ways:
If a recovery database already exists, the application can dismount the database, restore the data onto the
recovery database and log files, and then remount the database.
The database and log files can be restored to any disk location. Exchange analyzes the restored data and
replays the transaction logs to bring the databases up to date, and then a recovery database can be
configured to point to already recovered database files.
NOTE
Folder access control lists (ACLs) aren't preserved when recovering content into an active mailbox. Because the recovery
process typically involves recovering mailbox data and merging the content back into the original database, there should be
no need to recover or copy ACLs.
An RDB is designed for mailbox database recovery under the following conditions and scenarios:
The logical information about the original database and the mailboxes in that database remains intact and
unchanged in Active Directory.
You need to recover a single mailbox or a single database. Recovery scenarios include:
Recovering or repairing a database while a dial tone database is in use, with the goal of merging the
two databases.
Recovering a database on a server other than the original server for that database. If needed, you can
then merge the recovered data back to the original server.
Recovering deleted items that users previously deleted from their mailbox, after the deleted item
retention period has expired.
RDBs are generally not designed for scenarios in which you have to restore entire servers, when you have to
restore multiple databases, or when you're in an emergency situation that requires changing or rebuilding your
Active Directory topology.
For detailed steps about how to create an RDB, see Create a recovery database. For detailed steps about how to
use an RDB, see Restore data using a recovery database.
Create a recovery database
8/23/2019 • 2 minutes to read • Edit Online
You can use the Exchange Management Shell to create a recovery database, a special kind of mailbox database
that's used to mount and extract data from the restored database as part of a recovery operation. After you create
a recovery database, you can move a recovered or restored mailbox database into the recovery database, and then
use the New -MailboxRestoreRequest cmdlet to extract data from the recovered database. After extraction, the data
can then be exported to a folder or merged into an existing mailbox. Using recovery databases, you can recover
data from a backup or copy of a database without disrupting user access to current data.
Looking for other management tasks related to recovery databases? Check out Recovery databases.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection..
This example creates the recovery database RDB2 on the Mailbox server MBX1 using a custom path for the
database file and log folder.
A recovery database (RDB ) is a special kind of mailbox database that allows you to mount and extract data from a
restored mailbox database as part of a recovery operation. RDBs allow you to recover data from a backup or copy
of a database without disrupting user access to current data.
After you create an RDB, you can restore a mailbox database into the RDB by using a backup application or by
copying a database and its log files into the RDB folder structure. Then you can use the New -
MailboxRestoreRequest cmdlet to extract data from the recovered database. Once extracted, the data can then be
exported to a folder or merged into an existing mailbox.
For additional management tasks related to RDBs, see Recovery databases.
The following example illustrates a log generation prefix of E01 and a recovery database and log file path of
E:\Databases\RDB1:
3. Create a recovery database. Give the recovery database a unique name, but use the name and path of the
database file for the EdbFilePath parameter, and the location of the recovered log files for the
LogFolderPath parameter.
The following example illustrates creating a recovery database that will be used to recover DB1.edb and its
log files, which are located at E:\Databases\RDB1.
Restart-Service MSExchangeIS
Mount-database <RDBName>
6. Verify that the mounted database contains the mailbox(es) you want to restore:
7. Use the New -MailboxRestoreRequest cmdlet to restore a mailbox or items from the recovery database to a
production mailbox.
The following example restores the source mailbox that has the MailboxGUID 1d20855f-fd54-4681-98e6-
e249f7326ddd on mailbox database DB1 to the target mailbox with the alias Morris.
The following example restores the content of the source mailbox that has the display name Morris Cornejo
on mailbox database DB1 to the archive mailbox for Morris@contoso.com.
8. Periodically check the status of the Mailbox restore request using Get-MailboxRestoreRequest.
Once the restore has a status of Completed, remove the restore request using Remove-
MailboxRestoreRequest. For example:
Database portability can help reduce overall recovery times for some failure scenarios. By using database
portability, reliability is improved by removing several error-prone, manual steps from the recovery processes.
Note that Mailbox databases from previous versions of Exchange can't be moved to a Mailbox server running
Exchange 2016 or Exchange 2019.
NOTE
When using database portability to recover a mailbox database, the operating system version and the Exchange Server
version on the source and target Exchange servers must be the same. For example, if an Exchange 2016 mailbox database
was previously mounted on a server running Windows Server 2016, database portability will only work when migrating the
database to a server also running Windows Server 2016 and Exchange 2016.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
When you perform a soft recovery, any uncommitted log files are committed to the database. If you don't have all of
the required log files, you can't complete the soft recovery process. Proceed to step 2.
To commit all uncommitted log files to the database, from a command prompt, run the following command.
ESEUTIL /R <Enn>
NOTE
<E nn> specifies the log file prefix for the database into which you intend to replay the log files. The log file prefix
specified by <E nn> is a required parameter for Eseutil /r.
3. Set the This database can be over written by restore attribute using the following syntax:
4. Move the original database files (.edb file, log files, and Exchange Search catalog) to the database folder you
specified when you created the new database above.
5. Mount the database using the following syntax:
Mount-Database <DatabaseName>
6. After the database is mounted, modify the user account settings with the Set-Mailbox cmdlet so that the
account points to the mailbox on the new mailbox server. To move all of the users from the old database to
the new database, use the following syntax.
7. Trigger delivery of any messages remaining in queues using the following syntax.
After Active Directory replication is complete, all users can access their mailboxes on the new Exchange server.
Most clients are redirected via Autodiscover. Outlook on the web users are also automatically redirected.
Dial tone portability is a feature of Exchange Server 2016 and Exchange Server 2019 that provides a limited
business continuity solution for failures that affect a mailbox database, a server, or an entire site. A temporary
mailbox maintains users' ability to send email, and this mailbox can be on the same Exchange Mailbox server or on
any other Exchange Mailbox server in your organization, provided they contain databases with the same database
schema version. This allows an alternative server to host the mailboxes of users who were previously on a server
that is no longer available. Clients that support Autodiscover are automatically redirected to the new server
without having to manually update the user's desktop profile. After the user's original mailbox data has been
restored, an administrator can merge a user's recovered mailbox and the user's dial tone mailbox into a single, up-
to-date mailbox.
The process for using dial tone portability is called a dial tone recovery. A dial tone recovery involves creating an
empty database on a Mailbox server to replace a failed database. This empty database, referred to as a dial tone
database, allows users to send and receive email messages while the failed database is recovered.
There are three options for performing a dial tone recovery:
Dial tone recovery on the server with the failed database: If the server hosting the failed database is
still functional, we recommend that you perform a dial tone recovery on that server. This means less
downtime because you don't need to move database files between servers. In addition, you won't need to
reconfigure messaging profiles for clients that don't support Autodiscover.
Dial tone recovery using an alternate server for the dial tone database: If a server fails and needs to
be rebuilt, the most efficient way to give users basic mail functionality is to create a dial tone database on
another server, and use database portability to move the users' mailbox configuration to that new server.
Because this process involves moving the dial tone database back to the original (recovered) server, this
option adds more time to the overall recovery process. In addition, this process is more complex than
performing a dial tone recovery on the original server. When performing this process, the server hosting
the dial tone database must have sufficient resources to support the added load of the additional users. In
addition, if the users' client doesn't support Autodiscover, their messaging profile will need to be
reconfigured to point to the dial tone server.
Dial tone recovery using and staying on an alternate server for the dial tone database: This is
similar to the preceding option, except that you don't revert back to the original server. We recommend this
option for situations in which it isn't possible or feasible to recover the failed server. In this scenario, users
typically remain on an alternate server after the recovery operation has completed. When performing this
process, the server hosting the dial tone database must have sufficient resources to support the added load
of the additional users. In addition, if the users' client doesn't support Autodiscover, their messaging profile
will need to be reconfigured to point to the dial tone server.
All three options follow the same basic steps:
1. Create an empty dial tone database to replace the failed database.
This new database will allow users who had mailboxes on the failed database to send and receive new
messages. Dial tone portability allows you to point a user to a different database without moving the
mailbox. If you created the dial tone database on a different server than the server that housed the failed
database, you need to move the mailbox configuration to that new server.
2. Restore the old database.
Use the backup and recovery software you typically use to restore the failed database. If there is no backup
of the failed database, recover the failed database using other means if possible. If you're using the same
server for dial tone recovery, you need to restore the database to a recovery database (RDB ).
3. Swap the dial tone database with the restored database.
After the failed database is restored, swap it with the dial tone database. This gives the users the ability to
send and receive email and access all the data in the restored database. If users were moved to a dial tone
database on another server, you need to move the mailbox configuration back to the original server.
4. Merge the databases.
To get the data from the dial tone database into the restored database, you merge the data using the New -
MailboxRestoreRequest cmdlet.
For detailed steps about how to perform a dial tone recovery, see Perform a dial tone recovery.
Perform a dial tone recovery
8/23/2019 • 3 minutes to read • Edit Online
The process for using dial tone portability is called a dial tone recovery, which involves creating an empty database
on a Mailbox server to replace a failed database. To learn more, see Dial tone portability.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
1. Make sure that any existing files for the database being recovered are preserved in case they're needed later
for further recovery operations.
2. Use the New -MailboxDatabase cmdlet to create a dial tone database, as shown in this example.
3. Use the Set-Mailbox cmdlet to rehome the user mailboxes hosted on the database being recovered, as
shown in this example.
4. Use the Mount-Database cmdlet to mount the database so client computers can access the database and
send and receive messages, as shown in this example.
Mount-Database -Identity DTDB1
5. Create a recovery database (RDB ) and restore or copy the database and log files containing the data you
want to recover into the RDB. For detailed steps, see Create a recovery database.
6. After the data is copied to the RDB, but before mounting the restored database, copy any log files from the
failed database to the recovery database log folder so they can be played against the restored database.
7. Mount the RDB, and then use the Dismount-Database cmdlet to dismount it, as shown in this example.
8. After the RDB is dismounted, move the current database and log files within the RDB folder to a safe
location. This is done in preparation for swapping the recovered database with the dial tone database.
9. Dismount the dial tone database, as shown in this example. Note that your end users will experience an
interruption in service when you dismount this database.
10. Move the database and log files from the dial tone database folder into the RDB folder.
11. Move the database and log files from the safe location containing the recovered database into the dial tone
database folder, and then mount the database, as shown in this example.
This ends the service interruption for your end users. They will be able to access their original production
database and send and receive messages.
12. Mount the RDB, as shown in this example.
13. Use the Get-Mailbox and New -MailboxRestoreRequest cmdlets to export the data from the RDB and
import it into the recovered database, as shown in this example. This will import all the messages sent and
received using the dial tone database into the production database.
14. After the restore operation is complete, you can dismount and remove the RDB, as shown in this example.
For detailed syntax and parameter information, see the following topics:
New -MailboxDatabase
Get-Mailbox
Set-Mailbox
Mount-Database
Dismount-Database
Remove-MailboxDatabase
Ensuring that users have a good email experience has always been the primary objective for messaging system
administrators. In your Exchange Server organization, all aspects of the system must be actively monitored and
any detected issues must be resolved quickly. To achieve this, a feature called Managed Availability provides built-
in monitoring and recovery actions that preserve the end-user experience.
Managed Availability
Managed availability, also known as Active Monitoring or Local Active Monitoring, is the integration of built-in
monitoring and recovery actions with the Exchange high availability platform. It's designed to detect and recover
from problems as soon as they occur and are discovered by the system. Unlike previous external monitoring
solutions and techniques for Exchange, managed availability doesn't try to identify or communicate the root cause
of an issue. It's instead focused on recovery aspects that address three key areas of the user experience:
Availability: Can users access the service?
Latency: How is the experience for users?
Errors: Are users able to accomplish what they want?
Managed availability provides a native health monitoring and recovery solution. It moves away from monitoring
individual separate slices of the system to monitoring the end-to-end user experience, and protecting the end
user's experience through recovery-oriented actions.
Managed availability is an internal process that runs on every Exchange server. It polls and analyzes hundreds of
health metrics every second. If something is found to be wrong, most of the time it will be fixed automatically. But
there will always be issues that managed availability won't be able to fix on its own. In those cases, managed
availability will escalate the issue to an administrator by means of event logging.
Managed availability is implemented in the form of two services:
Exchange Health Manager Service (MSExchangeHMHost.exe): This is a controller process used to
manage worker processes. It's used to build, execute, and start and stop the worker process, as needed. It's
also used to recover the worker process in case that process fails, to prevent the worker process from being
a single point of failure.
Exchange Health Manager Worker process (MSExchangeHMWorker.exe): This is the worker process
responsible for performing run-time tasks within the managed availability framework.
Managed availability uses persistent storage to perform its functions:
XML files in the \bin\Monitoring\config folder are used to store configuration settings for some of the
probe and monitor work items.
Active Directory is used to store global overrides.
The Windows registry is used to store run-time data, such as bookmarks, and local (server-specific)
overrides.
The Windows crimson channel event log infrastructure is used to store the work item results.
Health mailboxes are used for probe activity. Multiple health mailboxes will be created on each mailbox
database that exists on the server.
Managed Availability Components
As illustrated in the following drawing, managed availability includes three main asynchronous components that
are constantly doing work.
Managed Availability Components
Probes
The first component is called a Probe. Probes are responsible for taking measurements on the server and
collecting data.
There are three primary categories of probes: recurrent probes, notifications, and checks. Recurrent probes are
synthetic transactions performed by the system to test the end-to-end user experience. Checks are the
infrastructure that perform the collection of performance data, including user traffic. Checks also measure the
collected data against thresholds that are set to determine spikes in user failures, which enable the checks
infrastructure to become aware when users are experiencing issues. Finally, the notification logic enables the
system to take action immediately, based on a critical event, and without having to wait for the results of the data
collected by a probe. These are typically exceptions or conditions that can be detected and recognized without a
large sample set.
Recurrent probes run every few minutes and evaluate some aspect of service health. These probes might transmit
an email via Exchange ActiveSync to a monitoring mailbox, they might connect to an RPC endpoint, or they might
verify Client Access-to-Mailbox connectivity.
All probes are defined on Health Manager service startup in the
Microsoft.Exchange.ActiveMonitoring\ProbeDefinition crimson channel. Each probe definitions has many
properties, but the most relevant properties are:
Name The name of the probe, which begins with a SampleMask of the probe's monitor.
TypeName The code object type of the probe that contains the probe's logic.
ServiceName The name of the health set that contains this probe.
TargetResource The object the probe is validating. This is appended to the name of the probe when it is
executed to become a probe result ResultName
RecurrenceIntervalSeconds How often the probe executes.
TimeoutSeconds How long the probe will wait before failing.
There are hundreds of recurrent probes. Many of these probes are per-database, so as the number of databases
increases, so does the number of probes. Most probes are defined in code and are therefore not directly
discoverable.
The basics of a recurrent probe are as follows: start every RecurrenceIntervalSeconds and check (or probe) some
aspect of health. If the component is healthy, the probe passes and writes an informational event to the
Microsoft.Exchange.ActiveMonitoring\ProbeResult channel with a ResultType of 3. If the check fails or times out,
the probe fails and writes an error event to the same channel. A ResultType of 4 means the check failed and a
ResultType of 1 means that it timed out. Many probes will re-run if they timeout, up to the value of the
MaxRetryAttempts property.
NOTE
The ProbeResult crimson channel can get very busy with hundreds of probes running every few minutes and logging an
event, so there can be a real impact on the performance of your Exchange server if you try expensive queries against the
event logs in a production environment.
Notifications are probes that are not run by the health manager framework, but by some other service on the
server. These services perform their own monitoring, and then feed their data into the Managed Availability
framework by directly writing probe results. You won't see these probes in the ProbeDefinition channel, as this
channel only describes probes that will be run by the Managed Availability framework. For example, the
ServerOneCopyMonitor Monitor is triggered by probe results written by the MSExchangeDAGMgmt service. This
service performs its own monitoring, determines whether there is a problem, and logs a probe result. Most
notification probes have the capability to log both a red event that turns the monitor unhealthy and a green event
that makes the monitor healthy again.
Checks are probes that only log events when a performance counter passes above or below a defined threshold.
They are really a special case of notification probes, as there is a service monitoring the performance counters on
the server and logging events to the ProbeResult channel when the configured threshold is met.
To find the counter and threshold that is considered unhealthy, you can look at the monitor for this check.
Monitors of the type
Microsoft.Office.Datacenter.ActiveMonitoring.OverallConsecutiveSampleValueAboveThresholdMonitor or
Microsoft.Office.Datacenter.ActiveMonitoring.OverallConsecutiveSampleValueBelowThresholdMonitor mean that
the probe they watch is a check probe
Monitor
The results of the measurements collected by probes flow into the second component, the Monitor. The monitor
contains all of the business logic used by the system on the data collected. Similar to a pattern recognition engine,
the monitor looks for the various different patterns on all the collected measurements, and then it decides whether
something is considered healthy.
Monitors query the data to determine if action needs to be taken based on a predefined rule set. Depending on
the rule or the nature of the issue, a monitor can either initiate a responder or escalate the issue to a human via an
event log entry. In addition, monitors define how much time after a failure that a responder is executed, as well as
the workflow of the recovery action. Monitors have various states. From a system state perspective, monitors have
two states:
Healthy: The monitor is operating properly and all collected metrics are within normal operating
parameters.
Unhealthy: The monitor isn't healthy and has either initiated recovery through a responder or notified an
administrator through escalation.
From an administrative perspective, monitors have additional states that appear in the Exchange Management
Shell:
Degraded: When a monitor is in an unhealthy state from 0 through 60 seconds, it's considered Degraded.
If a monitor is unhealthy for more than 60 seconds, it is considered Unhealthy.
Disabled: The monitor has been explicitly disabled by an administrator.
Unavailable: The Exchange Health service periodically queries each monitor for its state. If it doesn't get a
response to the query, the monitor state becomes Unavailable.
Repairing: An administrator sets the Repairing state to indicate to the system that corrective action is in
process by a human, which allows the system and humans to differentiate between other failures that may
occur at the same time corrective action is being taken (such as a database copy reseed operation).
Every monitor has a SampleMask property in its definition. As the monitor executes, it looks for events in the
ProbeResult channel that have a ResultName that matches the monitor's SampleMask. These events could be
from recurrent probes, notifications, or checks. If the monitor's thresholds are achieved, it becomes Unhealthy.
From the monitor's perspective, all three probe types are the same as they each log to the ProbeResult channel.
It is worth noting that a single probe failure does not necessarily indicate that something is wrong with the server.
It is the design of monitors to correctly identify when there is a real problem that needs fixing. This is why many
monitors have thresholds of multiple probe failures before becoming Unhealthy. Even then, many of these
problems can be fixed automatically by responders, so the best place to look for problems that require manual
intervention is in the Microsoft.Exchange.ManagedAvailability\Monitoring crimson channel. This will include the
most recent probe error.
Responders
Finally, there are Responders, which are responsible for recovery and escalation actions. As their name implies,
responders execute some sort of response to an alert that was generated by a monitor. When something is
unhealthy, the first action is to attempt to recover that component. This could include multi-stage recovery actions;
for example, the first attempt may be to restart the application pool, the second may be to restart the service, the
third attempt may be to restart the server, and the subsequent attempt may be to take the server offline so that it
no longer accepts traffic. If the recovery actions are unsuccessful, the system escalates the issue to a human
through event log notifications.
Responders take a variety of recovery actions, such as resetting an application worker pool or restarting a server.
There are several types of responders:
Restart Responder Terminates and restarts a service.
Reset AppPool Responder Stops and restarts an application pool in Internet Information Services (IIS ).
Failover Responder Initiates a database or server failover.
Bugcheck Responder Initiates a bugcheck of the server, thereby causing a server reboot.
Offline Responder Takes a protocol on a server out of service (rejects client requests).
Online Responder Places a protocol on a server back into production (accepts client requests).
Escalate Responder Escalates the issue to an administrator via event logging.
In addition to the above listed responders, some components also have specialized responders that are unique to
their component.
All responders include throttling behavior, which provide a built-in sequencing mechanism for controlling
responder actions. The throttling behavior is designed to ensure that the system isn't compromised or made
worse as a result of responder recovery actions. All responders are throttled in some fashion. When throttling
occurs, the responder recovery action may be skipped or delayed, depending on the responder action. For
example, when the Bugcheck Responder is throttled, its action is skipped, and not delayed.
Health Sets
From a reporting perspective, managed availability has two views of health, one internal and one external.
The internal view uses health sets. Each component in Exchange Server (for example, Outlook on the web,
Exchange ActiveSync, the Information Store service, content indexing, transport services, etc.) is monitored by
managed availability using probes, monitors, and responders. A group of probes, monitors and responders for a
given component is called a health set. A health set is a group of probes, monitors, and responders that determine
if that component is healthy. The current state of a health set (e.g., whether it is healthy or unhealthy) is
determined by using the state of the health set's monitors. If all of a health set's monitors are healthy, then the
health set is in a healthy state. If any monitor is not in a healthy state, then the health set state will be determined
by its least healthy monitor.
For detailed steps to view server health or health sets state, see Manage health sets and server health.
Health Groups
The external view of managed availability is composed of health groups. Health groups are exposed to System
Center Operations Manager 2012 R2.
There are four primary health groups:
Customer Touch Points Components that affect real-time user interactions, such as protocols, or the
Information Store.
Service Components Components without direct, real-time user interactions, such as the Microsoft
Exchange Mailbox Replication service, or the offline address book generation process (OABGen).
Server Components The physical resources of the server, such as disk space, memory and networking.
Dependency Availability The server's ability to access necessary dependencies, such as Active Directory,
DNS, etc.
When the Exchange Management Pack is installed, System Center Operations Manager (SCOM ) acts as a health
portal for viewing information related to the Exchange environment. The SCOM dashboard includes three views
of Exchange server health:
Active Alerts Escalation Responders write events to the Windows event log that are consumed by the
monitor within SCOM. These appear as alerts in the Active Alerts view.
Organization Health A roll up summary of the overall health of the Exchange organization health is
displayed in this view. These rollups include displaying health for individual database availability groups,
and health within specific Active Directory sites.
Server Health Related health sets are combined into health groups and summarized in this view.
Overrides
Overrides provide an administrator with the ability to configure some aspects of the managed availability probes,
monitors, and responders. Overrides can be used to fine tune some of the thresholds used by managed
availability. They can also be used to enable emergency actions for unexpected events that may require
configuration settings that are different from the out-of-box defaults.
Overrides can be created and applied to a single server (this is known as a server override), or they can be applied
to a group of servers (this is known as a global override). Server override configuration data is stored in the
Windows registry on the server on which the override is applied. Global override configuration data is stored in
Active Directory.
Overrides can be configured to last indefinitely, or they can be configured for a specific duration. In addition,
global overrides can be configured to apply to all servers, or only servers running a specific version of Exchange.
When you configure an override, it will not take effect immediately. The Microsoft Exchange Health Manager
service checks for updated configuration data every 10 minutes. In addition, global overrides will be dependent on
Active Directory replication latency.
For detailed steps to view or configure server or global overrides, see Configure managed availability overrides.
CMDLET DESCRIPTION
Get-ServerHealth Used to get raw server health information, such as health sets
and their current state (healthy or unhealthy), health set
monitors, server components, target resources for probes,
and timestamps related to probe or monitor start or stop
times, and state transition times.
Get-HealthReport Used to get a summary health view that includes health sets
and their current state.
You can use the built-in health reporting cmdlets to perform a variety of tasks related to managed availability, such
as:
Viewing the health of a server or group of servers
Viewing a list of health sets
Viewing a list of probes, monitors, and responders associated with a particular health set
View a list of monitors and their current health
For more information about health reporting and managed availability, see Managed availability.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Run any of the following commands to view the health sets on an Exchange server or database availability group:
Use the Exchange Management Shell to view the probes, monitors and
responders for a health set
You can use the Exchange Management Shell to view the list of probes, monitors, and responders associated with
a health set on an Exchange server.
Run the following command to view the probes, monitors and responders associated with a health set on an
Exchange server:
Managed availability performs continuous probing to detect possible problems with Exchange components or
their dependencies, and it performs recovery actions to make sure the end user experience is not impacted due to a
problem with any of these components. However, there may be scenarios where the out-of-box settings may not
be suitable for your environment. Managed availability probes, monitors, and responders can be customized by
creating an override.
There are two types of overrides: local and global. As their names imply, a local override is available only on the
server on which it is created, and a global override is used to apply an override to multiple servers. Both types of
override can be created for a specific duration or for a specific version of Exchange, but not both at the same time.
NOTE
When you create an override, it doesn't take effect immediately. The Microsoft Exchange Health Management service checks
for configuration changes every 10 minutes and loads any detected configuration changes. If you don't want to wait, you can
restart the service.
To learn more about managed availability, see Managed availability. For additional management tasks related to
managed availability, see Manage health sets and server health.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
To create a local override for a specific version of Exchange, use the following syntax.
Add-ServerMonitoringOverride -Server <ServerName> -Identity <HealthSetName>\<MonitoringItemName>[\
<TargetResource>] -ItemType <Probe | Monitor | Responder | Maintenance> -PropertyName <PropertyName> -
PropertyValue <Value> -Version <15.01.xxxx.xxx>
NOTE
When you create the override, the values used in the Identity parameter are case-sensitive.
This example adds a local override that disables the responder ActiveDirectoryConnectivityConfigDCServerReboot
on the server named EXCH03 for 20 days.
To create a global override for a specific version of Exchange, use the following syntax.
NOTE
When you create the override, the values used in the Identity parameter are case-sensitive.
This example adds a global override that disables the OnPremisesInboundProxy probe for 30 days.
This example adds a global override that disables the StorageLogicalDriveSpaceEscalate responder for all servers
running Exchange version 15.01.0225.042.
Get-GlobalMonitoringOverride
This example removes the existing global override of the ExtensionAttributes property of the
OnPremisesInboundProxy probe in the FrontEndTransport health set.
Understanding server health and performance is critical to designing and maintaining a high-performance
messaging infrastructure. Exchange 2016 and Exchange 2019 continue the features that were introduced in
Exchange 2013 to help you manage server health and performance.
Managed availability
Managed availability provides built-in monitoring and recovery actions that preserve the end-user experience.
Managed availability is made of two processes: the Exchange Health Manager Service (MSExchangeHMHost.exe)
and the Exchange Health Manager Worker process (MSExchangeHMWorker.exe), and the following components:
Probe engine: The probe engine takes measurements on the server.
Monitoring probe engine: The monitoring probe engine stores the business logic about what constitutes
a healthy state. Like a pattern recognition engine, the monitoring probe engine looks for patterns and
measurements that differ from a healthy state, and then evaluates whether a component or feature is
unhealthy.
Responder engine: When the responder engine is alerted about an unhealthy component, it first tries to
recover that component. Managed availability enables multi-stage recovery actions. The first attempt may
be to restart the application pool, the second attempt may be to restart the corresponding service, and the
third attempt may be to restart the server. And, the final attempt may be to put the server offline, so that it
no longer accepts traffic. If all of these actions fail, an alert is sent to the help desk.
For more information about managed availability, see Managed availability.
Workload management
Workload management is made of these components:
User workload management is the new name for the user throttling features that were introduced in
Exchange 2010. You can customize these setting based on the needs of your environment.
System workload management automatically throttles specific Exchange workloads by monitoring the
health of key server resources. These settings should be customized only under the direction of Microsoft
Customer Service and Support.
For more information about user workload management, see User workload management in Exchange Server.
User workload management in Exchange Server
8/23/2019 • 3 minutes to read • Edit Online
User workload management allows you to control how Exchange system resources are consumed by users. This
feature was available in Exchange 2010 (known as user throttling), and was expanded to its current level in
Exchange 2013.
A workload is a feature, protocol, or service that's been explicitly defined to manage system resources on
Exchange servers. Each workload consumes system resources on the Exchange server (for example CPU,
memory, network, and disk bandwidth). Examples of workloads include Outlook on the web (formerly known as
Outlook Web App), Exchange ActiveSync, mailbox migration, and mailbox assistants.
NOTE
We strongly recommend that you don't modify the default throttling policy, because changes to the default policy could be
overwritten by future Exchange updates. Instead, you should create custom throttling policies that contain customized
settings.
Antispam and antimalware protection are included in Exchange Server 2016 and Exchange Server 2019.
Antispam protection is provided by the same built-in transport agents that were introduced in Exchange
Server 2010. These agents are enabled by default on Edge Transport servers, and you can enable many of
them on Exchange Mailbox servers.
Antimalware protection is provided by the Malware agent that was introduced in Exchange Server 2013.
The Malware agent is available and enabled by default on Exchange Mailbox servers.
The following table contains links to topics that provide overview information and configuration steps for
customizing the built-in spam and malware filtering settings for your organization.
TOPIC DESCRIPTION
Antispam protection in Exchange Server Describes the built-in antispam protection features in
Exchange Server, and how to configure the antispam
protection options.
Running Windows antivirus software on Exchange servers Describes considerations for running Windows antivirus
programs on Exchange servers.
If you're looking for information about antispam features in Office 365, see Office 365 Email AntiSpam Protection.
Antispam protection in Exchange Server
8/23/2019 • 5 minutes to read • Edit Online
Spammers, or malicious senders, use a variety of techniques to send unwanted email into your organization. No
single tool or process can eliminate all spam. However, Microsoft Exchange provides a layered, multifaceted
approach to reducing these unwanted messages. Exchange uses transport agents to provide antispam protection,
and the built-in agents that are available in Exchange Server 2016 and Exchange Server 2019 are relatively
unchanged from Exchange Server 2010. In Exchange 2016 and Exchange 2019, configuration and management of
these agents is available only in the Exchange Management Shell.
For more antispam features and easier management, you can purchase Exchange Online Protection (EOP ) that's
part of Microsoft Office 365. To learn more about Office 365 antispam protection, see Office 365 Email antispam
Protection.
NOTE
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering
on a Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the
message is rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server,
but it isn't configured to block any recipients.
Attachment Filtering agent: Attachment filtering blocks messages or attachments based on the
attachment file name, extension, or MIME content type. For more information, see Attachment filtering on
Edge Transport servers.
Based on the default priority value of the antispam agent, and the SMTP event in the transport pipeline where the
agent is registered, this is the order that the antispam agents are applied to messages on Edge Transport servers:
1. Connection Filtering agent
2. Sender Filter agent
3. Recipient Filter agent
4. Sender ID agent
5. Content Filter agent
6. Protocol Analysis agent (sender reputation)
7. Attachment Filtering agent
Antispam stamps
Antispam stamps are applied to messages and are used by the antispam agents. You can view the antispam
stamps to help you diagnose spam-related problems. For more information, see Antispam stamps.
See also
Office 365 email antispam protection
Enable antispam functionality on Mailbox servers
8/23/2019 • 5 minutes to read • Edit Online
The following antispam agents are available in the Transport service on Exchange 2016 and Exchange 2019
Mailbox servers, but they aren't installed by default:
Content Filter agent
Sender Filter agent
Sender ID agent
Protocol Analysis agent for sender reputation
You can install these antispam agents on a Mailbox server by using an Exchange Management Shell script,
which is important if these agents are your only defense to help prevent spam. Typically, you don't need to
install the antispam agents on a Mailbox server when your organization uses other types of antispam filtering
on incoming mail.
NOTE
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a
Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is
rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't
configured to block any recipients. For more information, see Recipient filtering procedures on Edge Transport servers.
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport
This example adds the internal SMTP server addresses 10.0.1.10 and 10.0.1.11 to the transport configuration of
your organization.
Get-TransportAgent
To see detailed information about the configuration of each agent, run the following commands:
For instructions on how to configure the log, see Configure antispam Agent Logging.
Antispam stamps
8/23/2019 • 6 minutes to read • Edit Online
Antispam stamps in Exchange Server apply diagnostic metadata, or stamps, such as sender-specific information,
puzzle validation results, and content filtering results, to messages as they pass through the antispam features that
filter inbound messages from the Internet. You can use antispam stamps to see the results of antispam filtering on
a message, and to diagnose spam-related problems. The antispam features and stamps are basically unchanged
from Exchange Server 2010. There are four major Exchange antispam stamps:
The phishing confidence level (PCL ) stamp
The Sender ID stamp
The spam confidence level (SCL ) stamp
The antispam report stamp
The antispam stamps are added to messages as X-header fields in the message header. You can view antispam
stamps on a message by using Outlook. For more information, see View antispam stamps in Outlook.
The PCL value appears in the X-MS -Exchange-Organization-PCL: X-header, and the PCL verdict appears in the
antispam report stamp as PCL:PhishingLevel <Verdict> . Outlook uses the PCL stamp to block the content of
suspicious messages.
STATUS DESCRIPTION
SoftFail The IP address for the PRA may be in the not permitted set.
The Sender ID stamp is displayed in the X-MS -Exchange-Organization-SenderIdResult: X-header, and also in
the antispam report stamp as SenderIDStatus <Status> . The SPF result is displayed in the Received-SPF header.
For more information, see the following topics:
Sender ID
Sender Policy Framework: SPF Record Syntax
The SCL stamp displays the rating of the message based on its content. The Content Filter agent uses Microsoft
SmartScreen technology to assess the contents of a message, and to assign an SCL rating to each message. The
SCL values are described in the following table.
X-MS-Exchange-Organization-Antispam-Report: DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict
<verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus <status>;TIME:
<SendReceiveDelta>;MIME:MimeCompliance;OrigIP:<SourceIPAddress>
The antispam filter information that can appear in the antispam report stamp is described in the following table.
Note that the antispam report stamp only contains results and conclusions from antispam filters that were applied
to the message. so the antispam report stamp usually doesn't contain all of the possible stamps and values.
STAMP DESCRIPTION
DV The DAT version (DV) stamp indicates the version of the spam
definition file that was used when scanning the message.
TIME:TimeBasedFeatures Indicates that there was a significant time delay between the
time that the message was sent and the time that the
message was received. The TIME stamp is used to determine
the final SCL rating for the message.
MessageSecurityAntispamBypass Indicates that the message wasn't filtered for content and that
the sender has been granted permission to bypass the
antispam filters.
SenderBypassed Indicates that the Content Filter agent doesn't process any
content filtering for messages that are received from this
sender. For more information, see Content filtering
procedures.
AllRecipientsBypassed Indicates that one of the following conditions was met for all
recipients listed in the message:
• The AntispamBypassedEnabled parameter on the recipient's
mailbox is set to $true . For more information, see Use the
Exchange Management Shell to configure a mailbox to bypass
Exchange antispam filtering.
• The message sender is in the recipient's Safe Senders List.
For more information about the Safe Senders List, see Use the
Exchange Management Shell to configure the safelist
collection on a mailbox.
• The Content Filter agent doesn't process any content
filtering for messages that are sent to this recipient. For more
information about recipient exceptions, see Use the Exchange
Management Shell to configure recipient and sender
exceptions for content filtering.
View antispam stamps in Outlook
8/23/2019 • 2 minutes to read • Edit Online
The built-in antispam agents in Exchange Server apply diagnostic metadata, or stamps, as X-headers to messages
as they enter your organization. For more information about these stamps, see Antispam stamps. You can use
Microsoft Outlook to view the antispam X-header fields in messages to help you diagnose spam-related problems.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
X-MS-Exchange-Organization-SenderIdResult:Fail
X-MS-Exchange-Organization-SCL:6
X-MS-Exchange-Organization-PCL:7X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.15608.880;SID:SenderIDStatus Fail;PCL:PhishingLevel
SUSPICIOUS;CW:CustomList;PP:Presolved;TIME:TimeBasedFeatures;OrigIP:10.1.1.1
Configure Exchange antispam settings on mailboxes
8/23/2019 • 18 minutes to read • Edit Online
In Exchange Server, you can configure specific antispam settings on individual mailboxes that are different than
the antispam settings that are applied to the rest of the mailboxes in your organization. The antispam settings that
are available on mailboxes are basically unchanged from Exchange 2010.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example disables the junk email rule on Ori Epstein's mailbox.
This example disables the junk email rule on all user mailboxes in the Organizational Unit named North America
in the consoto.com domain.
This example disables the junk email rule on all user mailboxes in the mailbox database named MDB 01.
This example disables the junk email rule on all user mailboxes in the organization.
For bulk operations, use the same filter that identified the mailboxes, and replace the Set-
MailboxJunkEmailConfiguration command with
Get-MailboxJunkEmailConfiguration | Format-Table -Auto Identity,Enabled . For example:
Replace <MailboxIdentity> with the identity of the mailbox, and run the following command to verify the
Enabled property value of the junk email rule.
To enter multiple values and overwrite any existing entries for the BlockedSendersAndDomains and
TrustedSendersAndDomains parameters, use the following syntax:
"<EmailAddressOrDomain1>","<EmailAddressOrDomain2>"... . To add or remove one or more values without affecting
other existing entries, use the following syntax:
@{Add="<EmailAddressOrDomain1>","<EmailAddressOrDomain2>"... ; Remove="<EmailAddressOrDomain3>","
<EmailAddressOrDomain4>...}
This example configures the following settings for the safelist collection on Ori Epstein's mailbox:
Adds the value shopping@fabrikam.com to the Blocked Senders list.
Removes the value chris@fourthcoffee.com from the Safe Senders list and the Safe Recipients list.
Configures contacts in the Contacts folder to be treated as trusted senders.
This example empties the Blocked Senders list for all user mailboxes in the Organizational Unit named North
America in the contoso.com domain.
This example adds michelle@tailspintoys.com to the Safe Senders list and Safe Recipients list on all user
mailboxes in the mailbox database named MDB 01.
This example removes the domain contoso.com from the Blocked Senders list in all user mailboxes in the
organization.
(Get-MailboxJunkEmailConfiguration <MailboxIdentity>).BlockedSendersAndDomains
For bulk operations, specify the filter that you used to configure the safelist collection, and replace the Set-
MailboxJunkEmailConfiguration command with
Get-MailboxJunkEmailConfiguration | Format-List Identity,trusted*,contacts*,blocked* . For example:
This example prevents all mailboxes that are assigned the Outlook on the web mailbox policy named Default from
configuring their junk email settings in Outlook on the web.
This example prevents all users that connect to the Outlook on the web virtual directory named owa (Default Web
Site) on the server named Mailbox01 from configuring their junk email settings.
Note: To apply changes to the Outlook on the web virtual directories, you need to restart Internet Information
Services (IIS ) by running the commands Stop-Service WAS -Force and Start-Service W3SVC .
For more information, see Set-OwaVirtualDirectory.
How do you know this worked?
To verify that you have successfully configured the availability of junk email settings in Outlook on the web, use
either of the following procedures:
For Outlook on the web mailbox policies, run the following command to verify the JunkEmailEnabled
property value:
For Outlook on the web virtual directories, run the following command to verify the JunkEmailEnabled
property value:
Delete Greater than or equal Silently deletes the Yes If this threshold is
to message (no NDR). enabled, the SCL
value should be
greater than all
others.
Reject Greater than or equal Rejects the message Yes The SCL value should
to with an NDR. be less than the
delete value, but
greater than the
quarantine or Junk
Email folder values.
By default, this
threshold is enabled
on the Content Filter
agent, and has the
default value 7.
SCL VALUE AVAILABLE ON THE
COMPARISON CONTENT FILTER
SCL THRESHOLD OPERATOR ACTION AGENT? COMMENTS
Quarantine Greater than or equal Redirects the message Yes If this threshold is
to to the spam enabled, the SCL
quarantine mailbox. value should be less
For more information than the delete or
about the configuring reject values, but
the spam quarantine greater than the Junk
mailbox, see Email folder value.
Configure a spam
quarantine mailbox.
Junk Email folder Greater than Delivers the message No The SCL value should
to the Junk Email You enable or disable be less than all others.
folder in the mailbox. the SCL threshold on By default, this
This action is the mailbox. threshold is enabled
controlled by the junk You configure the SCL on the Exchange
email rule that's threshold value on organization, and has
enabled by default in the Exchange the default value 4.
every mailbox. For organization, or on Because the junk
more information, see the mailbox. email rule is enabled
the Use the Exchange by default in all
Management Shell to mailboxes, messages
enable or disable the that arrive in the
junk email rule in a mailbox with an SCL
mailbox section in this value of 5 or higher
topic. are moved to the
Junk Email folder.
To configure the SCL threshold settings on a mailbox, use the following syntax.
This example disables the SCL Junk email threshold on mailbox of the user named Jeff Phillips.
This example disables the SCL Junk email threshold on all user mailboxes in the Organizational Unit named North
America in the consoto.com domain.
This example disables the SCL Junk email threshold on all user mailboxes in the mailbox database named MDB
01.
This example disables the SCL Junk email threshold on all user mailboxes in the organization.
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited; $All | foreach {Set-Mailbox
$_.Name -SCLJunkEnabled $false}
Notes:
To remove the specific SCL thresholds on the mailbox so the SCL threshold is controlled by the Content
Filter agent (delete, reject, or quarantine) or the Exchange organization (Junk Email folder), use the value
$null .
If you disable the SCL Junk Email folder threshold on the mailbox (SCLJunkEnabled is $false ), but the
junk email rule is still enabled in the mailbox, Exchange can still deliver messages to the Junk Email folder
based on the Blocked Senders list of the mailbox. Furthermore, even if you disable the Junk E -mail Rule on
the mailbox, Outlook (in Cached Exchange mode) can still move messages to the Junk Email folder based
on its own determination of whether the message is spam or the Blocked Senders list.
How do you know this worked?
To verify that you have successfully configured the SCL thresholds on a mailbox, use any of the following
procedures:
For a single mailbox, replace <MailboxIdentity> with the identity of the mailbox, and run the following
command to verify the property values:
For bulk operations, specify the filter that you used to configure the SCL thresholds, and replace the Set-
Mailbox command with Format-List Name,SCL* . For example:
Use the Exchange Management Shell to configure the SCL Junk Email
folder threshold value for all mailboxes in your organization
The SCL Junk Email folder threshold that's configured on the Exchange organization causes the junk email rule to
deliver messages to the Junk Email folder of a mailbox when all of the following conditions are true:
The message is assigned an SCL value by Exchange (typically, by the Content Filter agent).
The junk email rule in the mailbox is enabled. It's enabled by default, but it isn't fully functional until the
mailbox has been opened in Outlook (in Cached Exchange mode) or Outlook on the web.
An SCL Junk Email folder threshold isn't configured on the mailbox (by default, it's not configured).
The SCL value of the message is greater than the SCL Junk Email folder threshold that's configured for the
Exchange organization. The default value is 4, which means that messages with an SCL value of 5 or higher
are moved to the Junk Email folder by the junk email rule.
To configure the SCL Junk Email folder threshold for all mailboxes in your organization, use the following syntax:
This example sets the organization's SCL Junk Email folder threshold value to 5, which means messages with an
SCL value of 6 or higher are moved to the Junk Email folder by the junk email rule..
Set-OrganizationConfig -SCLJunkThreshold 5
Notes:
You can override the SCL Junk Email folder threshold value on a mailbox by configuring an SCL Junk Email
folder threshold on the mailbox. For more information, see the Use the Exchange Management Shell to
configure the SCL thresholds on a mailbox section in this topic.
If you disable the junk email rule in the mailbox, the value of the SCL Junk Email folder threshold for the
Exchange organization (or on the mailbox) is meaningless, because the junk email rule is required for
Exchange to deliver messages to the Junk Email folder. For more information, see the Use the Exchange
Management Shell to enable or disable the junk email rule in a mailbox section in this topic.
How do you know this worked?
To verify that you have successfully configured the SCL Junk Email folder threshold value for all mailboxes in your
organization, run the following command to verify the SCLJunkThreshold property value:
This example exempts messages that are sent to the mailbox named Customer Support from Exchange antispam
filtering.
To find all mailboxes in your organization that are configured to bypass antispam filtering, run the following
command:
Get-Mailbox -ResultSize Unlimited | where {$_.AntispamBypassEnabled -eq $true} | Format-Table
Name,AntispamBypassEnabled
NOTE
In November, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and
Outlook. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time. For
more information, see Deprecating support for SmartScreen in Outlook and Exchange.
So, the Outlook Junk Email Filter is able to use the mailbox's safelist collection and its own spam classification to
move messages to the Junk Email folder, even if the junk email rule and/or the SCL Junk Email threshold are
disabled in the mailbox. The difference is whether the junk email rule on the server or the Junk Email Filter in the
Outlook client moves the message to the Junk Email folder.
Outlook and Outlook on the web both support the safelist collection. The safelist collection is saved in the
Exchange mailbox, so changes to the safelist collection in Outlook appear in Outlook on the web, and vice-versa.
The safelist aggregation feature of the Content Filter agent shares these lists with the built-in Exchange antispam
agents. For more information, see Safelist aggregation.
Content filtering
8/23/2019 • 6 minutes to read • Edit Online
NOTE
In November, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and
Outlook. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time. For
more information, see Deprecating support for SmartScreen in Outlook and Exchange.
Content filtering evaluates inbound email messages by assessing the probability that the messages are legitimate
or spam. Unlike other filtering technologies, the content filtering uses characteristics from a statistically significant
sample of legitimate messages and spam to make its determination. Content filtering in Exchange Server is
provided by the Content Filter agent, and is basically unchanged from Exchange Server 2010. Updates to the
Content Filter agent are available periodically through Microsoft Update.
By default, the Content Filter agent is enabled on Edge Transport servers, but you can enable it on Mailbox
servers. For more information, see Enable antispam functionality on Mailbox servers.
For more information about how to configure the Content Filter agent, see Content filtering procedures.
NOTE
Messages that are over 11 MB aren't scanned by the Intelligent Message Filter. Instead, they pass through the Content
Filter agent without being scanned.
Using the SCL value in mail flow rules on Edge Transport servers
On Edge Transport servers, the Edge Rule agent acts on messages before the SCL value is added by the Content
Filter agent. If you want to use the SCLOver mail flow rule (also known as a transport rule) condition, you need to
configure the Content Filter agent to run before the Edge Rule agent by changing the transport agent priorities.
For more information, see Make message SCL values available to mail flow rules on Edge Transport servers.
Notes:
Although the Content Filter agent runs on other SMTP events, the SCL value is stamped on the message
by the instance of the Content Filter agent that's registered on the OnEndOfData SMTP event.
If you configure the Content Filter agent to act on messages before the Edge Rule agent on an Edge
Transport server, the server might incur additional processing costs, because messages that would normally
be rejected by other mail flow rules are received and evaluated by the Content Filter agent before they are
rejected by the Edge Rule agent, Also, you won't be able to configure a mail flow rule to stamp a message
that has an SCL value of -1 , which tells the Content Filter agent to ignore the message.
For more information about transport agents and transport agent priority, see Understanding Transport Agents.
Content filtering procedures
8/23/2019 • 7 minutes to read • Edit Online
Content filtering evaluates incoming messages to determine if a message is legitimate or spam. For more
information about content filtering and the Content Filter agent, see Content filtering.
You can configure many aspects of content filtering. For example:
Enable or disable content filtering on messages from internal (authenticated) and external
(unauthenticated) sources (it's enabled by default for incoming messages from external sources).
Configure exceptions to content filtering for specific senders, recipients, and source domains.
Configure allowed phrases and blocked phrases to look for in messages.
Configure the spam confidence level (SCL ) thresholds that tell what content filtering should do to
messages (delete, reject, or quarantine)
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
When you disable content filtering, the underlying Content Filter agent is still enabled. To disable the Content Filter agent,
run the command: Disable-TransportAgent "Content Filter Agent" .
To enable content filtering for external messages, run the following command:
To disable content filtering for internal messages, run the following command:
To add or remove entries without modifying other existing values, use the following syntax:
This example allows all messages that contain the phrase "customer feedback".
This example blocks all messages that contain the phrase "stock tip".
Notes:
The Delete action takes precedence over the Reject action, and the Reject action takes precedence over the
Quarantine action. Therefore, the SCL threshold for the Delete action should be greater than the SCL
threshold for the Reject action, which in turn should be greater than the SCL threshold for the Quarantine
action. Only the Reject action is enabled by default, and it has the SCL threshold value 7.
The Quarantine action requires a spam quarantine mailbox. For more information, see Configure a spam
quarantine mailbox.
This example configures the following values for the SCL thresholds:
The Delete action is enabled and the corresponding SCL threshold is set to 9.
The Reject action is enabled and the corresponding SCL threshold is set to 8.
The Quarantine action is enabled and the corresponding SCL threshold is set to 7.
This example configures the Content Filter agent to send a customized rejection response.
In Exchange Server, safelist aggregation refers to sender and recipient email addresses that are collected from all
users' Junk Email options in Microsoft Outlook, Outlook on the web, or the Set-
MailboxJunkEmailConfiguration cmdlet, and shared with the built-in Exchange antispam agents. Safelist
aggregation is basically unchanged from Exchange Server 2010.
When you enable and configure safelist aggregation, Exchange can take the following actions based on the
safelist aggregation data:
Deliver incoming messages from senders that have been identified as safe without additional antispam
processing (which could potentially identify the messages as spam).
Block incoming messages from senders that have been identified as malicious.
To configure safelist aggregation, see Safelist aggregation procedures.
In the context of spam filtering, a false-positive is a legitimate message that's identified as spam. For
organizations that filter hundreds of thousands of messages from the Internet every day, even a small percentage
of false-positives means that users might not receive many legitimate messages. Safelist aggregation is likely the
most effective way to reduce false-positives.
In Exchange Server, safelist aggregation refers to sender and recipient data that's collected from all users' Junk
Email options in Microsoft Outlook, Outlook on the web, or the Set-MailboxJunkEmailConfiguration cmdlet
and shared with the built-in Exchange antispam agents. For more information, see Safelist aggregation.
You can use the procedures in this topic to:
Configure limits on the number of safe senders and blocked senders that are stored for specific mailboxes.
Manually run safelist aggregation
Verify that safelist aggregation is working correctly.
For more information about adding and removing entries from a user's safelist collection, see Use the Exchange
Management Shell to configure the safelist collection on a mailbox.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example configures the mailbox john@contoso.com to have a maximum of 2,000 safe senders and 200
blocked senders.
This example writes the Safe Senders List for the mailbox john@contoso.com to Active Directory.
Update-Safelist john@contoso.com
If the output shows the Enabled property to be True , content filtering is enabled. If it isn't, run the following
command to enable content filtering and the Content Filter agent on the Exchange server:
Step 2: (Optional) Use ADSI Edit to verify replication of the safelist aggregation data to Edge Transport servers
This step is only required if you run the Content Filter agent on a subscribed Edge Transport server in your
perimeter network.
You can view the user objects in the Active Directory Lightweight Directory Services (AD LDS ) instance on the
Edge Transport server to:
Verify that the safelist collection data is updated for the user objects.
Verify that the Microsoft Exchange EdgeSync service has replicated the data to the AD LDS instance.
There are three safelist collection attributes for each user object:
msExchSafeRecipientsHash: Stores the hash of the Safe Recipients List collection for the user.
msExchSafeSendersHash: Stores the hash of the Safe Senders List collection for the user.
msExchBlockedSendersHash: Stores the hash of the Blocked Senders List collection for the user.
If a hexadecimal string, such as 0xac 0xbd 0x03 0xca , is present on the attribute, the user object was updated. If
the attribute has a value of <Not Set> , the attribute wasn't updated.
You can search for and view the attributes by using ADSI Edit on the Edge Transport server (run ADSIEdit.msc).
Step 3: Send a test message to verify safelist aggregation is working
To test whether safelist aggregation is functioning, you need to send yourself a message from a safe sender that
would otherwise be blocked by content filtering (for example, the message contains a blocked phrase). If safelist
aggregation is functioning, the message should arrive in your Inbox.
1. Open your Exchange mailbox in Outlook, and add an external email address (associated with an account
that you can access) to your Safe Senders List. For more information, see Add names to the Junk Email
Filter lists.
2. Use the Update-SafeList cmdlet to manually replicate the safelist collection from your mailbox to Active
Directory:
Update-Safelist <YourMailboxIdentity>
3. Optional: if you're running the Content Filter agent on a subscribed Edge Transport server in the perimeter
network, run the Start-EdgeSynchronization cmdlet to force EdgeSync replication.
4. Add a specific word as a blocked phrase to your content filtering configuration. For example:
For details, see Use the Exchange Management Shell to configure allowed and blocked phrases for content
filtering.
5. From the external email account in step 1, send a message to your Exchange mailbox that includes the
blocked phrase that you configured in step 4.
If the message is successfully delivered to your Inbox, safelist aggregation is working correctly.
Spam quarantine in Exchange Server
8/23/2019 • 2 minutes to read • Edit Online
Many organizations are bound by legal or regulatory requirements to preserve or deliver all legitimate email
messages. In Exchange Server, spam quarantine is a feature of the Content Filter agent that reduces the risk of
losing legitimate incoming email messages by providing a temporary storage location for messages that are
identified as spam. Spam quarantine is basically unchanged from Exchange Server 2010.
Messages that are identified as spam by the Content Filter agent are wrapped in a non-delivery report (also
known as an NDR, delivery status notification, DSN, or bounce message) and delivered to the designated spam
quarantine mailbox inside the organization. Administrators can use Microsoft Outlook to review the messages in
the spam quarantine mailbox and take appropriate action. For example, you can delete messages, or release
legitimate messages to their intended recipients. In addition, you can configure the spam quarantine mailbox to
automatically delete messages after a designated time period.
To use the spam quarantine, follow these steps:
1. Verify content filtering is enabled.
2. Create a dedicated mailbox for spam quarantine.
3. Specify the spam quarantine mailbox.
4. Configure the SCL quarantine threshold.
5. Manage the spam quarantine mailbox.
6. Adjust the SCL quarantine threshold as needed.
For detailed instructions, see Configure a spam quarantine mailbox.
More information
The Content Filter agent evaluates incoming messages and applies a spam confidence level (SCL ) to each
message. The SCL is a numeric value from 0 through 9, where 0 is considered very unlikely to be spam, and 9 is
considered very likely to be spam. You can configure the Content Filter agent to take progressively more serious
action based on a higher SCL value. For example:
SCL is 8 or higher: Silently delete the message.
SCL is 7: Reject the message with an NDR.
SCL is 6: Quarantine the message.
SCL is 5: Deliver the message to the user's Junk Email folder.
SCL is 4 or lower: Deliver the message to the user's Inbox.
For more information, see Exchange spam confidence level (SCL ) thresholds.
As you monitor the spam quarantine mailbox, you can view the results of antispam filtering by inspecting the
antispam stamps (X-header fields) that were applied to the message. For more information, see View antispam
stamps in Outlook. You can then adjust the SCL thresholds to more accurately filter the spam that's coming into
your organization. For example:
Too many legitimate messages are sent to the spam quarantine mailbox (too many false positives).
Too many obvious spam messages are sent to the quarantine mailbox (not enough spam is rejected or
deleted).
To release a false positive from the spam quarantine to the intended recipient, see the following topics:
Configure Outlook to show the original sender in the spam quarantine mailbox
Release quarantined messages from the spam quarantine mailbox
Configure a spam quarantine mailbox
8/23/2019 • 4 minutes to read • Edit Online
Messages determined to be spam by the Content Filter agent can be directed to a spam quarantine mailbox. If the
spam confidence level (SCL ) quarantine threshold is enabled, all messages that are quarantined are wrapped as
non-delivery reports (also known as NDRs, delivery status notifications, DSN, or bounce messages) and are
delivered to the spam quarantine mailbox that you specify. Administrators can review quarantined messages and
release them to their intended recipients by using Microsoft Outlook.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
If a quarantined message is rejected because of a storage quota, the message will be lost. Exchange doesn't
generate NDRs for quarantined messages because the quarantined messages are wrapped as NDRs.
Configure Outlook: You need to configure the Outlook delegate access permissions to meet the needs of
your organization. In addition, you can configure the Outlook profile to show the original sender, recipient,
and SCL value of the message. For more information, see Configure Outlook to show the original sender
in the spam quarantine mailbox.
This example sends all messages that exceed the spam quarantine threshold to spamQ@contoso.com.
IMPORTANT
NDRs for quarantined messages aren't delivered to the spam quarantine mailbox. NDRs that are identified as spam are
deleted, even if their SCL value indicates that they should be quarantined. To track these messages, use the agent log or the
message tracking log. For more information, see Antispam Agent Logging.
Spam quarantine is a feature of the Content Filter agent that reduces the risk of losing legitimate messages. Spam
quarantine provides a temporary storage location for messages that are identified as spam and that shouldn't be
delivered to a user mailbox inside the organization. For more information, see Spam quarantine in Exchange
Server.
When a message meets the spam quarantine threshold, it's wrapped in a non-delivery report (also known as an
NDR, delivery status notification, DSN, or bounce message) and delivered to the spam quarantine mailbox.
Because the quarantined messages are stored as NDRs, the postmaster address of your organization will be listed
as the From: address for all messages. However, having the original sender address, the original recipient address,
and the original spam confidence level (SCL ) in the field list would make it easier to locate the message you want
to recover.
By default, you can't add these fields in the message view in Microsoft Outlook. You need to create an Outlook
form that adds the original sender, original recipient, and original SCL as optional fields that you can select. After
you create this custom form, you can configure Outlook to display these fields in the message view.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
2. Save the file in your Office Forms folder using the following values:
Path: <OfficeInstallPath>\<OfficeVersion>\Forms\<LCID>
<OfficeInstallPath>:
For 32-bit versions of Office on 32-bit versions of Microsoft Windows, or 64-bit versions of
Office on 64-bit versions of Windows, the default path is
C:\Program Files\Microsoft Office\root .
For 32-bit versions of Office on 64-bit versions of Windows, the default path is
C:\Program Files (x86)\Microsoft Office\root .
<OfficeVersion>
Outlook 2010: Office14
<LCID>: This is your locale ID (LCID ) value. For example, the LCID for US English is 1033. For more
information, see KB221435: List of supported locale identifiers in Word.
Name: For the rest of this procedure, assume the file is named QTNE.cfg . The name of the file isn't
important, but be sure to save the file as QTNE.cfg and not QTNE.cfg.txt.
For example, for a 32-bit US English version of Outlook 2016 installed on a 64-bit version of Windows, save the
file as:
NOTE
If Windows User Access Control (UAC) prevents you from saving the file in the correct location, save it first to a temporary
location, and then copy it.
After you configure the spam quarantine mailbox in Exchange Server, you can use Resend this message in
Microsoft Outlook to release quarantined messages to their intended recipients. To configure the spam quarantine
mailbox, see Configure a spam quarantine mailbox.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
In November, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and
Outlook. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time.
For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
In Exchange Server, you can define specific actions for messages according to spam confidence level (SCL )
thresholds. For example, you can define different thresholds for rejecting, deleting, or quarantining messages on
an Exchange server that's running the Content Filter agent. These SCL thresholds and actions are basically
unchanged from Exchange Server 2010
The Content Filter agent assigns an SCL rating to messages late in the antispam cycle, after the other antispam
agents have processed inbound messages. Many of the other antispam agents that process inbound messages
before the Content Filter agent are absolute in how they act on a message. For example, the Connection Filtering
agent on an Edge Transport server rejects messages from IP addresses based on a real-time block list. Similarly,
the Sender Filter agent blocks messages based on a list of blocked senders, and the Recipient Filter agent blocks
messages based on a list of blocked recipients. By processing messages first, the other antispam agents greatly
reduce the number of messages (in most cases, blatantly unwanted messages) that need to be processed by the
Content Filter agent. For more information about the order that antispam agents process messages in, see
Antispam protection in Exchange Server.
Because content filtering isn't an exact science, it's important to be able to adjust the actions of the Content Filter
agent based on different SCL values. By carefully monitoring and adjusting the SCL thresholds, you can
minimize the following conditions:
The number of messages in and the size of the spam quarantine mailbox.
The number of legitimate email messages that are mistakenly quarantined or placed in the user's Junk
Email folder (false positives).
The number of offensive spam email messages that reach the user's mailbox (messages shouldn't even
reach the Junk Email folder).
The number of spam email messages that reach the user's Inbox.
The combination of this SCL thresholds in the Content Filter agent and the SCL Junk Email folder threshold on
the user's mailbox helps you implement a more comprehensive and precise antispam strategy, which can help
you reduce the overall cost of deploying and maintaining an antispam solution across your Exchange
organization.
PARAMETER DESCRIPTION
SCLDeleteEnabled Enables and disables the SCL delete threshold. Valid values
are $true or $false . The default value is $false , which
means the SCL delete threshold isn't enabled by default.
You set the SCL delete threshold value with the
SCLDeleteThreshold parameter.
SCLDeleteThreshold The SCL value that's used when the SCL delete threshold is
enabled. A message with an SCL value that's greater than or
equal to this value is silently deleted. The maximum value is 9,
which is also the default value.
When you enable the SCL delete threshold, this value should
be greater than all other SCL thresholds.
SCLRejectEnabled Enables and disables the SCL reject threshold. Valid values are
$true or $false . The default value is $true , which
means the SCL reject threshold is enabled by default.
You set the SCL reject threshold value with the
SCLRejectThreshold parameter.
SCLRejectThreshold The SCL value that's used when the SCL reject threshold is
enabled. A message with an SCL value that's greater than or
equal to this value is rejected, and an NDR is sent to the
sender. The maximum value is 9, and the default value is 7.
When you enable the SCL reject threshold, this value should
be less than the SCL delete threshold, but greater than the
SCL quarantine and Junk Email folder thresholds.
SCLQuarantineThreshold The SCL value that's used when the SCL quarantine threshold
is enabled. A message with an SCL value that's greater than
or equal to this value is redirected to the spam quarantine
mailbox. The maximum value is 9, which is also the default
value.
When you enable the SCL quarantine threshold, this value
should be less than the SCL reject threshold, but greater than
the SCL Junk Email folder threshold (the SCLJunkThreshold
parameter on the Set-OrganizationConfig or Set-Mailbox
cmdlets).
For examples of configuring the SCL thresholds on the Content Filter agent, see Use the Exchange Management
Shell to configure SCL thresholds for content filtering.
SCL thresholds on the organization
You use the SCLJunkThreshold parameter Set-OrganizationConfig cmdlet to set the SCL Junk Email folder
threshold value for all mailboxes in the organization. This is the only SCL threshold that you can configure at the
organization level. The SCL value is typically assigned to messages by the Content Filter agent.
The SCLJunkThreshold parameter on the Set-OrganizationConfig cmdlet is described in the following table.
PARAMETER DESCRIPTION
SCLJunkThreshold The SCL value that's used when the junk email rule is enabled
in the mailbox, and an SCL Junk Email folder threshold isn't
configured on the mailbox.
A message with an SCL value that's greater than this value is
moved to the Junk Email folder by the junk email rule. The
maximum value is 9, and the default value is 4, which means
that messages with an SCL value of 5 or higher are moved to
the Junk Email folder, and messages with an SCL value of 4 or
lower are delivered to the Inbox.
Notes:
The SCL Junk Email folder threshold is enabled by default, because the junk email rule is enabled by
default in all mailboxes. If the junk email rule is disabled in the mailbox, the SCL Junk Email folder
threshold (for the organization or the mailbox) is disabled for the mailbox.
You can disable the junk email rule in a mailbox by using the Enabled parameter on the Set-
MailboxJunkEmailConfiguration cmdlet, but only after the mailbox has been opened in Outlook (in
Cached Exchange mode) or Outlook on the web.
You can control the availability of the junk email settings in Outlook on the web, which prevents users
from enabling or disabling the junk email rule in their own mailbox.
For more information, see the Configure Exchange antispam settings on mailboxes topic.
SCL thresholds on a mailbox
You can use the Set-Mailbox cmdlet to configure all SCL thresholds on a mailbox. The same SCL parameters
that are available on the Set-ContentFilterConfig cmdlet are also available on the Set-Mailbox cmdlet:
SCLDeleteEnabled
SCLDeleteThreshold
SCLRejectEnabled
SCLRejectThreshold
SCLQuarantineEnabled
SCLQuarantineThreshold
Unlike the SCL threshold parameters on Set-ContentFilterConfig, the parameters on the Set-Mailbox cmdlet
also accept the value $null (the value is blank), which is the default value for all SCL thresholds on the mailbox.
This blank default value indicates that no SCL thresholds are configured on the mailbox, so the Content Filter
agent uses its SCL threshold settings for messages that are sent to the mailbox.
If you configure an SCL threshold on a mailbox (the value isn't blank), the setting override the corresponding
SCL threshold on the Content Filter agent for messages that are sent to the mailbox. The SCL thresholds that
you configure on the mailbox are stored in Active Directory, and are replicated to subscribed Edge Transport
servers by the Microsoft Exchange EdgeSync service.
The results are similar for the SCLJunkThreshold parameter that's available on Set-OrganizationConfig and
Set-Mailbox: the SCL Junk Email folder threshold value that you configure on the mailbox (the value isn't blank)
overrides the SCL value on the organization for messages that are sent to the mailbox.
NOTE
SCL thresholds on a mailbox are not enforced for messages that are received from distribution groups.
The SCL threshold setting that's unique to a mailbox is the ability to enable or disable the SCL Junk Email folder
threshold. The SCLJunkEnabled parameter is only available on the Set-Mailbox cmdlet, and is described in the
following table.
PARAMETER DESCRIPTION
SCLJunkEnabled Enables and disables the SCL Junk Email folder threshold on
the mailbox. Valid values are $true , $false , or $null
(blank). The default value is blank ( $null ), which means the
SCL Junk Email folder threshold isn't configured on the
mailbox, and is controlled by whether the junk email rule is
enabled or disabled in the mailbox.
The default SCL Junk Email folder threshold value is set by
the SCLJunkThreshold parameter on the Set-
OrganizationConfig cmdlet. You can override this value for
the mailbox by using the SCLJunkThreshold parameter on
the Set-Mailbox cmdlet.
Notes:
You can disable the SCL Junk Email folder threshold on a mailbox by disabling the junk email rule in the
mailbox. However, disabling the rule also prevents the rule from using the mailbox's safelist collection
(Safe Senders list, Safe Recipients list, Blocked Senders list) to move messages to the Junk Email folder, or
keep messages out of the Junk Email folder.
Even if the junk email rule is disabled in the mailbox, and the SCL Junk Email folder threshold is disabled
on the mailbox, the client-side Outlook Junk Email Filter can still move messages to the Junk Email folder.
For more information, see the Configure Exchange antispam settings on mailboxes topic.
Sender filtering compares a list of blocked senders that's maintained by the Exchange administrator to the value of
the MAIL FROM command in SMTP connections to determine what to do with inbound email messages from
those blocked senders. Sender filtering in Exchange Server is provided by the Sender Filter agent, and is basically
unchanged from Exchange Server 2010.
You can configure the Sender Filter agent block single senders (for example, kim@contoso.com), whole domains
(contoso.com), or domains and all subdomains (*.contoso.com). You can control whether the agent inspects
messages from internal sources, external sources, or both. You can also configure the action to take on messages
from blocked senders:
Reject: The Sender Filter agent rejects the SMTP request with a 554 5.1.0 Sender Denied SMTP session
error and closes the connection.
Stamp status: The Sender Filter agent accepts the message and updates the message to indicate that it
came from a blocked sender. The Content Filter agent uses this information when it calculates the spam
confidence level (SCL ) of the message. For more information about content filtering and the Content Filter
agent, see Content filtering.
By default, the Sender Filter agent is enabled on Edge Transport servers, but you can enable it on Mailbox servers.
For more information, see Enable antispam functionality on Mailbox servers.
For more information about how to configure the Sender Filter agent, see Sender filtering procedures.
IMPORTANT
The MAIL FROM: SMTP headers can be spoofed, so you shouldn't rely exclusively on the Sender Filter agent. Instead, you
should use both the Sender Filter agent and the Sender ID agent. The Sender ID agent uses the originating IP address of the
sending server to verify that the domain in the MAIL FROM: SMTP header matches the domain that's registered. For more
information about the Sender ID agent, see Sender ID.
Sender filtering filters inbound messages by comparing a list of blocked senders to the value of the MAIL FROM
command in SMTP connections. For more information about sender filtering and the Sender Filter agent, see
Sender filtering.
You can configure many aspects of sender filtering. For example:
Enable or disable sender filtering on inbound messages from internal (authenticated) and external
(unauthenticated) sources (it's enabled by default for messages from external sources).
Configure blocked senders and blocked domains.
Specify whether to block messages with blank senders.
Configure the action that sender filtering takes on messages that contain blocked senders or domains.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
When you disable sender filtering, the underlying Sender Filter agent is still enabled. To disable the Sender Filter agent, run
the command: Disable-TransportAgent "Sender Filter Agent" .
To enable sender filtering for external connections, run the following command:
To disable sender filtering for internal connections, run the following command:
This example configures the Sender Filter agent to block messages from kim@contoso.com and
john@contoso.com, messages from the fabrikam.com domain, and messages from northwindtraders.com and all
its subdomains.
To add or remove entries without modifying other existing values, use the following syntax:
This example configures the Sender Filter agent with the following information:
Add chris@contoso.com and michelle@contoso.com to the list of existing senders who are blocked.
Remove tailspintoys.com from the list of existing sender domains that are blocked.
Add blueyonderairlines.com to the list of existing sender domains and subdomains that are blocked.
This example configures the Sender Filter agent to block messages that don't specify a sender in the MAIL
FROM: SMTP command:
This example configures the Sender Filter agent to allow messages from blocked senders or domains. The Sender
Filter agent updates the message to indicate that it came from a blocked sender. This information is used in the
calculation of the message's spam confidence level (SCL ).
This example configures the Sender Filter agent to reject messages from blocked senders or domains. The Sender
Filter agent rejects the SMTP request with a 554 5.1.0 Sender Denied SMTP session error and closes the
connection.
This example configures the Sender Filter agent to silently drop messages that contain blocked senders that are
defined by SafeList aggregation.
This example configures the Sender Filter agent to reject messages that contain blocked senders that are defined
by SafeList aggregation with a non-delivery report (also known as an NDR, delivery status notification, DSN or
bounce message).
Sender ID is used to detect spoofing. A spoofed email message is modified to appear as if it originates from a
sender other than the actual sender of the message. In the past, it was relatively easy to send spoofed email
messages, because the sender's email address in the message header wasn't validated. Sender ID uses the
RECEIVED SMTP header and a query to the DNS records for the sender's domain to determine if the sender's
email address is spoofed. Sender ID in Exchange Server is provided by the Sender ID agent, and is basically
unchanged from Exchange Server 2010.
By default, the Sender ID agent is enabled on Edge Transport servers, but you can enable it on Mailbox servers.
For more information, see Enable antispam functionality on Mailbox servers.
For more information about how to configure the Sender ID agent, see Sender ID procedures.
Sender ID detects spoofed email messages by using the Sender Policy Framework (SPF ) record in DNS to
compare the source IP address with the domain in the sender's email address. For more information about
Sender ID and the Sender ID agent, see Sender filtering
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
When you disable Sender ID, the underlying Sender ID agent is still enabled. To disable the Sender ID agent, run the
command: Disable-TransportAgent "Sender ID Agent" .
This example configures the Sender ID agent to reject any messages with a 5 xx SMTP error response when
sender's domain has an SPF record, and the IP address of the source server isn't listed as an authoritative server
for the domain (the Sender ID status is Fail ).
This example configures the Sender ID agent to stamp the messages when the Sender ID status can't be
determined due to a temporary DNS server error (the Sender ID status is TempError ). The message will be
processed by other antispam agents and the Content Filter agent will use the mark when determining the SCL
value for the message.
Note that StampStatus is the default value for the TempErrorAction parameter.
How do you know this worked?
To verify that you have successfully configured the Sender ID action for transient errors, run the following
command to verify the TempErrorAction property value:
This example configures the Sender ID agent to bypass the Sender ID check for messages sent to
kim@contoso.com and john@contoso.com, and to bypass the Sender ID check for messages sent from the
fabrikam.com domain.
Set-SenderIDConfig -BypassedRecipients kim@contoso.com,john@contoso.com -BypassedSenderDomains fabrikam.com
To add or remove entries without modifying other existing values, use the following syntax:
This example configures the Sender ID agent with the following settings:
Add chris@contoso.com and michelle@contoso.com to the list of existing recipients who bypass the
Sender ID check.
Remove tailspintoys.com from the list of existing domains that bypass the Sender ID check.
Sender reputation is part of the Exchange antispam functionality that blocks messages according to many
characteristics of the sender. Sender reputation relies on persisted data about the sender to determine the action
to take on inbound messages. The Protocol Analysis agent is the underlying agent for sender reputation
functionality.
For more information about how to configure sender reputation and the Protocol Analysis agent, see Sender
reputation procedures.
By default, the Protocol Analysis agent is enabled on Edge Transport servers, but you can enable it on Mailbox
servers. For more information, see Enable antispam functionality on Mailbox servers.
Sender reputation and the Protocol Anaysis agent block unwanted messages according to various characteristics
of the sender. Sender reputation relies on persisted data about the sender to determine what action, if any, to take
on an inbound message. For more information, see Sender reputation and the Protocol Analysis agent.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
NOTE
The Protocol Analysis agent is the underlying agent for sender reputation functionality. When you disable sender reputation,
the Protocol Analysis agent is still enabled. To disable the Protocol Analysis agent, run the command:
Disable-TransportAgent "Protocol Analysis Agent" .
To enable sender reputation for external messages, run the following command:
To disable sender reputation for internal messages, run the following command:
This example lowers the sender reputation level (SRL ) block threshold to 6 (which means senders with an SRL of
6, 7, 8, or 9 are blocked), and blocks the offending senders for 36 hours:
Notes:
The default value of the SenderBlockingEnabled parameter is $true .
The default value of the SenderBlockingPeriod parameter is 24.
The default value of the SrlBlockThreshold parameter is 7.
You can't disable sender blocking and open proxy server detection at the same time. One must be enabled
when the other is disabled, or they both can be enabled.
How do you know this worked?
To verify that you have successfully configured sender blocking in sender reputation, run the following command
to verify the property values:
PROTOCOLS PORTS
This example configures sender reputation to connect to the Internet through the proxy server named SERVER01
that uses the HTTP CONNECT protocol on port 80.
Notes:
The default value of the OpenProxyDetectionEnabled parameter is $true .
The default value of the ProxyServerName parameter is blank ( $null ).
The default value of the ProxyServerPort parameter is 0.
The default value of the ProxyServerType parameter is None .
You can't disable open proxy server detection and sender blocking at the same time. One must be enabled
when the other is disabled, or they both can be enabled.
How do you know this worked?
To verify that you have successfully configured open proxy server detection in sender reputation, run the
following command to verify the property values:
See also
Get-SenderReputationConfig
Set-SenderReputationConfig
Attachment filtering on Edge Transport servers
8/23/2019 • 3 minutes to read • Edit Online
In Exchange Server, you can use attachment filtering on Edge Transport servers to control the attachments that
users receive in email messages. Attachment filtering is performed by the Attachment Filtering agent, which is
available only on Edge Transport servers, and is basically unchanged from Exchange Server 2010.
To configure the attachment filtering options, see Attachment filtering procedures on Edge Transport servers.
After you define the files to look for, you can configure the action to take on messages that contain these
attachments. You can't specify different actions for different types of attachments. You configure one of the
following actions for all the messages that match any of the attachment filters:
Reject (block) the message: he message is blocked. The sender receives a non-delivery report (also
known as an NDR, delivery status notification, DSN, or bounce message) that explains that the message
wasn't delivered because it contained an unacceptable attachment. You can customize the text in the NDR.
The default text is: Message rejected due to unacceptable attachments .
Strip the attachment but allow the message through: The attachment is removed from the message.
However, the message itself and any other attachments that don't match the filter are allowed through. If an
attachment is stripped, it's replaced with a text file that explains why the attachment was removed. This is
the default action.
Silently delete the message: The message is deleted. Neither the sender nor the recipient receives
notification.
Notes:
You can't retrieve messages that have been blocked or attachments that have been stripped. When you
configure attachment filters, carefully examine all possible file name matches and verify that legitimate
attachments won't be affected by the filter.
If you remove attachments from digitally signed, encrypted, or rights-protected messages, you invalidate
the digital signature, which makes encrypted and rights-protected messages unreadable. A way to avoid this
problem for outbound messages is to sign or encrypt the messages after they've been processed by the
Attachment Filtering agent.
For more information, see Attachment filtering procedures on Edge Transport servers.
TYPE NAME
ContentType application/hta
ContentType application/javascript
ContentType application/msaccess
ContentType application/prg
ContentType application/x-javascript
ContentType application/x-msdownload
ContentType message/partial
ContentType text/javascript
ContentType text/scriptlet
ContentType x-internet-signup
FileName *.ade
FileName *.adp
FileName *.app
FileName *.asx
FileName *.bas
FileName *.bat
FileName *.chm
FileName *.cmd
FileName *.com
FileName *.cpl
TYPE NAME
FileName *.crt
FileName *.csh
FileName *.exe
FileName *.fxp
FileName *.hlp
FileName *.hta
FileName *.inf
FileName *.ins
FileName *.isp
FileName *.js
FileName *.jse
FileName *.ksh
FileName *.lnk
FileName *.mda
FileName *.mdb
FileName *.mde
FileName *.mdt
FileName *.mdw
FileName *.mdz
FileName *.msc
FileName *.msi
FileName *.msp
FileName *.mst
FileName *.ops
TYPE NAME
FileName *.pcd
FileName *.pif
FileName *.prf
FileName *.prg
FileName *.ps1
FileName *.ps1xml
FileName *.ps11
FileName *.ps11xml
FileName *.ps2
FileName *.ps2xml
FileName *.psc1
FileName *.psc2
FileName *.reg
FileName *.scf
FileName *.scr
FileName *.sct
FileName *.shb
FileName *.shs
FileName *.url
FileName *.vb
FileName *.vbe
FileName *.vbs
FileName *.wsc
FileName *.wsf
TYPE NAME
FileName *.wsh
FileName *.xnk
Attachment filtering procedures on Edge Transport
servers
8/23/2019 • 5 minutes to read • Edit Online
Attachment filtering in Exchange Server is provided by the Attachment Filter agent that's available only on Edge
Transport servers. Attachment filtering can help prevent files in email messages from entering your organization.
You can configure one or more attachment filter entries to filter attachments either by content type or by file name.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
After you enable or disable attachment filtering, restart the Microsoft Exchange Transport service by running the
following command:
Restart-Service MSExchangeTransport
To find a specific MIME content type entry, use the following syntax:
Get-AttachmentFilterEntry ContentType:<MIMEContentType>
For example, to see if there's a MIME content type entry for JPEG images, run the following command:
Get-AttachmentFilterEntry ContentType:image/jpeg
If you receive the error, Couldn't find the specified identity. , then the MIME content type isn't defined in the
attachment filtering entries.
To view a specific file name or file name extension entry, use the following syntax:
For example, to see if there's a file name extension entry for JPEG attachments, run the following command:
Get-AttachmentFilterEntry FileName:*.jpg
If you receive the error, Couldn't find the specified identity. , then the file name or file name extension isn't
defined in the attachment filtering entries.
For more information, see Get-AttachmentFilterEntry.
The following example adds a MIME content type entry that filters JPEG images.
Add-AttachmentFilterEntry -Name image/jpeg -Type ContentType
To add an attachment filtering entry that filters attachments by file name or file name extension, use the following
syntax:
The following example filters attachments that have the .jpg file name extension.
Remove-AttachmentFilterEntry ContentType:<ContentType>
The following example removes the MIME content type entry for JPEG images.
Remove-AttachmentFilterEntry ContentType:image/jpeg
To remove an attachment filtering entry that filters attachments by file name or file name extension, use the
following syntax:
The following example removes the file name entry for the .jpg file name extension.
Remove-AttachmentFilterEntry FileName:*.jpg
This example makes the following changes to the attachment filtering configuration:
Reject (block) messages that have prohibited attachments. Note that you can't specify different actions for
different types of attachments.
Use a custom response for rejected messages.
Connection filtering is an antispam feature in Exchange Server that allows or blocks email based on the message
source. Connection filtering is performed by the Connection Filtering agent that's available only on Edge Transport
servers, and is basically unchanged from Exchange Server 2010. The Connection Filtering agent relies on the IP
address of the connecting mail server to determine what action, if any, to take on an inbound message.
By default, the Connection Filtering agent is the first antispam agent to evaluate an inbound message on an Edge
Transport server. The source IP address of the SMTP connection is checked against the allowed and blocked IP
addresses. If the source IP address is specifically allowed, the message is sent to the recipients in your organization
without additional processing by other antispam agents. If the source IP address is specifically blocked, the SMTP
connection is dropped. If the source IP address isn't specifically allowed or blocked, the message flows through the
other antispam agents on the Edge Transport server.
Connection filtering compares the IP address of the source mail server to the values in the IP Allow list, the IP
Block list, IP Allow list providers, and IP Block list providers. You need to configure at least one of these four IP
address data stores for connection filtering to function. If you don't specify any IP address data, you should disable
the Connection Filtering agent. For more information, see Connection filtering procedures on Edge Transport
servers.
IP Block list
The IP Block list contains the IP addresses of email servers that you want to block. You manually maintain the IP
addresses in the IP Block list. You can add individual IP addresses or IP address ranges. You can specify an
expiration time that specifies how long the IP address entry will be blocked. When the expiration time is reached,
the IP address entry in the IP Block list is disabled.
If the Connection Filtering agent finds the source IP address on the IP Block list, the SMTP connection will be
dropped after all the RCPT TO headers (envelope recipients) in the message are processed.
IP addresses can also be automatically added to the IP Block list by the Sender Reputation feature of the Protocol
Analysis agent. For more information, see Sender reputation and the Protocol Analysis agent.
IP Allow list
The IP Allow list contains the IP addresses of email servers that you want to designate as trustworthy sources of
email. Email from mail servers that you specify in the IP Allow list is exempt from processing by other Exchange
antispam agents.
You manually maintain the IP addresses in the IP Allow list. You can add individual IP addresses or IP address
ranges. You can specify an expiration time that specifies how long the IP address entry will be allowed. When the
expiration time is reached, the entry in the IP Allow list is disabled.
For absolute value types, the IP Block List provider returns explicit responses that define why the IP address is
defined in their block lists. The following table shows examples of absolute values and the explicit responses.
Values and status codes for absolute value data types
VALUE EXPLICIT RESPONSE
Connection filtering is an antispam feature that's provided by the Connection Filtering agent, which is available
only on Edge Transport servers in Exchange Server. Connection filtering enables the following features:
IP Block list
IP Block List providers
IP Allow list
IP Allow List providers
Each of these features can be enabled or disabled separately.
For more information about connection filtering, see Connection filtering on Edge Transport servers.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
To make the change take effect, restart the Microsoft Exchange Transport service by running the following
command:
Restart-Service MSExchangeTransport
Use the Exchange Management Shell to enable or disable the IP Block list
To disable the IP Block list, run the following command:
This example configures the IP Block list with the following settings:
The IP Block list filters incoming connections from internal and external mail servers. By default,
connections are filtered from external mail servers only (ExternalMailEnabled is set to $true , and
InternalMailEnabled is set to $false ). Non-authenticated connections and authenticated connections from
external partners are considered external.
The custom response text for connections that were filtered by IP addresses that were automatically added
to the IP Block list by the sender reputation feature of the Protocol Analysis agent is set to the value
"Connection from IP address {0} was rejected by sender reputation."
The custom response text for connections that were filtered by IP addresses that were manually added to
the IP Block list is set to the value "Connection from IP address {0} was rejected by connection filtering."
Get-IPBlockListEntry
Note that each IP Block list entry is identified by an integer value. The identity integer is assigned in ascending
order when you add entries to the IP Block list and the IP Allow list.
To view a specific IP Block list entry, use the following syntax:
For example, to view the IP Block list entry that contains the IP address 192.168.1.13, run the following command:
This example adds the IP Block list entry for the IP address range 192.168.1.10 through 192.168.1.15 and
configures the IP Block list entry to expire on July 4, 2018 at 15:00.
Get-IPBlockListEntry
Remove-IPBlockListEntry <IdentityInteger>
This example removes the IP Block list entry that has the Identity value 3.
Remove-IPBlockListEntry 3
This example removes the IP Block list entry that contains the IP address 192.168.1.12 without using the Identity
integer value. Note that the IP Block list entry can be an individual IP address or an IP address range.
Get-IPBlockListEntry
Use the Exchange Management Shell to configure all IP Block List providers
To configure how connection filtering uses all IP Block List providers, use the following syntax:
This example configures all IP Block List providers with the following settings:
IP Block List providers filter incoming connections from internal and external mail servers. By default,
connections are filtered from external mail servers only (ExternalMailEnabled is set to $true , and
InternalMailEnabled is set to $false ). Non-authenticated connections and authenticated connections from
external partners are considered external.
Messages sent to the internal recipients chris@fabrikam.com and michelle@fabrikam.com are excluded
from filtering by IP Block List providers. Note that if you want to add recipients to the list without affecting
existing recipients, use the syntax, @{Add="<recipient1>","<recipient2>"...} .
Get-IPBlockListProvider
Get-IPBlockListProvider <IPBlockListProviderIdentity>
This example show the details of the provider named Contoso IP Block List Provider.
Add-IPBlockListProvider -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-Enabled <$true
| $false>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch
<IPAddressStatusCode1,IPAddressStatusCode2...>] [-RejectionResponse "<Custom Text>"]
This example creates an IP Block List provider named "Contoso IP Block List Provider" with the following options:
FQDN to use the provider: rbl.contoso.com
Bitmask code to use from the provider: 127.0.0.1
NOTE
When you add a new IP Block List provider, it's enabled by default (the value of Enabled is $true ), and the priority value is
incremented (the first entry has the Priority value 1).
Get-IPBlockListProvider
Use the Exchange Management Shell to enable or disable an IP Block List provider
To enable or disable a specific IP Block List provider, use the following syntax:
This example disables the provider named Contoso IP Block List Provider.
This example enables the provider named Contoso IP Block List Provider.
For example, to add the IP address status code 127.0.0.1 to the list of existing status codes for the provider named
Contoso IP Block List Provider, run the following command:
This example tests the provider named Contoso IP Block List Provider by looking up the IP address 192.168.1.1.
Test-IPBlockListProvider "Contoso IP Block List Provider" -IPAddress 192.168.1.1
Remove-IPBlockListProvider <IPBlockListProviderIdentity>
This example removes the IP Block List provider named Contoso IP Block List Provider.
Get-IPBlockListProvider
This example configures the IP Allow list to filter incoming connections from internal and external mail servers. By
default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true , and
InternalMailEnabled is set to $false ). Non-authenticated connections and authenticated connections from
external partners are considered external.
Get-IPAllowListEntry
Note that each IP Allow list entry is identified by an integer value. The identity integer is assigned in ascending
order when you add entries to the IP Block list and the IP Allow list.
To view a specific IP Allow list entry, use the following syntax:
For example, to view the IP Allow list entry that contains the IP address 192.168.1.13, run the following command:
NOTE
When you use the IPAddress parameter, the resulting IP Allow list entry can be an individual IP address, an IP address range,
or a Classless InterDomain Routing (CIDR) IP. To use the Identity parameter, you specify the integer value that's assigned to
the IP Allow list entry.
This example adds the IP Allow list entry for the IP address range 192.168.1.10 through 192.168.1.15 and
configures the IP Allow list entry to expire on July 4, 2018 at 15:00.
Get-IPAllowListEntry
Remove-IPAllowListEntry <IdentityInteger>
This example removes the IP Allow list entry that has the Identity value 3.
Remove-IPAllowListEntry 3
This example removes the IP Allow list entry that contains the IP address 192.168.1.12 without using the Identity
integer value. Note that the IP Allow list entry can be an individual IP address or an IP address range.
Get-IPAllowListEntry
Use the Exchange Management Shell to configure all IP Allow List providers
To configure how connection filtering uses all IP Allow List providers, use the following syntax:
This example configures all IP Allow List providers to filter incoming connections from internal and external mail
servers. By default, connections are filtered from external mail servers only (ExternalMailEnabled is set to $true ,
and InternalMailEnabled is set to $false ). Non-authenticated connections and authenticated connections from
external partners are considered external.
Get-IPAllowListProvider
Get-IPAllowListProvider <IPAllowListProviderIdentity>
This example show the details of the provider named Contoso IP Allow List Provider.
Get-IPAllowListProvider "Contoso IP Allow List Provider" | Format-List
Name,Enabled,Priority,LookupDomain,*Match
Add-IPAllowListProvider -Name "<Descriptive Name>" -LookupDomain <FQDN> [-Priority <Integer>] [-Enabled <$true
| $false>] [-AnyMatch <$true | $false>] [-BitmaskMatch <IPAddress>] [-IPAddressesMatch
<IPAddressStatusCode1,IPAddressStatusCode2...>]
This example creates an IP Allow List provider named "Contoso IP Allow List Provider" with the following options:
FQDN to use the provider: allow.contoso.com
Bitmask code to use from the provider: 127.0.0.1
NOTE
When you add a new IP Allow List provider, it's enabled by default (the value of Enabled is $true ), and the priority value is
incremented (the first entry has the Priority value 1).
Get-IPAllowListProvider
Use the Exchange Management Shell to enable or disable an IP Allow List provider
To enable or disable a specific IP Allow List provider, use the following syntax:
This example disables the provider named Contoso IP Allow List Provider.
This example enables the provider named Contoso IP Allow List Provider.
For example, to add the IP address status code 127.0.0.1 to the list of existing status codes for the provider named
Contoso IP Allow List Provider, run the following command:
This example tests the provider named Contoso IP Allow List Provider by looking up the IP address 192.168.1.1.
Remove-IPAllowListProvider <IPAllowListProviderIdentity>
This example removes the IP Allow List provider named Contoso IP Allow List Provider.
Get-IPAllowListProvider
Recipient filtering on Edge Transport servers
8/23/2019 • 4 minutes to read • Edit Online
Recipient filtering is an antispam feature in Exchange Server that relies on the RCPT TO SMTP header to
determine what action, if any, to take on an inbound message. Recipient filtering is performed by the Recipient
Filter agent, and is basically unchanged from Exchange Server 2010.
For more information about how to configure the Recipient Filter agent, see Recipient filtering procedures on
Edge Transport servers.
The Recipient Filter agent blocks messages according to the characteristics of the intended recipient in the
organization. The Recipient Filter agent can help you prevent the acceptance of messages in the following
scenarios:
Nonexistent recipients: You can prevent delivery to recipients that aren't in the organization's address
book. For example, you may want to stop delivery to frequently misused account names, such as
administrator@contoso.com or support@contoso.com.
Restricted distribution groups: You can prevent delivery of Internet mail to distribution groups that
should be used only by internal users.
Mailboxes that should never receive messages from the Internet: You can prevent delivery of
Internet mail to a specific mailbox or alias that's typically used inside the organization, such as Helpdesk.
The Recipient Filter agent acts on recipients from one or both of the following data sources:
Recipient Block list: An administrator-defined list of recipients who should never receive messages from
the Internet.
Recipient Lookup: Queries Active Directory to verify that the recipient exists in the organization. On an
Edge Transport server, Recipient Lookup requires access to Active Directory information that's provided by
EdgeSync to the local instance of Active Directory Lightweight Directory Services (AD LDS ). For more
information, see Edge Subscriptions.
When you enable the Recipient Filter agent, one of the following actions is taken on inbound messages according
to the characteristics of the recipients. These recipients are indicated by the RCPT TO header.
If the inbound message contains a recipient that is on the Recipient Block list, the Exchange server sends a
550 5.1.1 User unknown SMTP session error to the sending server.
If the inbound message contains a recipient that doesn't match any recipients in Recipient Lookup, the
Exchange server sends a 550 5.1.1 User unknown SMTP session error to the sending server.
If the recipient isn't on the Recipient Block list and the recipient is found in Recipient Lookup, the Exchange
server sends a 250 2.1.5 Recipient OK SMTP response to the sending server, and the next antispam agent
in the chain processes the message.
NOTE
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a
Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is
rejected. The Recipient Filter agent is enabled when you install the antispam agents on a Mailbox server, but it isn't
configured to block any recipients. For more information, see Enable antispam functionality on Mailbox servers.
Configuring recipient lookup
One of the most effective ways to reduce spam is to validate recipients before accepting inbound messages from
the Internet. You enable the blocking of messages sent to recipients who don't exist in the Exchange organization,
and the blocking of specific recipients using the Set-RecipientFilterConfig cmdlet in the Exchange Management
Shell. For more information, see Recipient filtering procedures on Edge Transport servers.
Tarpitting functionality
Recipient Lookup functionality enables the sending server to determine whether an email address is valid or
invalid. As mentioned earlier, when the recipient of an inbound message is a known recipient, the Exchange server
sends back a 250 2.1.5 Recipient OK SMTP response to the sending server. This functionality provides an ideal
environment for a directory harvest attack, where a spammer uses an automated program to collect email
addresses that return a 250 2.1.5 Recipient OK SMTP response.
To combat directory harvest attacks, Exchange includes tarpitting functionality. Tarpitting is the practice of
artificially delaying server responses for specific SMTP communication patterns that indicate high volumes of
mail, so that the cost of sending spam increases for the spammer.
If tarpitting isn't configured, the Exchange server immediately returns a 550 5.1.1 User unknown SMTP session
error to the sender when a recipient isn't located in Recipient Lookup. Alternatively, if tarpitting is configured, the
Exchange server waits a specified number of seconds before it returns the 550 5.1.1 User unknown error. This
pause in the SMTP session makes automating a directory harvest attack more difficult and less cost-effective for
the spammer. By default, tarpitting is configured for 5 seconds on Receive connectors.
To configure the delay before SMTP returns the 550 5.1.1 User unknown error, you set the tarpitting interval using
the TarpitInterval parameter on the Set-ReceiveConnector cmdlet. For more information, see Message
throttling on Receive connectors.
Multiple namespaces
The Recipient Filter agent performs recipient lookups only for authoritative domains. If your organization accepts
and forwards messages on behalf of another domain that's configured as an internal relay or external relay
domain, the Recipient Filter agent doesn't perform a recipient lookup on recipients in those domains. However, if
the recipient is specified in the Recipient Block list, the recipient will still be blocked by the Recipient Filter agent.
Note that you can also configure accepted domains locally on an Edge Transport server. If the domain is
configured as internal relay or external relay domain, the Recipient Filter agent on the Edge Transport server also
doesn't perform a recipient lookup on recipients in those domains.
Recipient filtering procedures on Edge Transport
servers
8/23/2019 • 4 minutes to read • Edit Online
Recipient filtering is provided by the Recipient Filter agent. When recipient filtering is enabled on an Exchange
server, it filters inbound messages that come from the Internet but aren't authenticated. These messages are
handled as external messages. For more information about recipient filtering and the Recipient Filter agent, see
Recipient filtering on Edge Transport servers.
Recipient filtering on Edge Transport servers
NOTE
Although the Recipient Filter agent is available on Mailbox servers, you shouldn't configure it. When recipient filtering on a
Mailbox server detects one invalid or blocked recipient in a message that contains other valid recipients, the message is
rejected. If you install the antispam agents on a Mailbox server, the Recipient Filter agent is enabled by default. However, it
isn't configured to block any recipients. For more information, see Enable antispam functionality on Mailbox servers.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard
shortcuts in the Exchange admin center.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
Use the Exchange Management Shell to enable or disable recipient
filtering
To disable recipient filtering, run the following command:
NOTE
When you disable recipient filtering, the underlying Recipient Filter agent is still enabled. To disable the Recipient Filter agent,
run the command: Disable-TransportAgent "Recipient Filter Agent" .
To enable recipient filtering for external connections, run the following command:
To disable recipient filtering for internal connections, run the following command:
This example configures the Recipient Block list with the valuesmark@contoso.com and kim@contoso.com:
To add or remove entries without modifying other existing values, use the following syntax:
Note: Recipient Lookup on an Edge Transport server requires an Edge subscription. For more information, see
Edge Subscriptions.
How do you know this worked?
To verify that you've successfully enabled or disabled Recipient Lookup, run the following command to verify the
RecipientValidationEnabled property value:
Antimalware protection in Exchange Server 2016 helps combat viruses and spyware in your email messaging
environment. Viruses infect other programs and data, and they spread throughout your computer looking for
programs to infect. Spyware gathers personal information (for example, sign-in information and personal data)
and sends it back to its author.
The antimalware protection in Exchange Server was introduced in Exchange 2013, and is provided by the
Transport agent named Malware Agent. The agent scans messages as they travel through the Transport service on
a Mailbox server. You configure malware filtering by using:
Antimalware policies: Specify inbound and outbound scanning and notification options for malware
filtering. There's a default policy that applies to all recipients in the Exchange organization, and you can
create addtional policies that are applied in a specific order.
Antimalware server settings: Specify the error and retry actions, and the engine and definition update
settings for malware filtering. The Malware agent uses Internet access on TCP port 80 (HTTP ) to check for
engine and definition updates every hour.
Antimalware scripts: Enable or disable malware filtering on the server, and manually download engine
and definition updates.
For procedures related to malware filtering, see Procedures for antimalware protection in Exchange Server. For
more information about the antispam features in Exchange Server, see Antispam protection in Exchange Server.
Antimalware policies
Antimalware policies control the actions and notification options for malware detections. The important settings
in antimalware policies are:
Action: Specifies what to do when a message is found to contain malware. The options are:
Delete the message (this is the default value).
Replace all attachments with a text file that contains this default text:
Malware was detected in one or more attachments included with this email. All attachments have
been deleted.
Replace all attachments with a text file that contains the custom text you specify.
Notifications: When an antimalware policy is configured to delete messages, you can choose whether to
send a notification message to the sender. You can send notification messages based on whether the sender
is internal or external. The default notification message has these properties:
From: Postmaster postmaster@ <defaultdomain>.com
Subject: Undeliverable message
Message text: This message was created automatically by mail delivery software. Your email
message was not delivered to the intended recipients because malware was detected.
You can customize the message properties for internal and external notifications. You can also
specify additional recipients (administrators) to receive notifications for undeliverable messages
from internal or external senders.
Recipient filters: For custom antimalware policies, you can specify recipient conditions and exceptions
that determine who the policy applies to. You can use these properties for conditions and exceptions:
By recipient
By accepted domain
By group membership
You can only use a condition or exception once, but the condition or exception can contain multiple
values. Multiple values of the same condition or exception use OR logic (for example, <recipient1>
or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and
<member of group 1>).
Priority: If you create multiple custom antimalware policies, you can specify the order that they're applied.
Antimalware policies in the Exchange admin center vs the Exchange Management Shell
The basic elements of an antimalware policy are:
The malware filter policy: Specifies the action and notification options for malware filtering.
The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a
malware filter policy.
The difference between these two elements isn't obvious when you manage antimalware polices in the Exchange
admin center (EAC ):
When you create an antimalware policy in the EAC, you're actually creating a malware filter rule and the
associated malware filter policy at the same time using the same name for both.
When you modify an antimalware policy in the EAC, settings related to the name, priority, enabled or
disabled, and recipient filters modify the malware filter rule. Other settings (actions and notification
options) modify the associated malware filter policy.
When you remove an antimalware policy from the EAC, the malware filter rule and the associated malware
filter policy are removed.
In the Exchange Management Shell, the difference between malware filter policies and malware filter rules is
apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage
malware filter rules by using the *-MalwareFilterRule cmdlets.
In the Exchange Management Shell, you create the malware filter policy first, then you create the malware
filter rule that identifies the policy that the rule applies to.
In the Exchange Management Shell, you modify the settings in the malware filter policy and the malware
filter rule separately.
When you remove a malware filter policy from the Exchange Management Shell, the corresponding
malware filter rule isn't automatically removed, and vice versa.
Default antimalware policy
Every Mailbox server has a built-in antimalware policy named Default that has these properties:
The malware filter policy named Default is applied to all recipients in the Exchange organization, even
though there's no malware filter rule (recipient filters) associated with the policy.
The policy named Default has the custom priority value Lowest that you can't modify (the policy is always
applied last). Any custom antimalware policies that you create always have a higher priority than the policy
named Default.
The policy named Default is the default policy (the IsDefault property has the value True ), and you can't
delete the default policy.
Antimalware scripts
Exchange includes two Exchange Management Shell scripts that you can use to manage malware filtering:
Disable-Antimalwarescanning.ps1 disables the Malware agent, and malware engine and definition updates
on the Mailbox server.
Enable-Antimalwarescanning.ps1enables the Malware agent, enables malware engine and definition
updates, and runs engine and definition updates on the Mailbox server.
Update-MalwareFilteringServer.ps1 manually runs malware engine and definition updates on the Mailbox
server.
For more information about using these scripts, see Use the Exchange Management Shell to enable or disable
malware filtering on Mailbox servers and Download antimalware engine and definition updates.
Exchange Server includes the Malware Agent that's installed on Mailbox servers. For more information about
malware filtering in Exchange, see Antimalware protection in Exchange Server.
This topic describes the following procedures for managing malware filtering in Exchange:
Disable or enable malware filtering on a Mailbox server
Bypass malware filtering on a Mailbox server
Create antimalware policies
View antimalware policies
Modify antimalware policies
Enable and disable antimalware policies
Set the priority of antimalware policies
Remove antimalware policies
Configure malware filtering to scan messages that were already scanned by Exchange Online Protection
(EOP ).
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
& $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1
To enable malware filtering on the local Mailbox server, run this command in the Exchange Management
Shell:
& $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
Note: The enable script also applies malware engine and definition updates as needed.
2. Restart the Exchange Transport service by running this command, which will temporarily interrupt mail flow
on the server:
Restart-Service MSExchangeTransport
This example creates a new malware filter policy named Contoso Malware Filter Policy with these settings:
Block messages that contain malware (we aren't using the Action parameter, and the default value is
DeleteMessage ).
Don't notify the message sender when malware is detected in the message (we aren't using the
EnableExternalSenderNotifications or EnableInternalSenderNotifications parameters, and the default value
for both is $false ).
Notify the administrator admin@contoso.com when malware is detected in a message from an internal
sender.
This example creates a new malware filter rule named Contoso Recipients with these settings:
The malware filter policy named Contoso Malware Filter Policy is associated with the rule.
The rule applies to recipients in the contoso.com domain.
In the Exchange Management Shell, replace <RuleName> with the name of the malware filter rule, and run
this command to verify the property values:
Use an European Institute for Computer Antivirus Research (EICAR ) test file to verify that the malware filter
is working correctly:
1. Open Notepad, and insert this text (and only this text) into an empty file:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Save the file as EICAR.txt in a location that's easy for you to find, and that's excluded from scanning by your
computer's antivirus program. The file will be 68 bytes in size.
2. Create an email messages, attach the EICAR.txt file to the message, and send the message to a recipient in
your Exchange organization who should be affected by the malware policy.
3. Check the recipient's mailbox to verify that malware filtering acted on the message: the message was
deleted, or the message was delivered with the replacement alert text file for the attachment, and the
notification messages were delivered to the sender and/or administrators.
4. When you're finished, delete the EICAR.TXT file so other users aren't unnecessarily alarmed.
Get-MalwareFilterPolicy
To return detailed information about a specific malware filter policy, use the this syntax:
This example returns all the property values for the malware filter policy named Executives.
Get-MalwareFilterPolicy -Identity "Executives" | Format-List
This example returns only the specified properties for the same policy.
Get-MalwareFilterRule
To return detailed information about a specific malware filter rule, use this syntax:
This example returns all the property values for the malware filter rule named Executives.
This example returns only the specified properties for the same rule.
This example disables the malware filter rule named Marketing Department.
For detailed syntax and parameter information, see Enable-MalwareFilterRule and Disable-MalwareFilterRule.
How do you know this worked?
To verify that you've successfully enabled or disabled an antimalware policy, use either of these procedures:
In the EAC, go to Protection > Malware filter, and in the list of antimalware policies, verify the status of
the check box in the Enabled column.
In the Exchange Management Shell, run this command to see the list of rules and their State property
values:
Get-MalwareFilterRule
Set the priority of antimalware policies
By default, antimalware policies are given a priority that's based on the order they were created in (newer polices
are lower priority than older policies). A lower priority number indicates a higher priority for the policy, and
policies are processed in priority order (higher priority policies are processed before lower priority policies). No
two policies can have the same priority.
Notes:
In the EAC, you can only change the priority of the antimalware policy after you create it. In the Exchange
Management Shell, you can override the default priority when you create the malware filter rule (which can
affect the priority of existing rules).
The default antimalware policy named Default has the priority value Lowest, and you can't change it.
Use the EAC to set the priority of antimalware policies
In the EAC, antimalware policies are processed in the order that they're displayed (the first policy has the Priority
value 0). To change the priority of a policy, move the policy up or down in the list (you can't directly modify the
Priority number in the EAC ).
1. In the EAC, go to Protection > Malware filter.
2. Select a policy, and then click Move up ( ) or Move down ( ) to move the rule up or down in the list.
Use the Exchange Management Shell to set the priority of malware filter rules
The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules.
For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing
rule can have a cascading effect on other rules. For example, if you have five rules (priorities 0 through 4), and you
change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority
3 is changed to priority 4.
To set the priority of a malware filter rule in the Exchange Management Shell, use the following syntax:
This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority
less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).
Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-
MalwareFilterRule cmdlet.
How do you know this worked?
To verify that you've successfully modified the priority of an antimalware policy, use either of these procedures:
In the EAC, go to Protection > Malware filter, and verify the Priority value of the antimalware policies in
the list.
In the Exchange Management Shell, run this command to see the list of rules and their Priority property
values:
Get-MalwareFilterRule
Remove antimalware policies
Note: You can't remove the default antimalware policy.
Use the EAC to remove antimalware policies
When you use the EAC to remove an antimalware policy, the malware filter rule and the corresponding malware
filter policy are both removed.
1. From the EAC, go to Protection > Malware filter.
2. Select the antimalware policy you want to remove from the list, and then click Delete ( ).
Use the Exchange Management Shell to remove malware filter policies
When you use the Exchange Management Shell to remove a malware filter policy, the corresponding malware
filter rule isn't removed.
To remove a malware filter policy in the Exchange Management Shell, use this syntax:
This example removes the malware filter policy named Marketing Department.
This example removes the malware filter rule named Marketing Department:
Get-MalwareFilterPolicy
In the Exchange Management Shell, run this command to verify that the malware filter rule you removed is
no longer listed:
Get-MalwareFilterRule
This example enables scanning for malware in messages that have already been scanned by EOP on the Mailbox
server named Mailbox01.
This example disables scanning for malware in messages that have already been scanned by EOP on the same
server.
Administrators can manually download antimalware engine and definition (signature) updates. We strongly
recommend that you download engine and definition updates before you put the Exchange server into production.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
This example manually downloads the engine and definition updates on the Exchange server named
mailbox01.contoso.com:
Optionally, you can use the EngineUpdatePath parameter to download updates from somewhere other than the
default location of http://forefrontdl.microsoft.com/server/scanengineupdate . You can use this parameter to
specify an alternate HTTP address or a UNC path. If you specify a UNC path, the network service must have
access to the path.
This example manually downloads engine and definition updates on the Exchange server named
mailbox01.contoso.com from the UNC path \\FileServer01\Data\MalwareUpdates :
& $env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1 -Identity mailbox01.contoso.com -
EngineUpdatePath \\FileServer01\Data\MalwareUpdates
Add-PsSnapin Microsoft.Forefront.Filtering.Management.Powershell
2. Use the Get-ProxySettings and Set-ProxySettings cmdlets to view and configure the proxy server
settings that are used to download antimalware updates. The Set-ProxySettings cmdlet uses the following
syntax:
Set-ProxySettings -Enabled <$true | $false> -Server <Name or IP address of proxy server> -Port <TCP
port of proxy server>
For example, to configure antimalware updates to use the proxy server at address 172.17.17.10 on TCP
port 80, run the following command.
When you run Windows antivirus programs on Microsoft Exchange servers, you can help enhance the security and
health of your Exchange organization. However, if they aren't configured correctly, Windows antivirus programs
can cause problems in Exchange Server.
There are two basic components of any Windows antivirus program:
Memory-resident scanning or real-time protection monitors all files and processes that are loaded and
running in a computer's active memory.
File-level scanning refers to checking files on the hard disk for viruses manually or on a regular schedule.
Some antivirus programs start an on-demand scan automatically after the virus signatures are updated to
make sure that all files are scanned with the latest signatures.
The biggest potential problem is a Windows antivirus program might lock or quarantine an open log file or
database file that Exchange needs to modify. This can cause severe failures in Exchange Server, and it might also
generate 1018 event log errors. Therefore, excluding these files from being scanned by the Windows antivirus
program is very important.
Another issues to consider is that Windows antivirus programs can't replace email-based antispam and
antimalware solutions because Windows antivirus programs that run on Windows servers can't detect viruses,
malware, and spam that are distributed only through email.
NOTE
Unified Messaging is not available in Exchange 2019.
FOLDER CATEGORY DESCRIPTION SERVERS
DAGs
%SystemDrive%\DAGFileShareWitnesses\ The witness directory Any
<DAGFQDN> on the witness server
that's configured for
the DAG. The witness
server can be virtually
any Microsoft
Windows server in
the local Active
Directory forest that
isn't already a
member of the DAG.
To see the actual
location, run the
following command:
Get-
DatabaseAvailabilityG
roup <DAGName> |
Format-List *Witness*
MailTips
%ExchangeInstallPath%GroupMetrics Group Metrics files Mailbox servers
that are used to
calculate values for
the Large Audience
and External
Recipients MailTips.
FOLDER CATEGORY DESCRIPTION SERVERS
Mailbox databases
%ExchangeInstallPath%Mailbox Exchange databases, Mailbox servers
checkpoint files, and
log files. By default,
these files are located
in subfolders based
on the name of the
database. To see the
actual locations, run
the following
command: Get-
MailboxDatabase -
Server <ServerName>
| Format-List
EdbFilePath,LogFolder
Path
By default, database
context index files are
located in the same
folder as the database
files in a subfolder
that's named after the
GUID of the database.
EdgeSync
%ExchangeInstallPath%TransportRoles\Data\Adam Active Directory Edge Transport
Lightweight Directory servers
Services (AD LDS) and
log files.
Queues
%ExchangeInstallPath%TransportRoles\Data\Queue Queue database, Mailbox servers
checkpoint, and log Edge Transport
files. servers
Content conversion
%ExchangeInstallPath%TransportRoles\Data\Temp Content conversion Mailbox servers
that's done in the Edge Transport
transport pipeline. servers
Transport logs
%ExchangeInstallPath%TransportRoles\Logs Mail flow and Mailbox servers
transport pipeline Edge Transport
logs are located in servers (Transport
subfolders, for service only)
example:
• Agent logging
• Connectivity logging
• Message tracking
• Pipeline tracing
• Send and Receive
connector protocol
logging
To see the actual
locations, run the
following commands:
Get-TransportService
<ServerName> |
Format-List
*LogPath,*TracingPat
h
Get-
FrontEndTransportSer
vice <ServerName> |
Format-List *LogPath
Get-
MailboxTransportServi
ce <ServerName> |
Format-List
*LogPath,*TracingPat
h
Pickup directory
%ExchangeInstallPath%TransportRoles\Pickup The Pickup directory Mailbox servers
is used by Edge Transport
administrators for servers
mail flow testing or by
applications that need
to create and submit
their own message
files.
To see the actual
location, run the
following command:
Get-TransportService
<ServerName> |
Format-List
PickupDirectoryPath
FOLDER CATEGORY DESCRIPTION SERVERS
Replay directory
%ExchangeInstallPath%TransportRoles\Replay The Replay directory Format-List Mailbox servers
receives messages ReplayDirectoryPath Edge Transport
from foreign gateway servers
servers and can also
be used to resubmit
messages that
administrators export
from the queues of
Exchange servers.
To see the actual
location, run the
following command:
Get-TransportService
<ServerName>
Unified Messaging
%ExchangeInstallPath%UnifiedMessaging\Grammars Grammar files for Exchange 2016
different locales, for Mailbox servers
example en-EN or es-
ES.
Unified Messaging
%ExchangeInstallPath%UnifiedMessaging\Prompts Voice prompts, Exchange 2016
greetings, and Mailbox servers
informational
message files.
Unified Messaging
%ExchangeInstallPath%UnifiedMessaging\Temp Temporary files Exchange 2016
generated by Unified Mailbox servers
Messaging.
Content conversion
%ExchangeInstallPath%Working\OleConverter Transport Neutral Mailbox servers
Encoding Format Edge Transport
(TNEF), also known as servers
Rich Text Format
(RTF), to MIME/HTML
conversions.
Web components
%SystemDrive%\inetpub\temp\IIS Internet Information Mailbox servers
Temporary Compressed Files Services (IIS)
compression folder
that's used with
Outlook on the web.
FOLDER CATEGORY DESCRIPTION SERVERS
Web components
%SystemRoot%\System32\Inetsrv IIS system files. Mailbox servers
Process exclusions
Many antivirus programs support the scanning of processes, which can adversely affect Microsoft Exchange if the
incorrect processes are scanned. Therefore, you should exclude the following Exchange or related processes from
process scanning.
Microsoft.Exchange.Imap4.ex Microsoft
ExchangeInstallPath%FrontEnd\PopImap Exchange IMAP4 Mailbox servers
e service (MSExchangeImap4)
Unified Messaging in Exchange Server 2016 is basically unchanged from Exchange Server 2013. For information
about Exchange 2013 Unified Messaging, see Unified Messaging.
About Exchange documentation
8/23/2019 • 2 minutes to read • Edit Online
You're reading a collection of conceptual and procedural topics organized by subject or by technologies used by
Microsoft Exchange. You can access each topic directly from the table of contents in the left pane, from a link in
another Help topic, from the results of a search, or from your own custom list of favorite topics.
Other information related to Exchange documentation is in Third-party copyright notices.
Additional resources
Looking for more than just documentation? Check out these other Exchange resources:
Exchange Server Downloads: Use this page to download service packs, add-ins, tools, and trial software to
help you optimize your Exchange organization.
Exchange Server Forums: The forum provides a place to discuss Exchange with users and Exchange Team
members.
Exchange Server for Developers: You'll find Exchange developer documentation here.
Support for Microsoft Exchange Server: Check out this page for support resources for multiple versions of
Exchange.
Accessibility for people with disabilities : This topic provides important information about features, products,
and services that help make Microsoft Exchange more accessible for people with disabilities.
Accessibility for people with disabilities
8/23/2019 • 3 minutes to read • Edit Online
Microsoft is committed to making its products and services easier for everyone to use. The following sections
provide information about the features, products, and services that make Microsoft Exchange more accessible for
people with disabilities:
Accessibility features of Exchange
Accessibility features of Exchange Help
Accessibility products and services from Microsoft
NOTE
The information in this section applies only to users who license Microsoft products in the United States. If you obtained this
product outside of the United States, visit the Microsoft Accessibility website for a list of telephone numbers and addresses
for Microsoft support services. You can contact your subsidiary to find out whether the type of products and services
described in this section are available in your area. You can learn more about the accessibility features included in Microsoft
products on the Accessibility in Microsoft Products web site.
Learning Ally
20 Roszel Road
Princeton, NJ 08540
Telephone number from within the United States: (800) 221-4792
Web site: Learning Ally
Microsoft Support Services are subject to the prices, terms, and conditions in place at the time the service is used.
For more information, see Microsoft Support.
Microsoft is committed to protecting your privacy, while delivering software that brings you the performance,
power, and convenience you desire in your personal computing. This privacy statement applies to Microsoft
Exchange Server 2016 and Exchange Server 2019. It focuses on features that communicate with the Internet. It
does not apply to any other online or offline Microsoft sites, products, or services.
Exchange 2016 and Exchange 2019 deliver email, calendaring, contact management, and other online collaboration
functionalities on your PC's, mobile phones, and web browsers.
This privacy statement addresses the deployment and use of Exchange 2016 and Exchange 2019 in an enterprise
network environment. If you use Exchange Server technologies as a service operated by Microsoft or a third party,
please refer to the service-specific privacy and security policies provided by Microsoft or the third party service
provider.
IT administrators of Exchange 2016 and Exchange 2019 may choose to enable or disable certain Internet-enabled
features in Exchange, or to deploy other privacy impacting technologies, based on legal or compliance
considerations or internal policies. You should direct privacy-related requests related to the entity that's providing
your access to Exchange 2016 or Exchange 2019. Microsoft is not responsible for the privacy practices of its
customers or other third parties.