Managing Exchange recipients

Exchange Server gives an administrator two options for managing the environment: the Exchange admin center (EAC), which replaces the Exchange Management Console (EMC) and the Exchange Control Panel (ECP) of Exchange 2010, and the Exchange Management Shell (EMS). The EAC is a web browser-based management console that administrators and end users can use to perform various management tasks. Administrative tasks that can be completed in the EAC include managing mailboxes, contacts, groups, and user and administrator roles. However, if you want to perform many tasks or have greater control over the Exchange environment, you need to become familiar with the EMS, especially when performing bulk administration.

EMS has been designed so that you can automate repetitive administrative tasks, and it’s a best practice to become familiar with how EMS can be used in your Exchange organization. EMS is used to manage any Exchange objects, including those in a cloud tenant domain that is linked to an on-premises organization.


Exchange permissions model

Exchange Server offers a large set of predefined permissions based on the Role-Based Access Control (RBAC) model, which you can use to delegate object creation or modify permissions even on an attribute level. RBAC was introduced in Exchange 2010 to allow precise permission management within the Exchange organization for administrators and users.

Active Directory groups in Exchange

During Exchange Setup, Exchange creates a set of groups in the Microsoft Exchange Security Groups organizational unit (OU) of your root domain in Active Directory that are used for assigning permissions to the Exchange system. Table 1 describes these groups and their respective functionality. The table describes only Exchange system groups, not the Default Management Role Groups used to assign RBAC permissions; those are described later in this section.



Autodiscover

Autodiscover is a critical service to understand, because it automatically configures email profiles for Microsoft Outlook email clients and for mobile devices such as smartphones and tablets. It also provides the client URLs for features such as free/busy, Unified Messaging, the Out of Office assistant, shared and site mailboxes, and the OAB. Because Autodiscover information is refreshed when the email client is started and at regular intervals (every 60 minutes), the administrator can move mailboxes without having to manually reconfigure every email client. The interval at which the client is expected to refresh its configuration can be changed with the Set-OutlookProvider cmdlet by setting the TTL parameter to the number of hours for the interval. Some clients, such as Windows Mobile devices, use Autodiscover for initial profile creation but do not refresh the configuration once the profile has been created. Email clients also find the Autodiscover URL differently depending on whether the client has internal or external access. The Autodiscover service is not used by Outlook versions prior to Outlook 2007.


Exchange 2013 Cumulative Update 6 (CU6)

Microsoft released the quarterly servicing update to Exchange Server 2013 – CU6 and updated UM Language Packs. Cumulative Update 6 includes significant improvements in Public Folder scalability and a fix for the HCW issue described in KB2988229. You can read the full blog post at the Exchange Team Blog.

A complete list of reported issues in Exchange Server 2013 CU6 can be found in the Knowledge Base Article KB2961810.

Download Cumulative Update 6 for Exchange Server 2013 (KB2961810).

Exchange 2013 coexistence with legacy Exchange versions and Kerberos authentication

If you would like to use Kerberos authentication during coexistence between Exchange 2010 and Exchange 2013 SP1 to remove the NTLM authentication bottlenecks in large Exchange environments, you have to consider some important things.

Kerberos is not enabled by default in Exchange 2013 SP1 and requires some manual configuration.

Note: Exchange 2013 SP1 proxies connections to Exchange 2007 and Exchange 2010 resources utilizing NTLM authentication.

First, decide whether to reuse the existing Exchange 2010 alternate service account (ASA) with new human-known credentials or to create a new ASA for the Exchange 2013 SP1 organization.

If you reuse the existing Exchange 2010 ASA:

  • Advantage: One ASA serves both the Exchange 2010 and the Exchange 2013 SP1 servers.
  • Disadvantage: You have to use human-known credentials instead of machine-generated credentials.

If you create a new ASA for the Exchange 2013 SP1 organization:

  • Advantage: You can use the .\RollAlternateServiceAccountPassword.ps1 script against Exchange 2013 SP1 multi-role servers.
  • Disadvantage: The Service Principal Names (SPNs) must be moved from the existing Exchange 2010 ASA to the new Exchange 2013 SP1 ASA for every hostname you move from Exchange 2010 to Exchange 2013 SP1.
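One way to carry out the SPN move that the new-ASA option requires, shown as an added example that is not part of the original post. The domain, account names and hostnames are placeholder assumptions; the script uses only the `setspn.exe` switches `-L`, `-D` and `-S`.

```powershell
# Added example, not from the original post. Account names and hostnames are
# placeholders (assumptions); replace them with your own values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $OldAsa    = 'CONTOSO\EXCH2010ASA$',
    [string]   $NewAsa    = 'CONTOSO\EXCH2013ASA$',
    [string[]] $Hostnames = @('mail.contoso.com', 'autodiscover.contoso.com')
)

# Return the SPNs registered on an account by parsing "setspn -L" output.
# SPN lines are indented and have the form class/host[:port]; the header
# line contains spaces and is filtered out by the pattern.
function Get-AccountSpn([string] $Account) {
    & setspn.exe -L $Account |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/]+/[^\s/]+$' }
}

# Select only the SPNs whose host part is one of the hostnames being moved.
$toMove = @(Get-AccountSpn $OldAsa | Where-Object {
    $spnHost = ($_ -split '/', 2)[1] -replace ':\d+$', ''
    $Hostnames -contains $spnHost
})

foreach ($spn in $toMove) {
    if ($PSCmdlet.ShouldProcess($spn, "Move SPN from $OldAsa to $NewAsa")) {
        # Remove first: -S refuses to add an SPN that is still registered
        # on another account, which is what prevents duplicates.
        & setspn.exe -D $spn $OldAsa | Out-Null
        & setspn.exe -S $spn $NewAsa | Out-Null
    }
}

# Verify by re-reading both accounts instead of trusting command output.
if (-not $WhatIfPreference) {
    $onNew = @(Get-AccountSpn $NewAsa)
    $onOld = @(Get-AccountSpn $OldAsa)
    foreach ($spn in $toMove) {
        if ($onNew -notcontains $spn) { Write-Warning "$spn is missing on $NewAsa" }
        if ($onOld -contains $spn)    { Write-Warning "$spn is still on $OldAsa" }
    }
}
```

Run it with `-WhatIf` first to list the SPNs that would move without changing anything.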


Exchange 2013 Cumulative Update 5 (CU5)

Microsoft released the quarterly servicing update to Exchange Server 2013. There is only one new feature: improvements in the OAB management for distributed environments.

You can read the full blog post at the Exchange Team Blog.

A great fix is KB2924519, which repairs the CU2 installation issue in which, when Exchange was installed on a drive other than C (for example D), the empty folder D:\TransportRoles\Logs\SyncHealth\Hub was created.

There are also some changes to the Hybrid Configuration Wizard. You can check out the article from Michael van Horenbeeck at the ENow blog.

The complete list of reported issues is available at the Microsoft support site.