Disabled user account prevents ActiveSync remote wipe from succeeding

It is a common security practice to disable a former employee's user account before wiping their device. But an Exchange ActiveSync remote wipe is only delivered when the target device can still connect and authenticate to Exchange: the wipe command is queued on the server and handed to the device during its next successful sync. If the account is disabled (or its password changed) first, every sync attempt fails with HTTP 401, the wipe stays pending indefinitely, and the mailbox data remains on the device. Issue the wipe first, confirm it was acknowledged, and only then disable the account.

Remote wipe command queued (wipe pending)

The ActiveSync device attempts to connect to the Exchange server while the AD account is disabled or the password is invalid. The attempt fails with HTTP 401 Unauthorized:

10:10:54 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=…&cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 401 1 1326 437

Once the account is enabled again, the ActiveSync device connects to the Exchange server successfully:

10:42:17 10.1.1.10 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 15

The ActiveSync device retrieves the policy update:

10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=…&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 93

The ActiveSync device confirms that the device wipe has started:

10:42:18 10.1.1.10 POST /Microsoft-Server-ActiveSync/default.eas User=jsmith&DeviceId=..&DeviceType=iPhone&Cmd=Provision&CorrelationID=<empty>;&ClientId=… &cafeReqId=…; 443 Contoso\jsmith 10.1.1.20 Apple-iPhone4C1/1206.70 - 200 0 0 62

Device wiped successfully (wipe successful)

Only now should the user account be disabled in Active Directory.

(example logs truncated for readability.)
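The correct order of operations, as an added example that is not part of the original post: queue the wipe, wait for every device to acknowledge it, and only then disable the account. It assumes the Exchange 2013 Management Shell (Clear-MobileDevice / Get-MobileDeviceStatistics; on Exchange 2010 the equivalents are Clear-ActiveSyncDevice / Get-ActiveSyncDeviceStatistics) with the ActiveDirectory module installed; the user name, notification address and timeout are hypothetical values.

```powershell
# Added example, not part of the original post. Assumes Exchange 2013 EMS plus the
# ActiveDirectory module; $User, $NotifyAddress and $TimeoutMinutes are hypothetical.
param(
    [Parameter(Mandatory)] [string] $User,          # sAMAccountName of the leaver
    [string] $NotifyAddress = 'security@contoso.com',
    [int]    $TimeoutMinutes = 240
)
Import-Module ActiveDirectory

# 1. A leaver may have several ActiveSync partnerships; wipe every one of them.
$devices = @(Get-MobileDevice -Mailbox $User)
if ($devices.Count -eq 0) { throw "No ActiveSync partnership found for $User" }
foreach ($d in $devices) {
    Clear-MobileDevice -Identity $d.Identity -NotificationEmailAddresses $NotifyAddress -Confirm:$false
}

# 2. The wipe is delivered on the device's next successful sync, so the account must stay
#    enabled with its current password until DeviceWipeAckTime is populated. Disabling it
#    now is exactly what produces the HTTP 401 in the IIS log above and leaves the wipe pending.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    $pending = @(Get-MobileDeviceStatistics -Mailbox $User |
        Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime })
    foreach ($p in $pending) {
        Write-Host ('{0}: wipe requested {1}, sent {2}, not yet acknowledged' -f $p.DeviceFriendlyName, $p.DeviceWipeRequestTime, $p.DeviceWipeSentTime)
    }
} while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

# 3. Remove access only after every device has confirmed the wipe. If the deadline passed,
#    the mailbox data is still on a device that has not checked in: escalate rather than
#    quietly disabling the account and assuming the wipe happened.
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) device(s) never acknowledged the wipe; $User left enabled, escalate."
} else {
    Disable-ADAccount -Identity $User
    Write-Host "All devices acknowledged the wipe; $User disabled."
}
```

The acknowledgement the script waits for is the same Cmd=Provision round trip shown in the IIS log above. A device that never checks in (powered off, SIM removed, or simply kept offline by whoever holds it) will never acknowledge, so a wipe that is still pending at the deadline has to be treated as a lost device with company data on it, not as a completed offboarding step.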

The WinRM client cannot process the request

Symptoms:

Error message when starting the Exchange 2013 Management Shell (EMS):

VERBOSE: Connecting to EX-LON01.contoso.com.
New-PSSession : [EX-LON01.contoso.com] Connecting to remote server
EX-LON01.contoso.com failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha …
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : -2144108297, PSSessionOpenFailed

Additionally, browsing http://localhost/PowerShell fails with an HTTP 500 error, and in IIS Manager opening the Authentication settings of the PowerShell virtual directory under Default Web Site returns an error about a problem in the virtual directory's web.config file.

Resolution:

After comparing the /PowerShell virtual directory's web.config file with the same file from a working server, it turned out there was an incorrect "<security> </security>" section at a position where it is not allowed.
After removing the section, the /PowerShell virtual directory was accessible again and EMS was able to start and connect to the local server.
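The comparison described above, as an added example that is not part of the original post. The /PowerShell virtual directory is what authenticates every remote EMS session, so its web.config should be treated as a security-sensitive file: diff it against a known-good server, back it up, and remove only what the diff and the structural check agree is wrong. The script assumes Exchange 2013 (the ExchangeInstallPath environment variable is set on Exchange servers); the reference server name and the admin-share path to its copy are hypothetical.

```powershell
# Added example, not part of the original post. $reference (a known-good server's copy,
# reached over an admin share) is a hypothetical path; $broken uses the Exchange 2013 default.
$broken    = Join-Path $env:ExchangeInstallPath 'ClientAccess\PowerShell\web.config'
$reference = '\\EX-LON02\C$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PowerShell\web.config'

# 1. Line-level diff: '=>' marks lines that exist only in the broken file.
Compare-Object (Get-Content $reference) (Get-Content $broken) |
    Where-Object SideIndicator -eq '=>' |
    ForEach-Object { "only in broken copy: $($_.InputObject.Trim())" }

# 2. Structural check. In the IIS schema <security> belongs under <system.webServer>;
#    a <security> element anywhere else, or a second one there, breaks config parsing.
[xml]$cfg = Get-Content $broken -Raw
$misplaced = @($cfg.SelectNodes('//security') | Where-Object { $_.ParentNode.Name -ne 'system.webServer' })
$inPlace   = @($cfg.SelectNodes('//system.webServer/security'))
foreach ($n in $misplaced) { Write-Warning ("<security> found under <{0}>; not allowed there" -f $n.ParentNode.Name) }
if ($inPlace.Count -gt 1)  { Write-Warning "$($inPlace.Count) <security> elements under <system.webServer>; only one is allowed" }

# 3. Back up, remove the misplaced elements, save. IIS reloads web.config on change.
if ($misplaced.Count -gt 0) {
    $backup = "$broken.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item $broken $backup
    foreach ($n in $misplaced) { [void]$n.ParentNode.RemoveChild($n) }
    $cfg.Save($broken)
    "Removed $($misplaced.Count) misplaced <security> element(s); backup at $backup"
}

# 4. Verify the vdir no longer answers 500 (any other status means web.config parses again;
#    an unauthenticated request is expected to be refused, not to succeed).
try   { $code = (Invoke-WebRequest 'http://localhost/PowerShell' -UseBasicParsing).StatusCode }
catch { $code = [int]$_.Exception.Response.StatusCode }
"http://localhost/PowerShell -> HTTP $code"
```

A duplicate <security> under <system.webServer> is not removed automatically, because the script cannot tell which of the two copies is the intended one; the diff output in step 1 is what identifies it, and that one should be removed by hand from the backed-up file.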

Get-Mailbox cmdlet returns value of the legacy msExchHomeServerName attribute

Symptoms:

The PowerShell cmdlets Get-Mailbox, Get-CASMailbox and Get-Recipient return the ServerName property incorrectly.

Example:

Get-Recipient jsmith | fl Name, ServerName, DataBase

Name       : Smith, John
ServerName : EX-LON1
Database   : LON-DB01

# find out which server holds the active copy of the database

Get-MailboxDatabase LON-DB01 | fl Name, Server

Name   : LON-DB01
Server : EX-LON02

Reason:

Get-Mailbox, Get-CASMailbox and Get-Recipient return the value of the legacy msExchHomeServerName attribute, which is populated when the mailbox is created but is no longer updated afterwards, due to a change introduced in Exchange 2010: a database can be active on any DAG member, so the mailbox-to-server binding is not maintained any more. Anything that keys on ServerName (maintenance scripts, log collection, or acquiring data from "the user's server" during an investigation) must resolve the database's current server instead.

More Information:

Exchange 2010: HomeMTA and msExchHomeServerName are not updated on mailboxes.
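The lookup from the example above, generalised to every mailbox in the organisation, as an added example that is not part of the original post. It resolves each mailbox's database to the server that currently owns it (the Server property of Get-MailboxDatabase, as used above) and flags mailboxes whose stale ServerName disagrees. It assumes the Exchange 2013 Management Shell; the function name is my own.

```powershell
# Added example, not part of the original post. Assumes Exchange 2013 EMS.
function Get-MailboxActiveServer {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Mailbox)   # objects from Get-Mailbox
    begin {
        # Resolve each database once: Get-MailboxDatabase's Server property follows the
        # active copy, whereas the recipient's ServerName is the stale msExchHomeServerName.
        $dbServer = @{}
        Get-MailboxDatabase | ForEach-Object { $dbServer[$_.Name] = [string]$_.Server }
    }
    process {
        $active = $dbServer[[string]$Mailbox.Database]
        [pscustomobject]@{
            Name             = $Mailbox.Name
            Database         = [string]$Mailbox.Database
            LegacyServerName = $Mailbox.ServerName     # from msExchHomeServerName, may be stale
            ActiveServer     = $active
            Stale            = ($Mailbox.ServerName -ne $active)   # -ne is case-insensitive
        }
    }
}

# Every mailbox whose recorded server no longer hosts its database.
Get-Mailbox -ResultSize Unlimited | Get-MailboxActiveServer | Where-Object Stale | Format-Table -AutoSize
```

Because the database-to-server map is built once in the begin block, the pipeline costs one Get-MailboxDatabase call rather than one per mailbox, which matters when running it against a large organisation.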

Exchange AD topology does not discover all DC from all AD sites

Symptoms:

Exchange 2013 AD topology discovery runs every 15 minutes and discovers all in-site Domain Controllers/Global Catalogs, but out-of-site Domain Controllers/Global Catalogs are listed from only one other AD site at a time.

The first discovery finds all in-site DC/GCs from the New York site (NY-DC1 and NY-DC2) and lists only the DC/GCs from the London site (LN-DC1 and LN-DC2):

Log Name:      Application
Source:        MSExchange ADAccess
Event ID:      2080
Task Category: Topology
Level:         Information
Keywords:      Classic
Computer:      NY-Ex1.contoso.com
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:
NY-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
NY-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1

Out-of-site:
LN-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
LN-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1

The next discovery again finds all in-site DC/GCs from the New York site (NY-DC1 and NY-DC2) but this time lists only the DC/GCs from the Tokyo site (TK-DC1 and TK-DC2):

Log Name:      Application
Source:        MSExchange ADAccess
Event ID:      2080
Task Category: Topology
Level:         Information
Keywords:      Classic
Computer:      NY-Ex1.contoso.com
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:
NY-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
NY-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1

Out-of-site:
TK-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
TK-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1

Resolution:
This is by design in Exchange 2013.
Previous versions of Exchange discovered all out-of-site Domain Controllers from every other AD site that had a direct site link defined. This was found to be resource-intensive and time-consuming, so starting with Exchange 2013 the topology service randomly selects one other AD site whose Domain Controllers are used if the in-site Domain Controllers become unavailable.
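A parser for the 2080 events quoted above, as an added example that is not part of the original post. Turning the event text into objects makes it easy to see which other site was picked on each discovery cycle and, more usefully from a security standpoint, to spot a DC that Exchange will refuse or only partially use: the healthy rows above read 7 in the Reachability, Synchronized and Netlogon columns and 1 in SACL right and Critical Data (SACL right 0 means the Exchange servers lack the "Manage auditing and security log" right on that DC). The two sample messages are constructed from the events on this page with made-up timestamps; the commented Get-WinEvent call reads the real events on an Exchange 2013 server.

```powershell
# Added example, not part of the original post. Sample messages below are constructed
# from the page's two events; the timestamps are invented.
function ConvertFrom-AdAccess2080 {
    param([Parameter(Mandatory)] [string] $Message, [datetime] $Time = (Get-Date))
    $scope = $null
    foreach ($line in ($Message -split "`r?`n")) {
        $t = $line.Trim()
        if     ($t -eq 'In-site:')     { $scope = 'In-site' }
        elseif ($t -eq 'Out-of-site:') { $scope = 'Out-of-site' }
        elseif ($scope -and $t -match '^(\S+)\s+(\S+)\s+(\d)\s+(\d)\s+(\d)\s+(\d)\s+(\d)\s+(\d)\s+(\d)\s+(\d)\s+(\d+)$') {
            # Columns: Server | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version
            [pscustomobject]@{
                Time = $Time; Scope = $scope; Server = $Matches[1]; Roles = $Matches[2]
                Enabled = [int]$Matches[3]; Reachability = [int]$Matches[4]; Synchronized = [int]$Matches[5]
                GcCapable = [int]$Matches[6]; Pdc = [int]$Matches[7]; SaclRight = [int]$Matches[8]
                CriticalData = [int]$Matches[9]; Netlogon = [int]$Matches[10]; OsVersion = [int]$Matches[11]
            }
        }
    }
}

$samples = @(
    @{ Time = [datetime]'2014-03-01 10:00'; Message = @"
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
NY-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
NY-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
LN-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
LN-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1
"@ },
    @{ Time = [datetime]'2014-03-01 10:15'; Message = @"
In-site:
NY-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
NY-DC2.contoso.com CDG 1 7 7 1 0 1 1 7 1
Out-of-site:
TK-DC1.contoso.com CDG 1 7 7 1 0 1 1 7 1
TK-DC2.contoso.com CDG 1 7 7 1 0 0 1 7 1
"@ }
)
$rows = foreach ($s in $samples) { ConvertFrom-AdAccess2080 -Message $s.Message -Time $s.Time }

# Which other site's DCs were chosen on each cycle (one site at a time, by design in 2013).
$rows | Where-Object Scope -eq 'Out-of-site' | Group-Object Time | ForEach-Object {
    "{0}  out-of-site: {1}" -f $_.Name, ($_.Group.Server -join ', ')
}

# DCs that differ from the healthy values the page's events show; in the constructed sample
# TK-DC2 has SACL right 0, i.e. Exchange cannot write to its security log and will not use it.
$rows | Where-Object { $_.SaclRight -eq 0 -or $_.CriticalData -eq 0 -or $_.Reachability -ne 7 -or $_.Synchronized -ne 7 -or $_.Netlogon -ne 7 } |
    Format-Table Time, Scope, Server, Reachability, Synchronized, SaclRight, CriticalData, Netlogon -AutoSize

# On a live Exchange 2013 server, replace $samples with the real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } -MaxEvents 50 |
#     ForEach-Object { ConvertFrom-AdAccess2080 -Message $_.Message -Time $_.TimeCreated }
```

Keeping a few days of parsed rows is also a cheap way to notice when discovery silently drops a DC (a row that stops appearing) or starts reporting a DC with a degraded flag, which is worth correlating with change records before assuming it is benign.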

Failure: This mailbox database contains one or more mailboxes

Symptom:

Some Exchange databases cannot be removed because an error states that there are still mailboxes in the database.

Get-MailboxDatabase -Server Server1 | Remove-MailboxDatabase

Result:
This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database . To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database -Archive. To get a list of all public folder mailboxes in this database, run the command Get-Mailbox -Database -PublicFolder. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database -Arbitration.

[Remove-MailboxDatabase], AssociatedUserMailboxExistException    + FullyQualifiedErrorId : [Server=Server1,RequestId=26a04655-6a66-4990-9a07-7599f69850d0]….

Resolution:

To identify the mailboxes that are still in the mailbox database, use the -Verbose switch with the Remove-MailboxDatabase cmdlet:

Get-MailboxDatabase -Server Server1 | Remove-MailboxDatabase -Verbose

Result:
VERBOSE: [12:28:53.599 GMT] Remove-MailboxDatabase : Runspace context: Executing user:
Contoso.com/Admins/Administrator, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [12:28:53.599 GMT] Remove-MailboxDatabase : Active Directory session settings for 'Remove-MailboxDatabase' are: View Entire Forest: 'False', Default Scope: 'Contoso.com', Configuration Domain Controller: 'DC1.Contoso.com', Preferred Global Catalog: 'DC1.Contoso.com', Preferred Domain Controllers: '{ DC1.Contoso.com }'
VERBOSE: [12:28:53.599 GMT] Remove-MailboxDatabase : Beginning processing Remove-MailboxDatabase
VERBOSE: [12:28:53.599 GMT] Remove-MailboxDatabase : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
VERBOSE: [12:28:53.615 GMT] Remove-MailboxDatabase : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [12:28:53.615 GMT] Remove-MailboxDatabase : Searching objects "DAG-DB1" of type "MailboxDatabase" under the root "$null".
VERBOSE: [12:28:53.630 GMT] Remove-MailboxDatabase : Previous operation run on domain controller 'DC1.Contoso.com'.
VERBOSE: [12:28:53.646 GMT] Remove-MailboxDatabase : Verifying that there is no associated mailbox user or move request on the mailbox database "DAG-DB1".
VERBOSE: [12:28:53.646 GMT] Remove-MailboxDatabase : Mailbox with DistinguishedName "CN=Doe\,John,OU=Users,DC=Contoso,DC=com" is still present in this database.
VERBOSE: [12:28:53.661 GMT] Remove-MailboxDatabase : Admin Audit Log: Entered Handler:OnComplete.
This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes. To get a list of all …

Note:

The returned DistinguishedName identifies the Active Directory account associated with the mailbox still present in the database.
If the account belongs to a user mailbox, use the Get-Mailbox cmdlet to find out whether its primary mailbox, its archive mailbox, or both are located in the database. Note that the -Verbose output also checks for move requests, so an in-flight move can block removal just as a resident mailbox does.
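All of the lookups the error message lists, plus the move-request check the verbose output mentions, in one pass, as an added example that is not part of the original post. It assumes the Exchange 2013 Management Shell; the function name is my own and the database name is taken from the verbose output above. Get-MailboxPlan is omitted because mailbox plans only exist in hosted deployments.

```powershell
# Added example, not part of the original post. Assumes Exchange 2013 EMS.
function Get-MailboxDatabaseOccupants {
    param([Parameter(Mandatory)] [string] $Database)
    $row  = { param($Kind, $Obj) [pscustomobject]@{ Kind = $Kind; Name = $Obj.DisplayName; Identity = [string]$Obj.Identity } }
    $base = @{ Database = $Database; ResultSize = 'Unlimited'; ErrorAction = 'SilentlyContinue' }
    @(
        Get-Mailbox @base               | ForEach-Object { & $row 'Primary'      $_ }
        Get-Mailbox @base -Archive      | ForEach-Object { & $row 'Archive'      $_ }   # archive lives here, primary may not
        Get-Mailbox @base -Arbitration  | ForEach-Object { & $row 'Arbitration'  $_ }   # system mailboxes, incl. admin audit log
        Get-Mailbox @base -PublicFolder | ForEach-Object { & $row 'PublicFolder' $_ }
        Get-Mailbox @base -Monitoring   | ForEach-Object { & $row 'Monitoring'   $_ }   # Managed Availability health mailboxes
        # Remove-MailboxDatabase -Verbose also checks move requests; an in-flight move pins the database.
        Get-MoveRequest -SourceDatabase $Database -ErrorAction SilentlyContinue | ForEach-Object { & $row 'MoveRequest(source)' $_ }
        Get-MoveRequest -TargetDatabase $Database -ErrorAction SilentlyContinue | ForEach-Object { & $row 'MoveRequest(target)' $_ }
    )
}

$occupants = @(Get-MailboxDatabaseOccupants -Database 'DAG-DB1')
$occupants | Format-Table Kind, Name, Identity -AutoSize

# Only attempt removal once nothing is left; -WhatIf shows what would happen without doing it.
if ($occupants.Count -eq 0) {
    Get-MailboxDatabase -Identity 'DAG-DB1' | Remove-MailboxDatabase -WhatIf
} else {
    Write-Warning "DAG-DB1 still holds $($occupants.Count) object(s); move them first."
}
```

Arbitration mailboxes deserve care: in Exchange 2013 they include the mailbox that stores the admin audit log, so they should be relocated with New-MoveRequest rather than disabled to clear the error, or the audit trail goes with them.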

Outlook client ignores AutoDiscover Site Affinity

Symptoms:
Outlook 2007 or newer clients always connect to the most recently installed Exchange 2007/2010/2013 Client Access server to obtain Autodiscover information, instead of to a Client Access server in the closest Active Directory site.

This happens even though AutoDiscoverSiteScope appears to be properly configured:

Get-ClientAccessServer | ft Name, AutoDiscoverSiteScope
Name            AutoDiscoverSiteScope
----            ---------------------
SRV-01          {SiteA, SiteB}
SRV-02          {SiteC, SiteD}

Cause:
When AutoDiscoverSiteScope was configured with Set-ClientAccessServer, the following syntax was used:

Set-ClientAccessServer -Identity SRV-01 -AutoDiscoverSiteScope "SiteA, SiteB"

However, the underlying Active Directory object (e.g. CN=SRV-01,CN=Autodiscover,CN=Protocols,CN=SRV-01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT), CN=Administrative Groups,CN=First Organization, CN=Microsoft Exchange, CN=Services,CN=Configuration, DC=contoso,DC=com) shows that this syntax is wrong: examined with ADSIEdit, the whole string "SiteA, SiteB" has been stored as a single site name, which matches no real site and is why the table output above looks correct while the scope is actually empty:

Site Affinity is misconfigured

This happens because the Set-ClientAccessServer cmdlet does not validate that each value entered corresponds to an existing Active Directory site; any string is accepted and stored verbatim.

Resolution:
To configure the AutoDiscoverSiteScope option for multiple sites, pass each site name as a separate string (with no space after the comma; a value such as " SiteB" with a leading space would again be stored as a non-existent site):

Set-ClientAccessServer -Identity SRV-01 -AutoDiscoverSiteScope "SiteA","SiteB"

Use ADSIEdit to validate the Active Directory object has the sites listed properly:

Site Affinity is configured correctly
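An audit of every Client Access server's scope against the real site list, as an added example that is not part of the original post, doing the validation the cmdlet itself skips. It assumes the Exchange 2013 Management Shell (on Exchange 2016 and later the cmdlets are Get-/Set-ClientAccessService) running on a domain-joined machine; it reads the forest's sites through .NET so no extra module is needed. Repairs are shown with -WhatIf.

```powershell
# Added example, not part of the original post. Assumes Exchange 2013 EMS on a domain member.
$sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | ForEach-Object Name

# 1. Report every stored entry and say why it is wrong when it is.
$report = foreach ($cas in Get-ClientAccessServer) {
    foreach ($entry in @($cas.AutoDiscoverSiteScope | Where-Object { $_ })) {
        $valid = $sites -contains $entry          # -contains is case-insensitive
        [pscustomobject]@{
            Server    = $cas.Name
            Entry     = "'$entry'"                # quoted so stray whitespace is visible
            ValidSite = $valid
            Problem   = if ($valid) { '' }
                        elseif ($entry -match ',') { 'comma-joined list stored as one site name' }
                        elseif ($entry -ne $entry.Trim()) { 'leading/trailing whitespace' }
                        else { 'no such AD site' }
        }
    }
}
$report | Format-Table -AutoSize

# 2. Repair: split comma-joined values, trim, keep only real sites, write back as an array.
foreach ($cas in Get-ClientAccessServer) {
    $current = @($cas.AutoDiscoverSiteScope | Where-Object { $_ })
    $fixed   = @($current -split ',' | ForEach-Object Trim | Where-Object { $sites -contains $_ } | Sort-Object -Unique)
    if (($current -join '|') -ne ($fixed -join '|')) {
        if ($fixed.Count -eq 0) {
            Write-Warning "$($cas.Name): no valid site left after cleanup; fix by hand"
        } else {
            Set-ClientAccessServer -Identity $cas.Name -AutoDiscoverSiteScope $fixed -WhatIf
        }
    }
}
```

Run the report again after dropping -WhatIf; an entry that is still reported as "no such AD site" is a genuine typo that the split-and-trim step cannot fix.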

homeMTA points to an Active Directory object that has been deleted

Symptoms:

After uninstalling an Exchange server and removing its Active Directory object, Event ID 2937 is logged in the Application log on an Exchange server and/or the warning "One or more Objects properties are pointing to Active Directory deleted objects" is raised in SCOM.

Example event logged in the Application log:
Log Name:      Application
Source:        MSExchange ADAccess
Event ID:      2937
Task Category: Validation
Level:         Warning
Computer:      EX1-LON.adatum.com
Description:
Process powershell.exe (PID=12345). Object [CN=Doe\, John, OU=Users,OU=London, ,DC=Adatum,DC=com]. Property [HomeMTA] is set to value [adatum.com/Configuration/Deleted Objects/Microsoft MTA
DEL:aae571ff-19d3-bbcc-bf8a-eed91e496ea1], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.

SCOM warning:
Process mmc.exe (PID=67890). Object [CN=Doe\, John, OU=Users,OU=London, ,DC=Adatum,DC=com]. Property [HomeMTA] is set to value [adatum.com/Configuration/Deleted Objects/Microsoft MTA
DEL:aae571ff-19d3-bbcc-bf8a-eed91e496ea1], it is pointing to the Deleted Objects container in Active Directory. This property should be fixed as soon as possible.
EventSourceName: MSExchange ADAccess

Knowledge: http://go.microsoft.com/fwlink/?LinkID=67336&id=D00ED0ED-D9B5-48DF-9FF7-32F1A9CC592B

Computer: EX1-LON.adatum.com

Note: the process name can differ depending on which process accessed the object.

Resolution:
The solution recommended in the MS article "One or more Objects properties are pointing to Active Directory deleted objects" generally fixes the issue, except when the object in question also has its msExchHomeServerName attribute pointing to an Exchange server that no longer exists.

In that case running Get-Mailbox <Alias> | Update-Recipient has no effect.
To resolve the issue when both the homeMTA and msExchHomeServerName attributes hold invalid values, run:
$MBX = Get-Mailbox -Identity 'Doe, John'
Set-Mailbox $MBX -Database $MBX.Database -Confirm:$true -Force -Verbose

Source:
http://www.yusufozturk.info/windows-powershell/how-to-fix-incorrect-msexchhomeservername-attribute-after-removing-an-exchange-mailbox.html

Note: the alert might take up to 24 hours to clear in SCOM.
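A sweep for every mailbox affected, as an added example that is not part of the original post, so the stale references are found in one go rather than one 2937 event or SCOM alert at a time. It checks both attributes the section discusses: homeMTA is flagged when it has moved under CN=Deleted Objects (a deleted reference carries a \0ADEL: suffix), and msExchHomeServerName when the server it names is no longer returned by Get-ExchangeServer. The repair branch applies the two fixes from the text, with -WhatIf. It assumes the Exchange 2013 Management Shell with the ActiveDirectory module installed.

```powershell
# Added example, not part of the original post. Assumes Exchange 2013 EMS plus the
# ActiveDirectory module.
Import-Module ActiveDirectory
$servers = Get-ExchangeServer | ForEach-Object Name

$stale = Get-ADUser -LDAPFilter '(msExchHomeServerName=*)' -Properties homeMTA, msExchHomeServerName |
    ForEach-Object {
        # msExchHomeServerName is a legacy DN ending in /cn=<server>; -split is case-insensitive.
        $homeServer = ($_.msExchHomeServerName -split '/cn=')[-1]
        # homeMTA is an AD DN; once the MTA object is gone it points into Deleted Objects.
        $mtaDeleted = [bool]($_.homeMTA -match '\\0ADEL:|CN=Deleted Objects')
        $serverGone = $servers -notcontains $homeServer
        if ($mtaDeleted -or $serverGone) {
            [pscustomobject]@{
                User           = $_.SamAccountName
                HomeServer     = $homeServer
                ServerGone     = $serverGone
                HomeMtaDeleted = $mtaDeleted
                DN             = $_.DistinguishedName
            }
        }
    }
$stale | Format-Table User, HomeServer, ServerGone, HomeMtaDeleted -AutoSize

# Repair, per the text above: Update-Recipient is enough when only homeMTA is stale; when
# the home server is gone as well, re-stamping the mailbox's own database rewrites both.
foreach ($s in $stale) {
    if ($s.ServerGone) {
        $mbx = Get-Mailbox -Identity $s.DN
        Set-Mailbox $mbx -Database $mbx.Database -Force -WhatIf
    } else {
        Get-Mailbox -Identity $s.DN | Update-Recipient -WhatIf
    }
}
```

A non-empty ServerGone column is also worth a second look on its own: a server name that Get-ExchangeServer no longer knows but that recipients still reference usually means the server was removed without a clean uninstall, which is the same condition that leaves orphaned configuration elsewhere in the directory.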