421 4.4.2 Connection dropped due to SocketError during 2003/2010 co-existence


If you notice in the Exchange 2010 event logs or message queues that emails are sticking in the routing group connector between 2010 and 2003 or vice versa, people will always say to check the routing group connector and perform Mail Flow Troubleshooting from the Exchange 2010 console.  What is often missed is that someone may have put an SMTP connection filter on the Exchange 2003 side, so check that too:

  1. In Exchange 2003, open the console
  2. Navigate down the admin group to the Exchange 2003 server
  3. Expand protocols
  4. Check the properties on the SMTP virtual server and make sure that the Exchange 2010 servers are present in the Allowed IP range under the Connection settings (not relay)
  5. The default is to allow connections, but some places lock this list down to specific IP addresses and the 2010 servers need to be on this list if that is the case

Change the Exchange 2010 namespace


If you want to change the domain URL associated with Exchange 2010 (e.g. going from webmail.domain.com to owa.domain.com or even to owa.domain2.com) then the following values need to be updated:

  1. Internal/External DNS values (DNS server)
  2. OWA URL (2010 console on each CAS server)
  3. ECP URL (2010 console on each CAS server)
  4. ActiveSync URL (2010 console on each CAS server)
  5. OAB (2010 console on each CAS server)
  6. Outlook Anywhere URL (2010 console on each CAS server)
  7. EWS (using PowerShell)
  8. Certificate principal name if originally changed from $Null using Set-OutlookProvider
  9. AutodiscoverServiceInternalURI if domain.com is changing (yes, it is URI and not URL)
  10. Outlook CAS array URL value if domain.com is changing
  11. DAG URL value if domain.com is changing

Windows phone 8 devices keep prompting for password when synching to Exchange


With the recent release of Windows Phone 8, there have been problems noticed with the Lumia 920 phone whereby if you are synching to Exchange through TMG or ISA it can keep prompting for a password.  The fix is as below and requires a change to the TMG/ISA server:

  1. Open the web listener for the ActiveSync rule
  2. Open its properties
  3. On the Forms tab select Advanced
  4. UNTICK the box which says Apply session timeout to non-browser clients

You may see that iPhones and other devices work fine, but Windows Phone 8 devices have the above issue.

Use DSACLS to export permissions on a directory object


This is useful if you need to perform some permission changes to an AD object using ADSIEdit or via a console.  DSACLS can be used to export the current permissions, but cannot be used to export those permissions and import them in a disaster recovery scenario.  You would need to modify the output and run specific DSACLS commands against the object or manually set them again.  Therefore, DSACLS is useful mainly as an audit tool to compare before and after permissions.

As an example, to export the current permissions applied to the top level Exchange container, use the following:

DSAcls "\\ldomaincontroller:389\CN=Exchange Org Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com" > c:\admin\perms.txt

The output is not the easiest of logs to read, but with some scripting and editing you can arrange the file into something a bit more user friendly.
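
One way to do that scripting for the before/after audit described above, as an added example that is not from the original post: it folds each multi-line entry of a DSACLS export into one record and reports which entries were added or removed between two exports. The function names, the sample trustees and the assumed text layout (stated in the first comment) are assumptions made for this example.

```powershell
# Added example. Assumed DSACLS text layout: each ACE starts with "Allow" or "Deny",
# the trustee is followed by two or more spaces, and extra rights sit on indented lines.
function ConvertFrom-DsaclsText {
    param([string[]]$Lines)
    $section = ''
    $ace = $null
    foreach ($line in (@($Lines) + 'END')) {        # sentinel line flushes the last ACE
        if ($line -match '^(Allow|Deny)\s+(.+?)\s{2,}(\S.*)$') {
            if ($ace) { $ace }                      # emit the previous ACE
            $ace = [pscustomobject]@{
                Section = $section; Type = $Matches[1]
                Trustee = $Matches[2]; Rights = $Matches[3].Trim()
            }
        }
        elseif ($ace -and $line -match '^\s+(\S.*)$') {
            $ace.Rights += '; ' + $Matches[1].Trim()   # continuation line: another right
        }
        elseif ($line -match '^\S') {               # any other heading, e.g. "Access list:"
            if ($ace) { $ace; $ace = $null }
            $section = $line.Trim().TrimEnd(':')
        }
    }
}

function Compare-DsaclsExport {
    param([string[]]$Before, [string[]]$After)
    $old = @(ConvertFrom-DsaclsText $Before)
    $new = @(ConvertFrom-DsaclsText $After)
    Compare-Object $old $new -Property Section, Type, Trustee, Rights |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
            Section, Type, Trustee, Rights
}

# Constructed sample exports (not real output from any environment).
$before = @'
Access list:
Allow DOMAIN\Organization Management      FULL CONTROL
Allow NT AUTHORITY\Authenticated Users    SPECIAL ACCESS
                                          READ PROPERTY
The command completed successfully
'@ -split "`r?`n"
$after = @'
Access list:
Allow DOMAIN\Organization Management      FULL CONTROL
Allow DOMAIN\svc-backup                   FULL CONTROL
Allow NT AUTHORITY\Authenticated Users    SPECIAL ACCESS
                                          READ PROPERTY
                                          WRITE PROPERTY
The command completed successfully
'@ -split "`r?`n"

Compare-DsaclsExport $before $after | Format-Table -AutoSize
```

Against real exports, pass the output of Get-Content for the two saved files instead of the sample strings. An entry whose rights changed shows up as one Removed row and one Added row for the same trustee.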