Message Delivery Restrictions to groups -> Only senders in the following list

(Get-DistributionGroup -Identity "Group Name").AcceptMessagesOnlyFrom | Select-Object Name | Export-Csv C:\test.txt -NoTypeInformation

AcceptMessagesOnlyFrom holds only the individually listed senders. Groups that are allowed as senders sit in AcceptMessagesOnlyFromDLMembers, and AcceptMessagesOnlyFromSendersOrMembers shows the combined list; a group with both lists empty and RequireSenderAuthenticationEnabled set to false accepts mail from anyone on the Internet.
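The same check run across every group, as an added example that is not part of the original page: it exports the delivery restrictions of all distribution groups and flags those that unauthenticated senders can reach. It assumes an Exchange 2010 Management Shell session; the output path is an assumption.

```powershell
# Added example (not from the original page): export delivery restrictions for all
# distribution groups and flag groups open to unauthenticated senders.
# Assumes an Exchange 2010 Management Shell session; the output path is an assumption.
$outFile = 'C:\GroupDeliveryRestrictions.csv'

$report = Get-DistributionGroup -ResultSize Unlimited | Select-Object Name,
    @{ n='PrimarySmtpAddress';          e={ $_.PrimarySmtpAddress.ToString() } },
    # $true means only authenticated (internal) senders may reach the group
    RequireSenderAuthenticationEnabled,
    # Explicit allow lists; an empty list means "no restriction on who may send"
    @{ n='AcceptOnlyFrom';              e={ ($_.AcceptMessagesOnlyFrom          | ForEach-Object { $_.Name }) -join ';' } },
    @{ n='AcceptOnlyFromDLMembers';     e={ ($_.AcceptMessagesOnlyFromDLMembers | ForEach-Object { $_.Name }) -join ';' } },
    @{ n='RejectFrom';                  e={ ($_.RejectMessagesFrom              | ForEach-Object { $_.Name }) -join ';' } },
    # Open to anyone: unauthenticated senders allowed and no allow list of either kind
    @{ n='OpenToAnyone';                e={ (-not $_.RequireSenderAuthenticationEnabled) -and
                                            (@($_.AcceptMessagesOnlyFrom).Count -eq 0) -and
                                            (@($_.AcceptMessagesOnlyFromDLMembers).Count -eq 0) } }

$report | Export-Csv -Path $outFile -NoTypeInformation

# Groups that anyone on the Internet can post to: the first candidates for a
# RequireSenderAuthenticationEnabled $true or an explicit allow list.
$report | Where-Object { $_.OpenToAnyone } | Format-Table Name, PrimarySmtpAddress -AutoSize
```

The calculated-property form is used rather than a custom object literal so the script also runs under the PowerShell 2.0 shell that Exchange 2010 ships with.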


Exchange 2010 Server – Authentication Requirements to confirm ActiveSync, EWS, OWA, and RPC over HTTPS functions

These settings apply once Outlook Anywhere, ActiveSync and EWS have already been configured and enabled in the Exchange 2010 Management Console or Shell. For the services to work for end-user workstations and devices, the IIS authentication settings on the Default Web Site's virtual directories must match the list below. Two points to keep in mind: Basic authentication sends the password base64-encoded, not encrypted, so every directory that enables it must also have Require SSL set; and where a setting is exposed by an Exchange cmdlet (Set-OwaVirtualDirectory, Set-EcpVirtualDirectory, Set-WebServicesVirtualDirectory, Set-ActiveSyncVirtualDirectory, Set-AutodiscoverVirtualDirectory, Set-OutlookAnywhere), change it through that cmdlet rather than in IIS Manager, so that the copy Exchange keeps in Active Directory and the copy in IIS stay in step.

Autodiscover
Anonymous Authentication Enabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled

ecp
Anonymous Authentication Enabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled

EWS
Anonymous Authentication Enabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled

Microsoft-Server-ActiveSync
Anonymous Authentication Disabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Disabled

owa
Anonymous Authentication Disabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled

Rpc
Anonymous Authentication Disabled
ASP.NET Impersonation Disabled
Basic Authentication Enabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Disabled

RpcWithCert
Anonymous Authentication Disabled
ASP.NET Impersonation Disabled
Basic Authentication Disabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Disabled

Make sure that the Default Web Site's bindings do NOT have a hostname (or hostname.domainname) assigned to a port and IP address. The hostnames used internally and externally are now configured within the Exchange 2010 Console or Shell (the InternalUrl and ExternalUrl of each virtual directory, and the external hostname of Outlook Anywhere); unlike Exchange 2003, the services no longer depend on IIS for this.

On the Exchange Client Access server, run iisreset from an elevated command prompt to restart the web services so that they pick up the new configuration. This briefly drops every active OWA, ActiveSync and Outlook Anywhere session, so do it in a maintenance window.
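A script that audits the server against the list above, as an added example that is not part of the original page: it reads each virtual directory's authentication settings from IIS, reports every deviation from the baseline, warns where Basic authentication is enabled without Require SSL, and checks the site bindings for host headers. It assumes an elevated PowerShell on the Exchange 2010 Client Access server with the IIS 7.x WebAdministration module, and the site name "Default Web Site".

```powershell
# Added example (not from the original page): audit the Default Web Site against the
# authentication baseline listed above, check Require SSL wherever Basic is on, and
# check the site bindings for host headers.
# Assumptions: elevated PowerShell on the Exchange 2010 CAS, IIS 7.x with the
# WebAdministration module available, site name "Default Web Site".
Import-Module WebAdministration

$site = 'Default Web Site'

# Expected state per virtual directory, transcribed from the list above.
# Anonymous/Basic/Digest/Windows are IIS authentication modules; Forms is the ASP.NET
# <authentication mode="Forms"> setting; Impersonation is ASP.NET <identity impersonate="true">.
$baseline = @{
    'Autodiscover'                = @{ Anonymous=$true;  Basic=$true;  Digest=$false; Windows=$true;  Forms=$false; Impersonation=$false }
    'ecp'                         = @{ Anonymous=$true;  Basic=$true;  Digest=$false; Windows=$true;  Forms=$false; Impersonation=$false }
    'EWS'                         = @{ Anonymous=$true;  Basic=$true;  Digest=$false; Windows=$true;  Forms=$false; Impersonation=$false }
    'Microsoft-Server-ActiveSync' = @{ Anonymous=$false; Basic=$true;  Digest=$false; Windows=$false; Forms=$false; Impersonation=$false }
    'owa'                         = @{ Anonymous=$false; Basic=$true;  Digest=$false; Windows=$true;  Forms=$false; Impersonation=$false }
    'Rpc'                         = @{ Anonymous=$false; Basic=$true;  Digest=$false; Windows=$false; Forms=$false; Impersonation=$false }
    'RpcWithCert'                 = @{ Anonymous=$false; Basic=$false; Digest=$false; Windows=$false; Forms=$false; Impersonation=$false }
}

function Get-IisAttr {
    # Get-WebConfigurationProperty returns a ConfigurationAttribute for most attributes
    # and a plain value for some; normalise to the raw value either way.
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $attr = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($attr -ne $null -and $attr.PSObject.Properties['Value']) { return $attr.Value }
    return $attr
}

function Get-VdirAuthState {
    param([string]$PSPath)   # e.g. IIS:\Sites\Default Web Site\owa
    $auth = 'system.webServer/security/authentication'
    return @{
        Anonymous     = [bool](Get-IisAttr $PSPath "$auth/anonymousAuthentication" 'enabled')
        Basic         = [bool](Get-IisAttr $PSPath "$auth/basicAuthentication"     'enabled')
        Digest        = [bool](Get-IisAttr $PSPath "$auth/digestAuthentication"    'enabled')
        Windows       = [bool](Get-IisAttr $PSPath "$auth/windowsAuthentication"   'enabled')
        Forms         = ("$(Get-IisAttr $PSPath 'system.web/authentication' 'mode')" -eq 'Forms')
        Impersonation = [bool](Get-IisAttr $PSPath 'system.web/identity' 'impersonate')
        # sslFlags reads like "Ssl, SslNegotiateCert" or "None"; \bSsl\b matches only the Require SSL flag
        RequireSsl    = ("$(Get-IisAttr $PSPath 'system.webServer/security/access' 'sslFlags')" -match '\bSsl\b')
    }
}

$findings = @()
foreach ($vdir in $baseline.Keys) {
    $path = "IIS:\Sites\$site\$vdir"
    if (-not (Test-Path $path)) { $findings += "$vdir : virtual directory not found"; continue }
    $actual = Get-VdirAuthState -PSPath $path
    foreach ($setting in $baseline[$vdir].Keys) {
        if ($actual[$setting] -ne $baseline[$vdir][$setting]) {
            $findings += ('{0} : {1} is {2}, baseline says {3}' -f $vdir, $setting, $actual[$setting], $baseline[$vdir][$setting])
        }
    }
    # Basic authentication carries the password base64-encoded, so it must be TLS-only.
    if ($actual.Basic -and -not $actual.RequireSsl) {
        $findings += "$vdir : Basic authentication is enabled but Require SSL is not set"
    }
}

# Host headers belong to the Exchange configuration, not to the IIS site bindings.
foreach ($b in Get-WebBinding -Name $site) {
    $hostHeader = ($b.bindingInformation -split ':')[2]   # bindingInformation is IP:port:hostheader
    if ($hostHeader) { $findings += ('binding {0} carries host header "{1}"' -f $b.bindingInformation, $hostHeader) }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$site matches the baseline." }
```

Run it before and after the iisreset: any warning after the reset means the change did not take, or was made in a place Exchange later overwrote.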

Hiding Distribution Group Membership – Exchange 2010

This feature is not available natively in Exchange 2010. Because of the way permissions are assigned in later versions of Exchange it was removed, and it was never a sound way of achieving the end result anyway: looking at a user in the GAL still shows which groups they are a member of, so hiding the group's member list only hides one of two views of the same data.

The replacement Microsoft provides is Dynamic Distribution Groups. Their membership is not stored as a member list but computed from an LDAP filter on user attributes by the Hub Transport server when it expands the group at delivery time, so there is no static membership for a client to display.

If you do not wish to convert to dynamic groups, there is an alternative: the distribution group object carries an attribute named hideDLMembership, editable with ADSIEdit, which when set to TRUE prevents Outlook and OWA from expanding the group's membership. Note that this only affects the group-side view; the user-side view (the memberOf attribute on each member) is unchanged, which is exactly the weakness described above.
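The same change made from the Exchange Management Shell instead of ADSIEdit, as an added example that is not part of the original page: it sets hideDLMembership on the group through the ADSI LDAP provider, reads the value back, and then shows that every member's memberOf still reveals the group. It assumes an Exchange 2010 Management Shell session; the group name is an assumption.

```powershell
# Added example (not from the original page): set hideDLMembership on a distribution
# group via ADSI, verify it, and show that memberOf on each member still exposes the group.
# Assumes an Exchange 2010 Management Shell session; the group name is an assumption.
$groupName = 'Board Members'

$group = Get-DistributionGroup -Identity $groupName
$dn    = $group.DistinguishedName

# Write the attribute directly on the AD object (what ADSIEdit does by hand).
$adObj = [ADSI]"LDAP://$dn"
$adObj.Put('hideDLMembership', $true)
$adObj.SetInfo()

# Read it back from a fresh bind so we see what is stored, not the cached write.
$check = [ADSI]"LDAP://$dn"
'hideDLMembership on {0}: {1}' -f $group.Name, $check.Properties['hideDLMembership'].Value

# What the attribute does NOT do: hide the relationship from the member's side.
# Each member still lists the group in memberOf, which Outlook shows on the user's GAL entry.
Get-DistributionGroupMember -Identity $groupName | ForEach-Object {
    $memberOf = ([ADSI]"LDAP://$($_.DistinguishedName)").Properties['memberOf'].Value
    '{0}: group still visible in memberOf = {1}' -f $_.Name, (@($memberOf) -contains $dn)
}
```

The second half is the point: the attribute hides the list in Outlook and OWA, not in the directory, so anyone with LDAP read access (which is every domain user by default) still sees the membership.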

Attempting to expand the DL membership in Outlook will give the following error message:

Exchange 2007 Logs

Connectivity
Connectivity logging records the connection activity of the outgoing message delivery queues that exist on computers that have the Hub Transport server role or Edge Transport server role installed. The purpose of the connectivity log is not to track the transmission of individual e-mail messages. The connectivity log tracks the connection activity from the sending queue to the destination Mailbox server, smart host, or domain.

Agent
Agent logs record the actions that are performed on a message by specific anti-spam agents that are installed and configured on a computer that is running Microsoft Exchange Server 2007 that has the Edge Transport server role or the Hub Transport server role installed.

Message Tracking
A message tracking log is a detailed log of all message activity as messages are transferred to and from a computer that is running Microsoft Exchange Server 2007 and that has the Hub Transport server role, the Mailbox server role, or the Edge Transport server role installed. Exchange servers that have the Client Access server role or Unified Messaging server role installed don’t have message tracking logs. You use message tracking logs for message forensics, mail flow analysis, reporting, and troubleshooting.

Protocol Logs
Protocol logging records the Simple Mail Transfer Protocol (SMTP) conversations that occur between e-mail servers as part of message delivery. These SMTP conversations occur on Send connectors and Receive connectors that are configured on Microsoft Exchange Server 2007 servers that have the Hub Transport server role or the Edge Transport server role installed. You can use protocol logging to diagnose mail flow problems.

A single SMTP conversation that represents the sending or receiving of a single e-mail message generates multiple SMTP events. These SMTP events cause multiple lines to be written to the protocol log. Multiple SMTP conversations that represent the sending or receiving of multiple e-mail messages can occur at the same time. This creates protocol log entries from different SMTP conversations that are interspersed. However, it is easy to use the session-id and sequence-number fields to sort the protocol log entries by SMTP conversation.
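A parser that does that sorting, as an added example that is not part of the original page: it reads a Receive connector protocol log, regroups the interspersed lines by session-id, orders each conversation by sequence-number, and then flags sessions from non-internal addresses that claim a sender in the local domain. The log text is constructed in the Exchange 2007 protocol log layout (not a real capture); the internal address prefix and the accepted domain are assumptions.

```powershell
# Added example (not from the original page): rebuild SMTP conversations from an
# interspersed protocol log using session-id and sequence-number, then flag
# external sessions that claim a sender in the local accepted domain.
# The log below is constructed in the Exchange 2007 layout; it is not a real capture.
# The internal prefix and the local domain are assumptions.
$internalPrefix = '10.'
$localDomain    = 'contoso.com'

$logText = @'
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2009-03-10T09:15:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2009-03-10T09:15:00.100Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,0,192.168.1.5:25,10.0.0.7:2839,+,,
2009-03-10T09:15:00.150Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,0,192.168.1.5:25,203.0.113.9:51002,+,,
2009-03-10T09:15:00.200Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,1,192.168.1.5:25,10.0.0.7:2839,>,"220 hub1.contoso.com Microsoft ESMTP MAIL Service ready at Tue, 10 Mar 2009 09:15:00 +0000",
2009-03-10T09:15:00.210Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,1,192.168.1.5:25,203.0.113.9:51002,>,"220 hub1.contoso.com Microsoft ESMTP MAIL Service ready at Tue, 10 Mar 2009 09:15:00 +0000",
2009-03-10T09:15:00.300Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,2,192.168.1.5:25,10.0.0.7:2839,<,EHLO app01.contoso.com,
2009-03-10T09:15:00.310Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,2,192.168.1.5:25,203.0.113.9:51002,<,EHLO mail.example.net,
2009-03-10T09:15:00.400Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,3,192.168.1.5:25,10.0.0.7:2839,<,MAIL FROM:<alerts@contoso.com>,
2009-03-10T09:15:00.410Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,3,192.168.1.5:25,203.0.113.9:51002,<,MAIL FROM:<ceo@contoso.com>,
2009-03-10T09:15:00.500Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,4,192.168.1.5:25,203.0.113.9:51002,<,RCPT TO:<finance@contoso.com>,
2009-03-10T09:15:00.510Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,5,192.168.1.5:25,203.0.113.9:51002,>,250 2.1.5 Recipient OK,
2009-03-10T09:15:00.600Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,4,192.168.1.5:25,10.0.0.7:2839,<,RCPT TO:<ops@contoso.com>,
2009-03-10T09:15:00.700Z,HUB1\Default HUB1,08C9CC2C1BA6F6BC,5,192.168.1.5:25,10.0.0.7:2839,-,,Local
2009-03-10T09:15:00.710Z,HUB1\Default HUB1,08C9CC2C1BA6F6BD,6,192.168.1.5:25,203.0.113.9:51002,-,,Local
'@

function Get-ProtocolLogSessions {
    param([string]$Text)
    $lines = $Text -split "`r?`n"
    # The #Fields header names the CSV columns; the other # lines are metadata.
    $fieldLine = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields    = ($fieldLine -replace '^#Fields:\s*', '') -split ','
    $entries   = $lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    foreach ($session in ($entries | Group-Object -Property 'session-id')) {
        # sequence-number counts per session, so sorting on it restores that conversation's order
        $ordered  = @($session.Group | Sort-Object { [int]$_.'sequence-number' })
        $received = $ordered | Where-Object { $_.event -eq '<' }   # '<' = received from the remote side
        $mailFrom = @($received | Where-Object { $_.data -match '^MAIL FROM:' } | ForEach-Object { $_.data -replace '^MAIL FROM:\s*', '' })
        $rcptTo   = @($received | Where-Object { $_.data -match '^RCPT TO:' }   | ForEach-Object { $_.data -replace '^RCPT TO:\s*', '' })
        New-Object PSObject -Property @{
            SessionId      = $session.Name
            RemoteEndpoint = $ordered[0].'remote-endpoint'
            Events         = $ordered.Count
            MailFrom       = ($mailFrom -join ' ')
            Recipients     = ($rcptTo -join ' ')
            Transcript     = @($ordered | ForEach-Object { '{0,3} {1} {2}' -f $_.'sequence-number', $_.event, $_.data })
        }
    }
}

$sessions = Get-ProtocolLogSessions -Text $logText
$sessions | Format-Table SessionId, RemoteEndpoint, Events, MailFrom, Recipients -AutoSize

# Forensics check: our own domain in MAIL FROM arriving from a non-internal address is either
# a legitimate external relay or spoofing; either way the full conversation deserves a look.
$suspect = $sessions | Where-Object {
    -not $_.RemoteEndpoint.StartsWith($internalPrefix) -and $_.MailFrom -match "@$([regex]::Escape($localDomain))>"
}
foreach ($s in $suspect) {
    Write-Warning ('Session {0} from {1} claims sender {2}' -f $s.SessionId, $s.RemoteEndpoint, $s.MailFrom)
    $s.Transcript | ForEach-Object { Write-Host "    $_" }
}
```

On the constructed log this flags session 08C9CC2C1BA6F6BD (203.0.113.9 sending as ceo@contoso.com) and prints its seven ordered events, while the internal session from 10.0.0.7 passes. Replace `$logText` with `Get-Content` of a real RECV*.LOG file to run it against production data.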


Disable ESMTP (BDAT) on Send Connector

Symptom: sending to a few domains fails with 421 4.4.2 Connection dropped.

BDAT is the command of the SMTP CHUNKING extension, one of the ESMTP extensions that a server advertises in its EHLO reply and that Exchange 2007 negotiates with the remote server on every outbound session. You can see what any server advertises by connecting to it on port 25 with telnet and issuing EHLO. The error above comes from the small number of remote servers that advertise extensions they then mishandle and drop the connection; since so few domains are affected, no change to Exchange 2007 is needed unless you are actually seeing it.


The fix is to make the Send connector greet with HELO instead of EHLO. That disables every ESMTP extension on that connector, not only CHUNKING/BDAT but also SIZE, 8BITMIME, PIPELINING and STARTTLS, since all of them are only ever advertised in the EHLO reply; mail through that connector therefore also goes without opportunistic TLS. Because the setting is per connector, apply it to a dedicated Send connector whose address space covers only the affected domains rather than to the connector that carries all Internet mail. On the Hub Transport server, run:

Set-SendConnector -Identity "<name of your send connector>" -ForceHELO $true
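The telnet check scripted, plus the scoped form of the workaround, as an added example that is not part of the original page: the first part connects to a remote MTA, issues EHLO and returns the advertised extension keywords; the second creates a dedicated Send connector with ForceHELO for the one affected domain. It assumes it is run from the Exchange Management Shell on a Hub Transport server; the remote domain, HELO name, connector name and server name are placeholders.

```powershell
# Added example (not from the original page): list what a remote MTA advertises in
# its EHLO reply, then scope the HELO-only workaround to a dedicated Send connector.
# Assumptions: run in the Exchange Management Shell on a Hub Transport server;
# example.net, hub1.contoso.com, the connector name and HUB1 are placeholders.
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # An SMTP reply is one or more lines: "250-..." continues, "250 ..." ends it.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line -match '^\d{3}-')
    return ,$lines
}

function Get-SmtpEhloExtensions {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = 'hub1.contoso.com')
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName")
        $reply  = Read-SmtpReply $reader
        $writer.WriteLine('QUIT')
        $null   = Read-SmtpReply $reader

        # First line is the greeting (250-hostname); the rest are "250-KEYWORD [params]".
        $keywords = foreach ($l in ($reply | Select-Object -Skip 1)) {
            (($l -replace '^\d{3}[- ]', '') -split '\s+')[0]
        }
        New-Object PSObject -Property @{ Server = $Server; Banner = ($banner -join ' '); Extensions = @($keywords) }
    }
    finally { $client.Close() }
}

$probe = Get-SmtpEhloExtensions -Server 'mail.example.net'
'{0} advertises: {1}' -f $probe.Server, ($probe.Extensions -join ', ')
if ($probe.Extensions -contains 'CHUNKING') { 'Remote advertises CHUNKING, so BDAT may be used on this route.' }
if ($probe.Extensions -notcontains 'STARTTLS') { 'Remote does not offer STARTTLS; forcing HELO costs nothing on the TLS side here.' }

# Workaround scoped to the problem domain only. Exchange picks the connector with the most
# specific address space, so this one wins for example.net while the Internet connector
# keeps EHLO (and with it SIZE, 8BITMIME, STARTTLS) for everyone else.
New-SendConnector -Name 'HELO-only to example.net' -Usage Custom `
    -AddressSpaces 'SMTP:example.net;1' -DNSRoutingEnabled $true `
    -SourceTransportServers 'HUB1' -ForceHELO $true
```

Re-run the probe after the remote side fixes their server; once it behaves, remove the dedicated connector so the domain gets opportunistic TLS again.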

Finding AD & Exchange schema version

    Active Directory Schema Version

dsquery * cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr objectVersion

    Exchange Schema version

dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=domain,dc=local -scope base -attr rangeUpper


Replace dc=domain,dc=local in both commands with the distinguished name of your own forest root domain; both objects live in the forest-wide schema partition.
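The same two lookups without hardcoding the domain, as an added example that is not part of the original page: it takes the schema naming context from RootDSE, reads objectVersion and rangeUpper through ADSI, and maps the numbers to product versions with a small table (the values are those Microsoft publishes for these releases; check the current list for anything newer). It assumes a shell running as a domain user with a reachable domain controller.

```powershell
# Added example (not from the original page): read the AD and Exchange schema versions
# without hardcoding dc=domain,dc=local, and translate the numbers.
# Assumes a domain user session with a reachable domain controller. The version tables
# cover the releases current for this page; extend them for newer ones.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.Properties['schemaNamingContext'].Value   # CN=Schema,CN=Configuration,DC=...

$adVersion = [int]([ADSI]"LDAP://$schemaNc").Properties['objectVersion'].Value

# The Exchange marker object only exists once the Exchange schema extensions have been applied.
$exVersion = $null
try {
    $exVersion = [int]([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc").Properties['rangeUpper'].Value
}
catch { Write-Warning 'ms-Exch-Schema-Version-Pt not found: the Exchange schema has not been applied to this forest.' }

$adVersions = @{
    30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'
}
$exVersions = @{
    10628 = 'Exchange 2007 RTM'; 11116 = 'Exchange 2007 SP1'
    14622 = 'Exchange 2007 SP2 / Exchange 2010 RTM'; 14625 = 'Exchange 2007 SP3'
    14726 = 'Exchange 2010 SP1'; 14732 = 'Exchange 2010 SP2'; 15312 = 'Exchange 2010 SP3'
}

function Resolve-Version { param([hashtable]$Table, $Value)
    if ($Value -and $Table.ContainsKey($Value)) { return $Table[$Value] }
    return 'unknown (not in table)'
}

'Schema partition : {0}' -f $schemaNc
'AD objectVersion : {0} ({1})' -f $adVersion, (Resolve-Version $adVersions $adVersion)
if ($exVersion) { 'Exchange rangeUpper : {0} ({1})' -f $exVersion, (Resolve-Version $exVersions $exVersion) }
```

Because the schema partition is forest-wide, the values are the same from any domain controller; a lower rangeUpper than expected on a freshly built server means setup /PrepareSchema has not run or has not replicated yet.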