Exchange General FAQ3

  • 1. What is a Direct Trust Certificate?

    When Exchange Server is installed with the Hub or Edge Transport role, a default certificate is created during the installation process. Because Exchange generates the certificate itself, as opposed to a real certificate authority, the certificate is considered to be self-signed. This default certificate becomes the Direct Trust Certificate.

    The Direct Trust Certificate is stored in two locations: the local computer certificate store, and Active Directory, on the Exchange Server object, in a binary field called msExchServerInternalTLSCert (also found on ADAM servers in the case of Edge). The certificate stored in the directory does not provide access to the private key; the private key is only accessible via the local server. If Exchange cannot access the certificate from both locations (AD and the local computer certificate store), there will be mail flow issues between Hub servers and between Hubs and Edge servers.

    2. What is the Direct Trust Certificate used for?

    The Direct Trust Certificate is used by Exchange under very specific conditions:

    • To establish a secure channel between Hub servers within the organization for SMTP traffic. This uses the Microsoft proprietary SMTP extension called X-AnonymousTLS.
    • To establish a secure channel between Hub and Edge servers within the organization for SMTP traffic. Again, this uses X-AnonymousTLS.
    • As a form of authentication, known as Direct Trust, when communicating between Hubs and Edge servers.
    • To establish secure LDAP connections from Hub to Edge for Edge Synchronization.
    • To encrypt and decrypt EdgeSynchronization credentials which are stored in the directory.

    3. How to determine the Direct Trust Certificate?

    In the Exchange Server 2007 RTM version, there is no built-in way to determine the Direct Trust Certificate. If there are multiple certificates installed, any valid certificate has the potential to be the Direct Trust Certificate as long as its CertificateDomains contains the fully qualified domain name of the local computer.

    Here are guidelines that can be used to make an educated guess about which certificate may be the Direct Trust Certificate. The following command may be of use:

    Get-ExchangeCertificate -DomainName <FQDN of local computer> | FL Thumbprint, Status, IsSelfSigned, NotBefore

    Essentially, note all certificates that contain the fully qualified domain name of the local computer, their “Not Before” date, and whether or not they are self-signed. If any of the certificates are not self-signed, then the newest non-self-signed valid certificate is most likely the default. If all of the matching certificates are self-signed, then the newest valid certificate is most likely the default.

    Note: You can’t remove a Direct Trust Certificate using the Remove-ExchangeCertificate command.

    In Service Pack 1, the Get-TransportServer command can be used to retrieve the InternalTransportCertificateThumbprint property to easily determine which certificate is the default.

    4. What is Direct Trust?

    Direct Trust is a form of authentication that occurs via X-AnonymousTLS. It does not occur every time X-AnonymousTLS is negotiated but only when a Hub Transport server is negotiating with an Edge Transport server or vice-versa. Because Direct Trust uses X-AnonymousTLS, the ExchangeServer AuthMechanism must be enabled on any receive connector that is being used with Direct Trust.

    Essentially, the sending server sends a copy of its Direct Trust Certificate to the receiving server. The receiving server checks its Direct Trust Cache to see if the certificate belongs to any of the servers in the cache. The Direct Trust Cache is a list of all Hub and Edge Transport servers that are in the directory, along with some server details and their associated “Direct Trust Certificate”. If the receiving server finds a match, then authentication is successful; otherwise authentication fails.

    When a match is made, the receiving server will associate the session with a SID based on the type of server it matched. In other words, if the sending server is a Hub server the Edge server will associate the session with the “Hub Transport Servers” SID and apply ACLs to the session based on that SID. Edge servers sending to Hubs are associated with the “Edge Transport Servers” SID. In this case, the permissions are not associated with the individual SERVERNAME or “Exchange Servers” group but the SID.

    5. How to troubleshoot Exchange 2007 VSS issues?

    Note: Most VSS issues have been fixed in the service packs (SP), so please ensure that you have applied the latest SP first.

    • Has VSS ever worked before? If it has never worked, it may just be a configuration issue.
    • Gather useful logs for troubleshooting the issue.
    • Look in both the System and Application event logs for errors that may indicate problems with VSS.
    • Use the VSSAdmin tool to run the commands below; it will show error messages if they exist:
      • List Providers
      • List ShadowStorage
      • List Volumes
      • List Writers
    • Usually, we use an Exchange-aware application to do the VSS backup. In order to verify whether the issue is due to the application, we can remove (or disable) the application and use the built-in Windows Server tools to perform a backup for testing.

    Note: In an Exchange 2007 cluster (LCR/CCR), we can use NTBackup on the active node and VSSAdmin on the passive node (please follow the first two steps in this article for VSSAdmin).
    VSS Frequently Asked Questions
    Troubleshooting Exchange 2007 VSS Backups
    Best Practices for Using Volume Shadow Copy Service with Exchange Server 2003

    6. How to determine the maximum number of users per mailbox store in the Exchange Server 2007?

    • There are several values we need to get first:
      • Set the Mailbox Quota for users, which tells how many users can stay in one mailbox store.
      • Calculate the size of White Space for one mailbox; it is about [the average amount of mail sent/received per mailbox per day].

    Note: White Space can be oversized if online maintenance is not completed properly.

      • Calculate the size of the Mailbox Dumpster; it is about [average size of each soft-deleted item X amount of mail sent/received per mailbox per day X Deleted Item Retention setting (14 days by default)].

    Note: It is usually 5 percent of the Mailbox Quota.

    • Now it is time to put all the values above together to obtain our Actual Mailbox Size; the formula for one mailbox is: Mailbox Quota + White Space + Mailbox Dumpster.
    • After we know the actual mailbox size, we can use the maximum recommended database sizes below to calculate the maximum number of users per mailbox store:
      • Databases hosted on a Mailbox server without continuous replication: 100 GB
      • Databases hosted on a Mailbox server with continuous replication and gigabit Ethernet: 200 GB

    7. How to perform bulk management in Exchange?

    Note: Serious problems might occur if you perform the procedure incorrectly. Please familiarize yourself with the methods below in a test lab first, and back up valuable data before executing the task in the production environment.

    • Q: How to convert a Contact into a user mailbox? (Exchange 2003 | Exchange 2007)

       A: Export all contact information into a CSV file to modify, and then import the file to create the mailboxes in bulk.

    • Export the contact information into a CSV file:

    csvde -r "(objectclass=contact)" -f c:\contact.csv

    • Export the user accounts' attributes into another CSV file as a reference:

    csvde -r "(objectclass=user)" -f c:\user.csv

    • Open the user.csv file in Excel and remove the unnecessary columns, keeping only the following:


    • Now copy and paste the contact information from contact.csv into user.csv. For columns that do not exist in contact.csv, refer to the corresponding values of a user object in user.csv to fill them in.

    Note: Lower the password max length and complexity requirements before importing the file.

    • Import the changed user.csv file:

    csvde -i -f c:\userchanged.csv

    • Verify the newly created user accounts in ADUC; ESM will show the user's mailbox after the user has logged in once.

    • Q: How to add users to a Distribution Group in bulk? (Exchange 2007)

       A: Export the user names into a text file, and import the file with the Import-Csv cmdlet.

    • Export the values:

    csvde -r "(objectclass=user)" -l "Name" -f C:\addmember.txt

    • Import the file via the Exchange Management Shell (EMS):

    Import-Csv C:\addmember.txt | ForEach-Object { Add-DistributionGroupMember -Identity DGName -Member $_.Name }
    How to use Csvde to import contacts and user objects into Active Directory
    Using the Import-Csv Cmdlet

    8. How to save the password when using Outlook Anywhere?

    When using Outlook Anywhere, if Basic Authentication is used, you will be prompted for the user's password. The solution to stop the password prompt is to use NTLM on both the Client Access Server and the client side.

    After that, if the password prompt still comes up, please save the password by using the following method on the client:

    a. Run control userpasswords2
    b. Under the Advanced tab, click Manage Passwords
    c. Add the following entry:

    Log on to: *.domainname (such as *

    Username: domain\username

    Password: password

    Then, please restart the client to check whether we still need to provide the password when logging on to Outlook.

    9. How does Autodiscover work to make Outlook 2007 connect to the Exchange server automatically?

    Outlook 2007 is the primary consumer of Autodiscover in Exchange 2007, which enables a first-time connection to an Exchange Server 2007 mailbox to automatically configure a client without having to know the Exchange server name and address. It also enables the client to reconfigure itself automatically and continue functioning without interruption when there is a change in the organization.

    For a domain-connected user, when connecting for the first time and/or creating a new profile, you will see the Account Basics dialog with your e-mail address already populated. Outlook 2007 queries Active Directory for this to work. This step should not be confused with Autodiscover; Outlook performs this Active Directory lookup using its own process. After that, Outlook connects to Autodiscover to request more than just basic connectivity information, such as OOF, OAB, Availability and so on.

    For a non-domain-connected user, when connecting to the Exchange server by using Outlook Anywhere, you will be required to enter your e-mail address and password. Then the other information will be completed by Autodiscover.

    10. How does Outlook 2007 work with an older Exchange server, such as Exchange 2003?

    In an Exchange environment that does not include Microsoft Exchange Server 2007 or later, Outlook still attempts to locate Exchange mailboxes. Active Directory includes a mailbox server property that can be set for each user. If standard Autodiscover attempts fail, Outlook tries to configure simple Exchange connections to an earlier version of Exchange server by using the Exchange mailbox server property.

    The process is as follows:
    1. Automatically retrieve the e-mail address from Active Directory if the machine is domain-joined.
    2. Retrieve the Exchange Server name if found and store it for later.
    3. Look for SCP objects or SCP pointer objects that correspond to the user's e-mail address, find the correct Autodiscover server to connect to, then connect and retrieve settings.
    4. If the previous step fails, attempt DNS discovery of the Autodiscover XML (allowing for 10 redirects):
       a. HTTPS POST: https://DOMAIN/autodiscover/autodiscover.xml
       b. HTTPS POST: https://autodiscover.DOMAIN/autodiscover/autodiscover.xml
       c. HTTP GET: http://autodiscover.DOMAIN/autodiscover/autodiscover.xml (only to follow redirects, not to get settings)
       d. DNS SRV lookup: _autodiscover._tcp.DOMAIN (only to follow the redirect the SRV record points to)
    5. If the previous step fails, attempt local XML discovery and use XML found on the local machine if applicable.
    6. If the previous step fails but an Exchange Server name was found in step 2, configure the Exchange account based on that Exchange Server name.

    11. How does Outlook 2007 find the Autodiscover service?

    Outlook 2007 uses two methods: Service Connection Point (SCP) and DNS (two predefined URLs, HTTP redirection, and SRV).

    12. What is the relationship between Autodiscover and Certificates?

    When Outlook connects to the Autodiscover URL which it has obtained from either an SCP or DNS query, it must process the certificate which resides on the IIS server where the Autodiscover virtual directory is located. The certificate may either be the Exchange Server 2007 self-signed certificate or a regular certificate with a properly published and accessible root certificate.

    For the domain-connected user, if Outlook 2007 obtained the Autodiscover URL by using the SCP method, Outlook considers this to be “safe” and ignores the certificate prompt it receives even if the Exchange Server 2007 self-signed certificate is being used and a root certificate is not present on the local workstation. The prompt does still display if there is a name mismatch.

    For the non-domain-connected user, Outlook uses DNS to determine the Autodiscover URL. This also means that Outlook should not trust a self-signed certificate at all. As a result, Outlook will fail to connect to the Exchange server by using Outlook Anywhere.

    For more information, please refer to the relevant article:


    13. How to update the GAL in Outlook?

    1. Launch Outlook 2007 using any profile.
    2. Hold down the CTRL key on your keyboard and click the Outlook icon in the notification area of the Windows taskbar.
    3. In the menu that appears, click Test E-mail AutoConfiguration.
    4. Enter your e-mail address and password (if not logged into the domain) in the respective edit boxes.
    5. Select all the options.
    6. Click Test to check whether any error is logged there.

    After that, please check the authentication settings of all related virtual directories in IIS Manager:
    1. /EWS: integrated authentication
    2. /Autodiscover: basic and integrated authentication
    3. /OAB: integrated authentication
    More information to share with you:
    How to Update a Global Address List

    If you can see the updated GAL in the Exchange Management Console, and from OWA we can also see the updated GAL, but we cannot see the updated GAL in Outlook?

    It is by design.

    OWA does an LDAP query, which is why it immediately shows the updated display name (immediately is based on a one-DC environment; with multiple DCs, replication will of course take time, at least 15 minutes). Outlook, on the other hand, goes through NSPI. NSPI won't reflect the change until the hierarchy table has been rebuilt. By default this is done every 720 minutes (12 hours). You can try to change it to 1.

    Note: Related parameter on DC is NTDS\Parameters\Hierarchy Table Recalculation interval (minutes).

    Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows.

    Note: After Outlook can see the modified address list, please change the value of Hierarchy Table Recalculation interval (minutes) back to 720.

    14. How to deal with OWA Large GAL crash issues?

    When you search for a contact in a large GAL in OWA, it may crash, since the default value of MaxTempTableSize is 1000. So we need to change MaxTempTableSize on the DC to a value higher than the 10000 default. After that we need to change the value of msExchQueryBaseDN.

    MaxTempTableSize: While a query is processed, the db layer may try to create a temporary database table to sort and select intermediate results from. The MaxTempTableSize limit controls how large this temporary database table can be. If the temporary database table would contain more objects than the value for MaxTempTableSize, the db layer performs a much less efficient parsing of the complete DS database and of all the objects in the DS database.

    msExchQueryBaseDN is the mechanism used to limit certain users to see only a subsection of the address book in OWA. msExchQueryBaseDN is stamped on Active Directory user objects and points to an Address List (AL) or an Organizational Unit (OU). This AL will be used as the Global Address List (GAL) for the user, and the user will see a GAL including only user accounts in this OU. You can set msExchQueryBaseDN using LDAP.

    How to view and set LDAP policy in Active Directory by using Ntdsutil.exe
    How to set the msExchQueryBaseDN attribute for users via powershell
    How to restrict OWA address searches to multiple organizational units


    15. How to Set OWA Language?

    Before Exchange 2007, the HTTP header defined the OWA language, so language settings depended on the client side.

    For Exchange 2007, we can use Set-Mailbox -Identity "mailbox" -Language "fr-FR" to define the OWA user interface language.

    Language setup for a mailbox with Exchange Server 2007

    How to manage Outlook Web Access features in Exchange Server 2003

    XGEN: How Special Folder Names Are Assigned in Outlook Web Access (OWA)

    16. What are the frequently used e-mail attributes when mail is routed in Exchange Server?

    legacyExchangeDn: This attribute is a unique legacy distinguished name which identifies your mailbox. This attribute is mainly used for backwards compatibility for Mail Application Programming Interface (MAPI) clients, for example, /o=org/ou=site/cn=recipients/cn=gyip.
    proxyAddresses: A multi-valued attribute that contains all the e-mail addresses for which you can receive mail. The format of this attribute is PREFIX:proxy, where PREFIX is either SMTP, X400, GWISE, or NOTES, for example,
    targetAddress: This attribute is the e-mail address to which you want to redirect the mail. This attribute is formatted like the proxyAddresses attribute, where a prefix defines the address type, for example, "". The attribute is only for a mail-enabled user or a mail-enabled contact.

    17. How are the legacyExchangeDn and proxyAddresses attributes used when a message is processed by the Exchange server?

    a. When the message is submitted by an SMTP client, the SMTP address is used to submit the message. In addition, the sender and recipient are resolved by searching the proxyAddresses attribute. For example, if the recipient's SMTP domain is configured as an authoritative domain but the recipient e-mail address cannot be found in the proxyAddresses attribute of any user, an NDR message will be generated indicating that the user does not exist. In contrast, if the message is sent to an external recipient but the recipient e-mail address can nevertheless be found in the proxyAddresses attribute of a local user, the message will be delivered to the local user instead of the external recipient.

    b. When the message is submitted by a MAPI client such as Outlook or OWA, the legacyExchangeDn is used to submit the message. Therefore, if the submitted recipient's legacyExchangeDn cannot be found on any AD user object, an NDR message will be generated indicating that the recipient does not exist. The issue can be caused by several factors. You need to check:
    1) Whether the issue occurs when sending a new message or when replying to an old message. If you reply to a message, the MAPI property PR_SENDER_EMAIL_ADDRESS of the original message is used to submit the legacyExchangeDn. If the property does not match the current legacyExchangeDN of the user in AD, the NDR message will be received.
    2) If the issue also occurs when sending a new message, you need to check the NK2 (Outlook Autocomplete) file and the Offline Address Book files, which are used to submit the recipient's legacyExchangeDN. You can rename the NK2 file and run Outlook in Online Mode to narrow down the issue.

    Some related information:


    About Cached Exchange Mode


    18. When is the targetAddress attribute used?

    As I explained, targetAddress is used to redirect mail. The targetAddress attribute can be used when sharing an SMTP mail domain with another system. For example:

    Company A and Company B need to share an SMTP mail domain “”. Therefore, Company A needs to deliver some messages to Company B. According to the previous description, if the domain is configured as an authoritative domain but the recipient e-mail address cannot be found in the proxyAddresses attribute of any user, an NDR message is generated instead of the message being sent to the other organization.

    Based on this situation, we can create a Contact in Company A with a targetAddress attribute like below:


    When an external sender sends a message to the contact's address, Company A's Exchange Server will resolve the recipient and redirect the message to the targetAddress. Then, you can configure a specific SMTP (Send) connector for that domain to send the message to Company B's mail server.


    19. What’s the difference between database online defragment and offline defragment?

    Online Defragmentation

    • Defrags the database online
    • Occurs automatically as part of the database maintenance process
    • Detects and removes database objects that are no longer being used, without changing the file size of the database

    Offline Defragmentation

    • Must dismount the database first
    • Run Eseutil /d manually
    • Reduces the physical size of the Exchange database

    20. How much free space can I reclaim after an offline database defragment?

    1. Check the event log and look for recent occurrences of event 1221.

    Event ID: 1221 - The database name has amount megabytes of free space after online defragmentation has terminated.

    2. Dismount the database and run ESEUTIL.EXE /MS databasename, which provides a more accurate estimate of the recyclable space found in the store.


    21. How to troubleshoot a database that cannot mount?

    1. If all stores are unable to mount, please first check that the following services are started:

    Microsoft Exchange Information Store
    Microsoft Exchange System Attendant

    Then check whether you are running file-based antivirus software that scans the program and database files of the Exchange computer. Please disable the antivirus software and test the issue again. In order to isolate the issue, you can also create a new database to see if it can be mounted.

    2. If one specific store is unable to mount, please first check whether you are running Exchange Standard Edition: mailbox stores will dismount when you reach the 16-GB size limit, and KB 828070 addresses this issue.

    According to KB 314917, check if there is -1018 or -1022 error in the application log indicating a problem with your physical storage.

    Verify that the database was shut down in a clean (consistent) state. Use ESEUTIL /MH. If the database was shut down in a dirty (inconsistent) state, you cannot mount it, and you must replay at least one transaction log file to bring it to a clean state.

    Verify the integrity of the database. Use ESEUTIL /G, which will check the low-level integrity of the database.



    Jeff Feng - MSFT
    Friday, April 24, 2009 6:50 AM
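    The DNS discovery order from item 10 (step 4a-4d) as an added, runnable example; this is not Outlook's or Exchange's code. It assumes a constructed in-memory table in place of the real network, and shows the two caveats the FAQ states: settings are only taken from an HTTPS POST (the plain-HTTP GET and the SRV lookup may only yield a redirect), and redirect chains stop after 10 hops.

```python
"""Autodiscover DNS discovery order from item 10 of the FAQ (step 4a-4d).

Added example, not Outlook's or Exchange's code. The network is replaced by a
constructed in-memory table so the walk runs offline; fetch(method, target)
returns ("settings", payload), ("redirect", url) or None for a failed probe.
"""
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # the FAQ allows 10 redirects during DNS discovery
XML = "/autodiscover/autodiscover.xml"


def candidate_probes(domain):
    """Ordered probes for an SMTP domain, exactly as listed in steps 4a-4d."""
    return [
        ("POST", f"https://{domain}{XML}"),
        ("POST", f"https://autodiscover.{domain}{XML}"),
        ("GET", f"http://autodiscover.{domain}{XML}"),
        ("SRV", f"_autodiscover._tcp.{domain}"),
    ]


def dns_discover(domain, fetch):
    """Return the settings payload, or None when every probe fails.

    Settings are accepted only from an HTTPS URL: the plain-HTTP GET and the
    SRV lookup may only yield a redirect, which is then re-probed with an
    HTTPS POST. Redirect chains are cut off after MAX_REDIRECTS hops.
    """
    for method, target in candidate_probes(domain):
        url, hops = target, 0
        result = fetch(method, url)
        while result is not None:
            kind, value = result
            if kind == "settings" and urlsplit(url).scheme == "https":
                return value
            if kind != "redirect" or hops == MAX_REDIRECTS:
                break  # settings over HTTP/SRV are ignored; loop cut off
            hops += 1
            url = value
            result = fetch("POST", url)
    return None


# Constructed responses standing in for a fictional contoso.example tenant.
FAKE_NET = {
    ("POST", "https://contoso.example" + XML): None,
    ("POST", "https://autodiscover.contoso.example" + XML): None,
    # the HTTP GET is only honoured for its redirect to an HTTPS endpoint
    ("GET", "http://autodiscover.contoso.example" + XML):
        ("redirect", "https://mail.contoso.example" + XML),
    ("POST", "https://mail.contoso.example" + XML):
        ("settings", {"Server": "mail.contoso.example", "AuthPackage": "Ntlm"}),
    # a server that hands out settings over plain HTTP: must be ignored
    ("POST", "https://weak.example" + XML): None,
    ("POST", "https://autodiscover.weak.example" + XML): None,
    ("GET", "http://autodiscover.weak.example" + XML):
        ("settings", {"Server": "mail.weak.example"}),
}


def fake_fetch(method, target):
    return FAKE_NET.get((method, target))


def always_redirect(method, target):
    """A misconfigured endpoint that redirects to itself forever."""
    return ("redirect", "https://loop.example" + XML)


if __name__ == "__main__":
    print(dns_discover("contoso.example", fake_fetch))   # settings via redirect
    print(dns_discover("weak.example", fake_fetch))      # None: HTTP-only settings
    print(dns_discover("loop.example", always_redirect)) # None: redirect loop
```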
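    The recipient resolution described in items 17 and 18 as an added, runnable example; this is not Exchange's routing code. It assumes a constructed Company A directory (contoso.example as the shared authoritative domain, a mailbox for Alice and a contact for Bob with a targetAddress at Company B) and walks the four outcomes the FAQ describes: local delivery via a proxyAddresses match, redirect via targetAddress, an NDR for an unknown recipient in an authoritative domain, and external routing otherwise.

```python
"""Recipient resolution on a shared authoritative SMTP domain (items 17, 18).

Added example, not Exchange's routing code. A constructed list of directory
objects stands in for Active Directory.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryObject:
    name: str
    proxy_addresses: list = field(default_factory=list)  # "SMTP:..." values
    target_address: str = ""  # set on a mail-enabled contact/user only


def split_proxy(value):
    """Split 'PREFIX:address' into (PREFIX, address), normalised for matching."""
    prefix, _, address = value.partition(":")
    return prefix.upper(), address.strip().lower()


def find_by_proxy(directory, smtp_address):
    """Find the object whose proxyAddresses holds this SMTP address (any case)."""
    wanted = smtp_address.strip().lower()
    for obj in directory:
        for value in obj.proxy_addresses:
            prefix, address = split_proxy(value)
            if prefix == "SMTP" and address == wanted:
                return obj
    return None


def resolve(directory, authoritative_domains, recipient):
    """Return (action, detail) for one envelope recipient."""
    domain = recipient.rpartition("@")[2].lower()
    match = find_by_proxy(directory, recipient)
    if match is not None:
        if match.target_address:
            # item 18: redirect to targetAddress; a Send connector scoped to
            # that domain carries the message to the other organisation
            _, target = split_proxy(match.target_address)
            return "redirect", target
        # item 17: a local proxy match wins even for an "external" domain
        return "deliver-local", match.name
    if domain in authoritative_domains:
        # authoritative domain but no proxyAddresses match anywhere: NDR
        return "ndr", f"{recipient}: recipient does not exist"
    return "external", domain


# Constructed Company A directory; contoso.example is the shared domain.
AUTHORITATIVE = {"contoso.example"}
DIRECTORY = [
    DirectoryObject("Alice (mailbox)", [
        "SMTP:alice@contoso.example",
        "smtp:alice.a@contoso.example",
        "smtp:alice@fabrikam.example",  # a non-authoritative domain
    ]),
    DirectoryObject("Bob (contact for Company B)",
                    ["SMTP:bob@contoso.example"],
                    target_address="SMTP:bob@companyb.example"),
]

if __name__ == "__main__":
    for rcpt in ("alice@contoso.example", "Alice.A@contoso.example",
                 "bob@contoso.example", "carol@contoso.example",
                 "alice@fabrikam.example", "dave@fabrikam.example"):
        print(rcpt, "->", resolve(DIRECTORY, AUTHORITATIVE, rcpt))
```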
  • Hi,

    This is Venkat.

    Could you provide the questions and answers on Exchange Server 2007 clustering?

    Please help me.

    Sunday, October 18, 2009 9:43 AM
  • I have the same issue... please help me.

    Tuesday, January 18, 2011 8:08 PM
  • Thanks Jeff
    Mohammad Mati ur Rahman
    Sunday, April 10, 2011 4:15 PM
  • Thanks Jeff
    Saturday, August 06, 2011 11:38 AM
  • It is very useful. Could you provide more about Exchange Server 2010 SP1?


    Khemarin Set
    Tuesday, August 09, 2011 3:27 AM
  • Well done. Thanks!
    Friday, September 23, 2011 2:32 AM