Posts

Featured Post

Block access to Exchange Admin center from external network

This has been available for some time now, but people usually forget about this security necessity. You can block access to the on-prem Exchange admin center by using a client access rule:

New-ClientAccessRule -Name "Restrict EAC Access" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.10.1/24 -ExceptUsernameMatchesAnyOfPatterns *something*

Don't expect EAC to be invisible when you connect to it because of the policy. You can still connect to it, but when you log in it shows the following screen...
Recent posts

Batch Add Microsoft Exchange 2019 exclusions to Windows Defender on Windows 2019/2022

When you install Microsoft Exchange 2019 on a Windows 2019 or 2022 server, it is suggested to add some exclusions to Windows Defender. Since the list is quite large, use PowerShell to add the exclusions. The exclusion list can be found at Running Windows antivirus software on Exchange servers | Microsoft Learn.

SECURITY PRECAUTION - Don't just blindly copy the commands and exclusions below but check them. If anyone manipulated the list below on this site without my knowledge, you will end up adding exclusions you don't want to have.

Run PowerShell on the Windows 2019/2022 Exchange 2019 server as administrator.

# Define the exclusion paths
$folderExclusions = @(
    "$env:SystemRoot\Cluster",
    "$env:ExchangeInstallPath\ClientAccess\OAB",
    "$env:ExchangeInstallPath\FIP-FS",
    "$env:ExchangeInstallPath\GroupMetrics",
    "$env:ExchangeInstallPath\Logging",
    "$env:ExchangeInstallPath\Mailbox",
    "$env:ExchangeInstallPath\Tr

Apple iPhone Text responses go to wrong country code

A user wrote: Recently I went to Portugal and while I was there I bought a SIM card and put it in my iPhone 11 Pro, with my primary eSIM still in it. When I got home to Australia, I deactivated the Portugal SIM card, deleted it and took the SIM card out. Now when someone calls me and I respond with a text, my iPhone changes the calling number's country code to +31.

I had the same problem. Despite turning "Dial assist" on/off, checking Country, Language and all the suggested stuff, it did not work for me. What I did in the end was delete the country prefix from the contact numbers --> Save --> add the country prefix again. It works now.

Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}]

If you get this error when checking the mail flow for a distribution group, it means the distribution group is closed and only internal senders can send e-mail to this group. When an outside user sends e-mail to this group you get:

Reason: [{LED=250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded};{MSG=};{FQDN=};{IP=};{LRT=}]

Set Delivery for this group to internal and external users and your problem will be solved.

Check if you have users with both mailboxes on-prem and online

An Exchange Online license was applied to the user before the Exchange GUID got synchronized from on-premises Active Directory. For synchronized accounts, having the Exchange GUID synchronized from on-premises is used to tell Exchange Online that the mailbox hasn't been migrated yet, and is what allows customers to pre-license accounts prior to migration. From: My user has a mailbox both on-premises and in Exchange Online.

So, in my case we often get into the situation where the license is applied before the Exchange GUID is synchronized to O365. I am using this script to check whether a user has two mailboxes. The script closes the Exchange session BEFORE it opens the connection to Exchange Online, as both use the same commands. You can use Get-Mailbox both on-prem and Online, therefore it is crucial to close one connection before you open the other.

# DISCLAIMER:
# This code is provided "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of

An untrusted certification authority was detected while processing the domain controller certificate used for authentication additional information be available in the system event log . Please contact your administrator.

I was trying to log in with a smart card (Yubico in my case) but the server could not log me in and returned the error: An untrusted certification authority was detected while processing the domain controller certificate used for authentication additional information be available in the system event log. Please contact your administrator. I checked the certificate store and the required certificates were in the store, in my case the Root CA and Intermediate CA certificates. When I ran the command

certutil -viewstore -enterprise NTAuth

in an elevated PowerShell window I got no certificates. Therefore, I exported the intermediate certificate from the store (certmgr.msc), put it in the C:\TEMP path and ran:

certutil -enterprise -addstore ntauth "C:\TEMP\intermediate.cer"

After that I was able to sign in with the smart card. Why the certificate was not propagated through the domain is still a mystery :)

Microsoft Azure Backup Server SMTP settings

If you are using Microsoft's Azure Backup Server to back up your Exchange, you might want to use notifications if anything goes wrong with it. In the Options window, when you enter credentials for the sending account, it keeps failing to send the test e-mail, saying wrong username and password (error 2013). The problem is that this account needs to have local admin rights on the Azure Backup machine. Yeah, don't ask why.