Exchange Management Service Broker troubleshooting in K2 blackpearl

Points to take note:

  • The following screenshots are taken on K2 Core 4.1 VM with blackpearl 4.5 Update KB001420.
  • Exchange2010 and Blackpearl are installed on the same machine.
  • The logged in user is denallix\administrator.
  • Pre-requisites:
  • KB001189 quotes you need a second service account. This is not compulsory and I have used K2 service account to do all the operations. So only one account is sufficient.
  • All the errors start with “Please make sure the K2 service account has impersonation rights in Exchange” This is a misleading message, so ignore that bit and look for the text after that.


Option 1: Set Authentication Mode to ServiceAccount [DENALLIX\K2Service]

“DENALLIX\K2Service” is member of following AD roles:

With the settings in place, we can create a meeting “On Behalf Of” any user as shown in the next 3 screenshots

Error: The SMTP address has no mailbox associated with it.
Cause: This happens if the “On Behalf Of” field has an invalid email address or the email is not found in Exchange

Error: The SMTP address format is invalid.
Cause: This happens if the “On Behalf Of” field does not have a value in the format of a valid email address


Option 2: Set Authentication Mode to Impersonate [Enforce Impersonation is unchecked]

The following Exchange Management Shell screenshot shows “DENALLIX\K2Service” is part of Exchange’s ApplicationImpersonation role. This was done during installation by the K2 setup manager.

Get-ManagementRoleAssignment Role “ApplicationImpersonation”

If you want to know more about Role Based Access Control (RBAC), please check this:

With the above settings in place, we can create a meeting “On Behalf Of” any user as shown in the next 2 screenshots. The smartobject tester tool is running under the context of logged in user denallix\administrator


Option 3: Set Authentication Mode to Impersonate and check “Enforce Impersonation”

Since the logged in user is denallix\administrator, the Smartobject tester tool ran using those credentials:

Error: The account does not have permission to impersonate the requested user.
Cause: ‘denallix\administrator’ account is not part of Exchange’s ApplicationImpersonation role

new-ManagementRoleAssignment Name “_suImpersonateRoleAsg” Role “ApplicationImpersonation” User “”

Note: After executing the new-ManagementRoleAssignment powershell cmdlet, you must wait 5-10 minutes (depends on exchange setup) for the smartobject to pick up those changes.

After waiting for the exchange role refresh, you should be able to create the meeting with Enforce Impersonation enabled.


Option 4: ‘Run as different user’ option to launch Smartobject tester tool, Set Authentication Mode to Impersonate and check “Enforce Impersonation”

The error is same as explained previously. But if you try to execute the new-ManagementRoleAssignment powershell cmdlet, you will get an error as below:

This is due to the usage of same name “_suImpersonateRoleAsg” in the command. So delete the existing entry and then add the user to the role.

Remove-ManagementRoleAssignment “_suImpersonateRoleAsg”

The above screenshot confirms that _suImpersonateRoleAsg role will be removed which has Administrator as the member. Since the role has now been deleted, you can add “Run as” user to the exchange role.

As mentioned earlier, you must wait 5-10 minutes before trying to create the meeting request.


Outlook cannot resolve user hidden from Exchange address lists

I tried to add an Exchange 2007 mailbox user to my Outlook profile as an additional mailbox. Outlook was unable to resolve the username or the email address.

I realised that this particular user is Hidden from Exchange address lists and so it does not appear in Global Address list.

The workaround to add this user without un-hiding is to use the LegacyExchangeDN attribute of that user from active directory. To find the value of this attribute, you need to have Active Directory Service Interfaces Editor (ADSI Edit). ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or just open the Adsiedit.msc file from Windows Explorer.

Mailboxes, for example, have the following LegacyExchangeDN structure:

/o=Organisation/ou=Administrative Group/cn= Recipients/cn=Username

So for example a user called support, in the Contoso organisation in the Europe Administrative Group would have the following LegacyExchangeDN:

/o= Contoso/ou=Europe/cn=Recipients/cn=support

Once you have the ADSIedit installed from navigate to Domain>CN=Users>

Right Click on the user and select Properties. You can get the value of LegacyExchangeDN by clicking on Edit

Forefront High CPU utilization or Quarantines with Virus name: ‘Exceeded Internet Timeout’

Today few of my colleagues started to receive emails from Exchange 2007 Server as follows:


The original contents of this file have been replaced with this message because of its characteristics.
File name: ‘Body of Message’

Virus name: ‘Exceeded Internet Timeout’

Since we have an Edge Transport Server that has forefront server security installed, I tried to login to the server to check the logs. The CPU is at its peak and the server is inaccessible. After a long wait, I finally managed to get in there, but I am still unable to open Services or Event Log.

I checked the Hub Transport server and all the outbound emails are in the queue. The Edge Transport server is not processing inbound or outbound emails. I did a hard reset and still 100% CPU utilization.

When I managed to get the Services console open, I stopped the following services in this order.

  1. Microsoft Exchange Transport
  2. FSCController

Then the server started to behave normally. On the Application Event Log, the following entries appear.

  • The execution time of agent ‘FSE Routing Agent’ exceeded 300000 (milliseconds) while handling event ‘OnSubmittedMessage’. This is an unusual amount of time for an agent to process a single event. However, Transport will continue processing this message.
  • Transport scan exceeded the allowed scan time limit.
  • At least one of the engines that is in use is slated to be discontinued. You need to take immediate action to prevent a reduction in malware/spam protection. Details can be found at:

After a few minutes of search on Bing (, I found out that Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products.

The AhnLab, CA and Sophos engines will be retired on Dec. 1, 2009.  As of this date, customers will not receive any updates for these retired engines. Any customers running the AhnLab, CA or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman and VirusBuster.

So I had to disable the Forefront Security for Exchange Server.

From a command prompt, navigate to the Forefront Security for Exchange Server installation directory (C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server). Disable Forefront Security dependencies by typing:

FSCUtility /disable

To confirm that the Forefront Security dependencies have been removed, type:

FSCUtility /status

Restart the Exchange services (Microsoft Exchange Transport). Now the emails should go without being scanned.

Do the changes to the engines in Forefront Administrator console. Make sure you do it to the Transport Scan Job as well as Default.

If you think that the scan engines are corrupted, you can delete the folders at “C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\Data\Engines\x86″ So the next time the Forefront updates according to the schedule, it will get the latest engine and recreate the folders.

After you disable the retired engines in the console, you can enable the Forefront for exchange again.

FSCUtility /enable

Hopefully, the CPU utilization will be normal and the emails are checked for viruses.

How to export Exchange 2007 mailbox to a PST file

What is a PST file?

Taken from Wikipedia: a Personal Storage Table (.pst) is a file used to store local copies of messages, calendar events, and other items within Microsoft software such as Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook.

If an employee leaves the company and you want to export the mailbox to a PST file and store it as a backup, it is very easy to do this in Exchange 2007.


  • Remote computer that has Outlook 2007 installed. This is a must. Don’t install Outlook on the Exchange server itself
  • Exchange Management Shell installed from Exchange 2007 media
  • Windows Power Shell installed

Login to the remote computer with your domain credentials. Note that the domain credentials that you use to login must have FULLACCESS permission on the mailbox you are exporting. If not, this will fail.

If you want to give yourself FullAccess permission on a mailbox, you can run the following script from either PowerGUI or Exchange Management Shell. Change the script according to your requirements.

Add-MailboxPermission -Identity “John Crawford” -User “Contoso\Administrator” -AccessRights FullAccess

After the permission has been added, open up the Exchange Management Shell (EWS) on the remote computer and run this script.

Export-Mailbox -Identity -PSTFolderPath C:\PSTBackup\John_Crawford.pst

You will get a confirmation prompt:

After pressing Y, the exporting starts

You can remove the FullAccess permission that you added earlier as follows:

Remove-MailboxPermission -Identity “John Crawford” -User “Contoso\Administrator” -AccessRights FullAccess

You can also set filters and actions to be performed while exporting. Some examples as follows:

Get-User john | Export-Mailbox -SenderKeywords -DeleteContent

Get-User john | Export-Mailbox -TargetMailbox sujeeth -TargetFolder reports -SubjectKeywords “laser eye” -DeleteContent

Get-User john | Export-Mailbox -PSTFolderPath C:\PST_Backup\john_crawford.pst -SubjectKeywords “laser eye” -DeleteContent

Get-User john | Export-Mailbox -TargetMailbox sujeeth -TargetFolder MessageCleanup -SenderKeywords -DeleteContent -MaxThreads 10

Use Remote SMTP server for MOSS Incoming e-mail settings

If Microsoft Office Sharepoint Server is installed on a server that doesn’t have a local SMTP server or you could not install SMTP service becuase Exchange 2007 runs on the same server, you could use the remote SMTP server as follows:

First find the account that Windows SharePoint Services Timer runs under.

Then login to the remote SMTP server (a local server that’s part of the same domain as your MOSS server)

I assume you have already installed SMTP service on the remote computer. Browse to the default SMTP mail directory (usually C:\Inetpub\mailroot) and setup a share for the mailroot folder called MossMailRoot

Add the service account (uk\sharepoint) for the mailroot folder with full permissions.

Now open Central Administration à Operations page on your MOSS server

Open Incoming e-mail settings and set E-mail Server Display address as sharepoint.local and the E-mail drop folder as \\<servername>\<sharename>\Drop

You need to update your DNS server records to point sharepoint.local to the remote SMTP server

On the Remote server, Open IIS console and drill down to Default SMTP Virtual Server. Add new Alias domain for sharepoint.local

The server setup is complete. Now browse to your Intranet page and setup Incoming E-Mail Settings for one of the libraries.

Now When the users send an email from their Outlook client to announcements@sharepoint.local the email will be received by your Exchange. Assuming you have Exchange 2007, you need to configure a Send Connector so that Exchange knows where to forward that email.

The Send Connector will have the following configuration

Once this send connector is configured, Exchange 2007 will forward all emails with sharepoint.local domain to the remote SMTP server. The email will be stored in the Drop folder.

The Windows SharePoint Services Timer service monitors this folder at regular intervals as the network path is given in its configuration. If it finds any emails, it will check for the recipient email address and routes the email to appropriate Sharepoint library. After that it deletes the email message from the Drop folder. That’s why you need to give modify permissions for the service account on the mailroot folder.

How to find Active Directory & Exchange Schema Version

Have you ever tried to find the current Schema Version of your Active Directory or Exchange. There is a very easy solution. I came across this article on Microsoft support written by Yuval Sinay MVP.


Active Directory Schema commutability:
13 -> Windows 2000 Server
30 -> Windows Server 2003 RTM, Windows 2003 With Service Pack 1, Windows 2003 With Service Pack 2
31 -> Windows Server 2003 R2
44 -> Windows Server 2008 RTM

Exchange Schema commutability:
4397 -> Exchange Server 2000 RTM
4406 -> Exchange Server 2000 With Service Pack 3
6870 -> Exchange Server 2003 RTM
6936  -> Exchange Server 2003 With Service Pack 3
10628 -> Exchange Server 2007
11116 -> Exchange 2007 With Service Pack 1

Why OOF…Why not OOO

Here’s an interesting historical question – when we say Out of Office, why does it sometimes get shortened to ‘OOF’? Shouldn’t it be ‘OOO’?
OOF was a command used in the days of Microsoft’s Xenix mail system, which set a user as ‘Out of Facility’ – ie Out of the Office.