Import and Export Certificate Exchange 2010

Here is the scenario , we are doing migration from Exchange 2003 to Exchange 2010. We have existing certificate called and we wish to move this over to Exchange 2010.

I think this will be much common thing in these type of migrations. I found out supper easy is not to kill yourself to try to share the existing cert and the URL being used to access the webmail. For instance if you are using =Valid Cert = Exchange-2003 Server

And as soon as you moved first user on Exchange 2010 , accessing Existing URL wont work for the user on Exchange 2010. Here is what I have done couple times to get around this type of issues and make migration pretty seamless to end users.

I purchased new cert and called it Valid Cert=Exchange 2010

I configured this cert on the E210 server and told costumer everyone who gets migrated on E210 will use this link to access their webmail. This made my job supper easy and at the end of the migration I export the cert from E03 imported into E210 and done with migration.

  • STEP 1: Export Certificate and Private Key from the IIS 6.0 server

    Create an MMC Snap-in for Managing Certificates:

    1. Start > run > MMC
  • Go into the Console Tab > File > Add/Remove Snap-in
  • Click on Add > Click on Certificates and click on Add
  • Choose Computer Account
  • Choose Local Computer
  • Close the Add Standalone Snap-in window.
  • Click on OK at the Add/Remove Snap-in window



  • Open Certificates Console Tree
  • Go to Personal
  • Right click Certificates
  • Choose ALL TASKS
  • Select Import to start the Certificate Import Wizard
  • Click Browse
  • Locate the .pfx file
  • Click Open
  • Next
  • Finish



After this is completed rest of the work is supper easy go to EMC and drill down to server configuration , you will see the certificate there , just assign services to this certificate to finish the work





Source link


Few Poweshell commands

HUB Transport Server


Get-Queue -server ‘servername’ (Check Queue on a Hub Server)

get-messagetrackinglog -resultsize unlimited -EventID “RECEIVE” -Recipients “” -sender “” -Server “XXXYYYPP123” -Start “7/27/2010 12:00:00 AM” -End “7/29/2010 11:59:00 PM”

(To track the messages in a hub server, edit the query as needed)

Mailbox Server


Get-MailboxDatabase -server cmsname -status | select name,mounted (To check the status (Mounted) of all mailbox database in a server)

Get-MailboxDatabase -server cmsname -status | select Name,Server,*backup*,Mounted (To check the last Backup of all mailbox database in a server)

Dismount-Database CMSNAME\CMSNAME-SG01 (Dismount a single database)

Get-MailboxDatabase -server cmsname | Dismount-Database (Dismount all the mailbox database in a server)



Get-StorageGroupCopyStatus -server cmsname (To check the replication status of all storage group in a server)

Test-ReplicationHealth (To check the replication health of a cluster)

Suspend-MailboxDatabaseCopy -Identity CMSname\CMSname-SG01 -SuspendComment “Maintenance on 001” (Pause the replication of a storage group)

Resume-MailboxDatabaseCopy -Identity cmsname\CMSname-SG01 (Resume the replication of a storage group, which was paused)

Restore-StorageGroupCopy CMSNAME\CMSNAME-SG01 (Ignore the consistency state and make database mountable, possible of data loss)

Update-StorageGroupCopy CMSNAME\CMSNAME-SG01 -DeleteExistingFiles (Reseed the replication which was failed)

Move-ClusteredMailboxServer -Identity ‘CMSNAME’ -MoveComment ‘Install Forefront on A node’ -TargetMachine ‘nodeb’

Troubleshooting Cluster Servers


1. Always use “Move-ClusteredMailboxServer” command to failover the server

2. Before failover the server, it is better to check whether the passive node is up to date.

Run “Get-StorageGroupCopyStatus” to see the target database is updated. The copy status should be Healthy and CopyQueueLength & ReplayQueueLength should be 0.

Do not failover the cluster if there is some value in CopyQueueLength or ReplayQueueLength unless it is really required. (Less value in CopyQueueLength & ReplayQueueLength is less data loss)

3. If the copy status failed first try “Resume-MailboxDatabaseCopy” then “Update-StorageGroupCopy” (Do not go for “Update-StorageGroupCopy” without seniours advise)

Question about Exchange 2010 DAG

Question which has been asked by an interviewer to me !!

How many nodes can I have in a DAG?

Anywhere from 1 to 16 mailbox servers can be included in a DAG.

Does DAG use SMB replication like CCR and SCR did?

No, DAG uses one TCP socket per database for replication.

Which ports does DAG use for replication?

DAG uses a single port for replication and it is port 64327. This is configurable by administrators if needed.

Can you leverage Storage Groups with DAG?

Storage groups have been removed in Exchange 2010 in order to leverage database level failover.

Can I put a public folder database in a DAG?

No, in order to maintain PF database availability it is recommended to setup a public folder replica.

How do I failover to another datacenter? Can I do this after setup or does it have to be performed from initial setup?

SCR used to be the method for datacenter resiliency in Exchange 2007 and it has been replaced with DAG in Exchange 2010. The nice part about a DAG is you can add additional datacenter sites for failover at a later point post DAG setup.

How many NICs do I need in a DAG server? Does it all have to be on one subnet?

2 NICs per server minimum are needed for a DAG server node. DAG also supports multiple subnets (multi-datacenter locations).

Do I have to run a static IP for my DAG

No, DAG defaults to a DHCP based IP and can be used with either a static or dynamic IP

What OS can I run and what OS version for a DAG node is required?

Windows Server 2008 or Windows Server 2008 R2 Enterprise or Datacenter Edition is required.

Where can I put my file share witness?

It has to be in the same AD forest as the DAG and cannot reside on a DAG member. It is recommended to be placed on the hub transport in order to be administered by Exchange admins.

Do I have to pre-create my file share witness like in Exchange 2007?

No, Exchange 2010 will auto-create the FSW share with correct Exchange permissions.

Can I encrypt or compress DAG over the wire?

Yes to both. You would leverage the Set-DatabaseAvailabilityGroup cmdlet to enable either feature.

Any new DAG features coming in SP1 I should know about?

There are some enhancements which are slated (subject to change) to be included with DAG SP1 including:

Block mode replication

DAG server maintenance mode option

DAG database re-distribution

Better cross-datacenter DAG experience for Outlook users (read – fewer Outlook restarts needed)

Better DAG reporting

DAC mode available for one site now

Re-seeds can use spare storage

Other minor DAG additions and tweaks

How to Integrate Office Communications Server 2007 R2 with Exchange 2010

One of the new features of Outlook Web App (OWA) in Exchange 2010 is the ability for OWA to act as an IM client if you have Office Communications Server (OCS) in your environment. Once configured, you’ll be able to see and manage your buddy list, manage presence, as well as participate in IM conversations while logged in to OWA. Configuring this integration requires a number of steps on each of your Exchange 2010 Client Access Servers (CAS’). Many of the changes discussed in this blog post will cause brief service interruptions so it is highly recommended that you perform this work during a maintenance window where these interruptions are tolerable.

You’ll need to download two packages in order to proceed:

You can simply run the first download on one machine as it will extract the contents to C:\WebService Provider Installer Package (by default). Inside of this folder will be a number of installers which you’ll need to execute (in order) on each of your CAS servers:

  1. Visual C++ Redistributable (vcredist_x64.exe)
  2. Unified Communications Managed API (ucmaredist.msi)
  3. OCS Service Provider (cwaowassp.msi)

Finally, you’ll need to patch the UC Managed API by installing ucmaredist.msp

Note: If you have User Account Control (UAC) enabled on your CAS servers, you should execute all of these packages from an elevated command prompt

Once these packages are installed, you are ready to configure OWA for integration with OCS. You’ll need to have the name of the OCS Pool which you plan to have your CAS servers connect to on hand as well as some information about the certificate on each CAS server which will be used to secure communications between the CAS server and OCS. Specifically, you’ll need to collect the certificate issuer string as well as the certificate’s serial number. You can do this using the following PowerShell command:

Get-ExchangeCertificate | fl Subject,Issuer,SerialNumber

You should get text returned back similar to the following:

Subject :, OU=IT, O=“Some Company name Corporation”, L=Greenbay, S= Wisconsin, C=US

Issuer : CN=”DigiCert Global CA”,, O=DigiCert Inc, C=US

SerialNumber : 478C52B6B53E467F9331BB8CB4B2BDB8

Note: If you are using different certificates on each CAS server in your array, you’ll need to collect this data individually on a per CAS server basis

Make note of the issuer and serial number values for the certificate. You’ll need to tell OWA to use this certificate for communications with OCS. To do this, browse to C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa and open the web.config file with notepad. Scroll down and find the following section:

add key=”IMPoolName” value=”” />

add key=”IMCertificateIssuer” value=”” />

add key=”IMCertificateSerialNumber” value=”” />

These are the three values you’ll need to populate for OWA to make the connection to OCS. The first value should be the FQDN of the OCS pool you want to connect to, and the following two values should be copied out of the Get-ExchangeCertificate spew collected earlier as shown below:

add key=”IMPoolName” value=”” />

add key=”IMCertificateIssuer” value=’CN=”DigiCert Global CA”,, O=DigiCert Inc, C=US ‘ />

add key=”IMCertificateSerialNumber” value=”47 8C 52 B6 B5 3E 46 7F 93 31 BB 8C B4 B2 BD B8″ />

Warning: There are three extremely important things you need to do when customizing the configuration settings shown above:

  1. If your certificate’s issuer includes any double quotes (as mine does), you must enclose the data in single quotes instead of the default double quotes as shown above.
  2. You must insert the spaces in between each octet in the serial number as shown above.
  3. You must remember to update these values when you renew or replace the certificate on a CAS server.

Once OWA is configured, you’ll need to configure your OCS pool to trust the CAS servers. To do this, access the OCS Administration Pool, and open the Front End Properties of the pool (right click the pool, Properties>Front End Properties). On the Host Authorization tab, add an entry reflecting the certificate you configured in the web.config file in the previous step. You’ll also want to check the “Treat As Authenticated” and “Throttle As Server” checkboxes.

In order for this change to take effect immediately, you may need to restart the services on your OCS Front Ends. Doing this will disconnect any currently connected clients so it may instead be advantageous to wait for caches to refresh. The final step is to enable OCS IM integration for the OWA virtual directory. To do this, run the following PowerShell command:

1.Get-OwaVirtualDirectory -Server YourCasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS

Users who are enabled for OCS should see their buddy list as well as a jelly bean to manage presence next time they login:

In summary, there are four key steps you’ll need to take in order to enable OCS integration with Outlook Web App in Exchange 2010. First, you’ll need to download the service provider and latest rollup for the components in the service provider download. Next, you’ll need to install the components downloaded on each Client Access Server. You’ll then collect certificate information from each CAS server and configure that information along with your OCS pool information in the OWA web.config file. Finally, you’ll add the CAS certificate to the list of trusted hosts in OCS and enable OCS integration on the OWA virtual directory

Mail queued up in Hub transport server – Back pressure


Although email is not always the best way to share files, the method is frequently used. As an administrator, you probably have to allow messages to be sent with attachments. Sometimes these attachments are relatively large. But you also have to balance this business requirement with making sure that your server hardware does not become overly utilized or that some users are denied service while others are processing super large messages.

In Customer Support Services we see a lot of critical server unresponsive type issues caused by someone trying to attach a really large file, say perhaps someone trying to share a DVD home video .ISO with their friends and coworkers.

Although we’ve attempted to harden Exchange out of the box, there are still a few things that you should consider doing to further limit the possibility of something like this happening.

Back Pressure

Exchange 2007 introduces a concept within Transport servers called Back Pressure. You can read all about it here. Suffice it to say, if your server becomes too busy, it will stop accepting new messages, and allow itself time to gracefully recover. It does this to protect itself from the extreme cases.

In short, Back Pressure is Exchange 2007’s way of monitoring available disk space, memory and uncommitted messages. When any of those resources exceed their corresponding thresholds for a sustained period the HUB server stops accepting anonymous submissions (medium threshold) or all submissions (high threshold). For example:

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: ResourceManager
Event ID: 15004
Resource pressure increased from Medium to High.

Resource utilization of the following resources exceed the normal level:

Version buckets = 213 [High] [Normal=80 Medium=120 High=200]

Back pressure caused the following components to be disabled:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from the Pickup directory
Mail submission from the Replay directory
Mail submission from Mailbox servers
Mail delivery to remote domains

With large messages, you have the possibility that a database transaction to commit the message into the database will take some time to complete. During that time, the database is tracking the commit with what is called version buckets or version store. So with large messages, you can guess that version buckets will often be the measure of how the mail queue database is keeping up. A few seconds of back pressure a few times per day is fine, but if your server(s) spend a lot of time in back pressure, then there’s the possibility that other messages aren’t being processed in a timely fashion.

Best Practices

An ounce of prevention is worth a pound of cure. So here are the best practices we recommend to protect your server(s) from large messages that might cause outages.

  • Install SP1 RU8. This rollup update contains an extremely important fix that should not be missed. KB 960775 is the fix that you need, particularly if you allow Outlook 2003 clients prior to SP3 to connect to your server. These clients will not ask for the maximum limits before synching and submitting a large message to the server. This can easily cause transaction log file growth and performance problems on the Mailbox server. But, worse, the store-generated DSN messages are then submitted to Transport and the problem can spread. This fix eliminates the possibility of Hub servers being affected. Regardless of this fix, it may still be a best practice to update your clients to SP3 and block legacy (unsupported) clients to limit the damage that can happen on the Mailbox server.
  • Run ExBPA. Although BPA does not know what’s reasonable for your organization, it can make sure that at least size limits are in place. ExBPA can check all of your servers quickly.
  • Set reasonable size limits for your organization based on planning. See above section for commonly missed size limits. You can use the detail output from the BPA to make certain the limits are where you think that they are.
  • Particularly if you’re supporting anything larger than the default 10MB message size, make sure that you’ve updated your edgetransport.exe.config file to the latest guidance for your version of Exchange. At the time of this publishing, the Exchange 2007 guidance when running the latest service pack is as follows:
  • The ESE cache size should be 512MB on any server with more than 4GB of RAM – An easy example:

    DatabaseMaxCacheSize” value=”536870912″ />

    For servers with 8GB of RAM or more, particularly if they are dedicated Hub role with transport dumpster enabled, you can set the value as high as 1GB:

    DatabaseMaxCacheSize” value=”1073741824″

    The version bucket thresholds should be as follows –

    DatabaseCheckPointDepthMax” value=”20971520″ /> to DatabaseCheckPointDepthMax” value=”536870912″

    The checkpoint depth should be approximately half of the DatabaseMaxCacheSize –
    QueueDatabaseLoggingBufferSize” value=”524288″ to QueueDatabaseLoggingBufferSize” value=”5242880″

    QueueDatabaseLoggingFileSize” value=”5242880″ /> to QueueDatabaseLoggingFileSize” value=”31457280″

  • Consider hardening and isolating Internet-facing receive connectors such that spam processing and virus scanning processes for inbound “unclean” message streams are not impacting the rest of mail flow. Set reasonable receive connector limits. This obviously transcends the large message discussion, but this is especially true if you allow larger messages.
  • Make sure that proper exclusions are set for file-based Antivirus software and that temporary locations are also located on drives with adequate space and speed. Temporary files can be created while converting large messages. Scanning these temporary files can cause problems – use proper Exchange Antivirus for protecting the messages and file-level scanning to protect the server(s).


Message size limits will protect your servers and make sure they stay happily running, but there is not any “one-size-fits-all” guidance. Nevertheless, setting reasonable message limits and following the best practices can save you a great deal of trouble.


Microsoft Exchange Server 2010: Sizing and Performance

Microsoft Exchange Server 2010

Sizing for Exchange 2010 is one of the most common scenarios these days from any Exchange administrators. Correctly sized Exchange deployment will carry you to success hence paying attention to this is very important.
There are many resources available on the net I am going to post some of them here and hoping to clear our some of the questions…..

  • Microsoft Exchange Server 2010: Sizing and Performance – Get It Right the First Time


  • HP Sizer for Microsoft Exchange Server 2010


  • Deployment assistance


  • Upgrade Process from Exchange 2007 to Exchange 2010


  • msexchangeteam Blog


  • Getting Started With Exchange 2010


  • Exchange Pre-Deployment Analyzer


Microsoft Exchange Solution Reviewed Program (ESRP)

  • This is great to dig to see what Vendors have done to test E210 on their hardware.

Tips to increase the Performance of the Exchange Server 2003

There are few tips which we can able to increase the performance of the exchange server by mean of using network connections:

1. Updating driver files for the NIC card.

2. Disabling TCP – Chimney – > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] – “EnableTCPChimney”=dword:00000000 Or you can use the netsh command -> Netsh int ip set chimney DISABLED.

3. Try to to disable the RSS features. -> “EnableTCPA”=dword:00000000 – > “EnableRSS”=dword:00000000.

4. Adding the EnableAggressiveMemoryUsage registry entry to the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters -> Set the EnableAggressiveMemoryUsage registry entry to 1.

Purpose to use the above tips

· Unable to connect (RDP) connection to the server.

· Unable to connect Exchange Server with Microsoft Outlook.

· Slow network performance.

· 32 MAPI sessions exceeded (9646 errors) causing the inability for Outlook clients to connect to the Information Store.

· Non-paged pool memory leaks.