Exchange 2013 CU9 Upgrade Issues

Earlier this morning I had to upgrade Exchange Server 2013 to CU9. The Exchange upgrade failed with the following error:
Start-SetupProcess -Name "iisreset" -Args "/noforce /timeout:120"
Process execution failed with exit code 1052

Microsoft states that you need to have your server's PowerShell execution policy set to "Unrestricted" before running the upgrade. I did set the execution policy to "Unrestricted" using the following command from an administrative PowerShell console:
Set-ExecutionPolicy Unrestricted
However, my execution policy reverted back to "RemoteSigned" after running the first part of the upgrade GUI installer. I therefore attempted to create a GPO that forces the execution policy to "Unrestricted" so I would not have to run this command before every upgrade. However, the Exchange prerequisite analysis will complain that a GPO is setting the execution policy. You therefore have to set the GPO to "Not Configured", which negates the point of creating the GPO in the first place.
I found that simply running the command Set-ExecutionPolicy Unrestricted multiple times during the install will fix the installation issue. Maybe someone at Microsoft or someone smarter than me can tell us what the appropriate solution might be. Thanks!
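An added check, not part of the original post, that makes the GPO interaction visible: Set-ExecutionPolicy without -Scope writes the LocalMachine scope, while a policy delivered by Group Policy lands in the MachinePolicy (or UserPolicy) scope, which takes precedence over anything set locally. The snippet lists every scope, applies Unrestricted to LocalMachine, and warns when a higher-precedence scope will still override it. It assumes Unrestricted is the value wanted during setup (as the post describes) and RemoteSigned is the normal policy on the server; restoring the tighter policy afterwards is an added practice, not something the installer requires.

```powershell
# Added example: inspect and set the PowerShell execution policy around an
# Exchange 2013 CU install. Run from an elevated PowerShell console.
# Assumptions: Unrestricted is wanted only while Setup runs; RemoteSigned is
# the server's normal policy.

function Show-ExecutionPolicyScopes {
    # Precedence is MachinePolicy > UserPolicy > Process > CurrentUser > LocalMachine.
    Get-ExecutionPolicy -List | ForEach-Object {
        '{0,-14} {1}' -f $_.Scope, $_.ExecutionPolicy
    }
}

function Set-SetupExecutionPolicy {
    param([string]$Policy = 'Unrestricted')

    # Anything pushed by Group Policy shows up in these two scopes and wins
    # over LocalMachine, so Set-ExecutionPolicy cannot override it.
    $gpo = Get-ExecutionPolicy -List |
        Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }

    if ($gpo) {
        $list = ($gpo | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
        Write-Warning "Execution policy is enforced by Group Policy ($list); Set-ExecutionPolicy will not override it and Exchange setup will flag it."
    }

    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy $Policy -Force
    Get-ExecutionPolicy   # effective policy after the change
}

Write-Host 'Before:'; Show-ExecutionPolicyScopes
Set-SetupExecutionPolicy -Policy Unrestricted
Write-Host 'After:';  Show-ExecutionPolicyScopes

# ... run Setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms here ...

# Return to the tighter default once setup has finished.
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force
```

If the "Before" listing shows MachinePolicy set to RemoteSigned, that is the GPO the prerequisite check is complaining about, and no local Set-ExecutionPolicy will change the effective policy until that GPO is set to Not Configured.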
Posted in Exchange 2013

LDAPS certificate process

If you ever need to create a CA-signed certificate for Active Directory (LDAPS), follow this procedure on each domain controller.

# Create a file called request.inf in the c:\temp directory

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject="CN=yourFQDN, O=YourCompany, OU=YourDepartment, L=YourCity, S=YourState, C=US"
KeySpec=1
KeyLength=2048          ; Can be 2048, 4096, 8192, or 16384 (1024 is no longer considered adequate).
                        ; Larger key sizes are more secure, but have a greater impact on performance.
Exportable=TRUE         ; Lets the private key be exported; set to FALSE unless you need to back the key up.
MachineKeySet=TRUE
SMIME=False
PrivateKeyArchive=FALSE
UserProtected=FALSE
UseExistingKeySet=FALSE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyUsage=0xa0           ; Digital Signature (0x80) + Key Encipherment (0x20)
HashAlgorithm=sha256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1   ; Server Authentication

Then run the following commands:

cd c:\temp

certreq.exe -new .\request.inf yourserver.domain.2015.req

# Wait for the certificate from the CA, then accept it

certreq.exe -Accept .\yourservername_yourdomain_edu-2015-SHA2.cer

# The certreq utility puts this cert in the Personal store of the local computer. I open both the local computer certificate store and the certificate store for the "Active Directory Domain Services" service account (shown as NTDS\Personal). Once both Personal stores are open, I simply drag the certificate into the "Active Directory Domain Services" Personal store. Make sure you open the cert and verify that the certificate chain is OK. Active Directory will immediately see the new certificate and start using it if its expiration date is later than the previous cert's, so you don't have to remove the old cert first.

This process has been tested on Active Directory 2008 R2
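An added check that is not part of the original post: once the certificate is in the NTDS\Personal store, confirm from a client that the domain controller actually presents it on TCP 636 and that it chains to a trusted CA. The functions below open an LDAPS connection, pull the server certificate, build the chain with online revocation checking, and report the properties a practitioner cares about (name match, expiry, signature hash, key size). It assumes $DomainController is the DC's FQDN (the same value used as CN in request.inf) and that the script runs on a domain-joined machine that trusts the issuing CA.

```powershell
# Added example: verify the certificate a domain controller serves over LDAPS.
# Assumptions: $DomainController is the DC's FQDN; the machine running this
# trusts the CA that signed the certificate.

function Get-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    try {
        # Accept whatever the server sends in the callback; we validate the
        # chain ourselves in Test-LdapsCertificate so failures are reported, not thrown.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    }
    finally {
        $tcp.Close()
    }
}

function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$DomainController)

    $cert  = Get-LdapsCertificate -DomainController $DomainController
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    # The name the server authenticates as must match the DC's FQDN (CN or SAN).
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Server       = $DomainController
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        SignatureAlg = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
        KeyLength    = $cert.PublicKey.Key.KeySize             # expect 2048 or larger
        NameMatches  = ($dnsName -ieq $DomainController)
        ChainValid   = $chainOk
        ChainErrors  = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

# Usage (replace with your own DC):
Test-LdapsCertificate -DomainController dc1.yourdomain.edu | Format-List
```

If Thumbprint still shows the old certificate after the drag-and-drop, the new one is either not in NTDS\Personal or its NotAfter is not later than the old cert's, which is the selection rule described above. A ChainErrors value naming revocation means the CA's CRL distribution point is unreachable from the client, which will also break clients that enforce revocation checking.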

Posted in Active Directory, ldaps

Exchange 2013 – Public Mailbox Size Increase

If you need to increase the quota on a public folder mailbox in Exchange 2013, follow these directions:
1. Determine which public folder mailbox needs to be increased.
2. Check the current quota:
Get-Mailbox -PublicFolder -Identity Mailbox1 | fl ProhibitSendQuota
3. Now increase the ProhibitSendQuota:
Get-Mailbox -PublicFolder -Identity Mailbox1 | Set-Mailbox -PublicFolder -ProhibitSendQuota 21000000000
This increases the ProhibitSendQuota to approx. 19.56 GB (21,000,000,000 bytes). The ProhibitSendReceiveQuota must be larger than the ProhibitSendQuota, so you may have to increase it first. In my case I set the ProhibitSendReceiveQuota to 25 GB before increasing the ProhibitSendQuota to 19.56 GB.
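The same change wrapped in a function, as an added example rather than the post's own commands: it validates the ordering IssueWarningQuota <= ProhibitSendQuota <= ProhibitSendReceiveQuota before touching the mailbox and sets all three values in a single Set-Mailbox call, so there is never a transient state where the send quota exceeds the existing send/receive quota. It assumes the Exchange Management Shell is loaded and that, as on this page, Set-Mailbox accepts a plain byte count; the 90% warning threshold is an assumed default, not something Exchange mandates.

```powershell
# Added example: raise public folder mailbox quotas in one call while keeping
# IssueWarningQuota <= ProhibitSendQuota <= ProhibitSendReceiveQuota.
# Assumptions: Exchange Management Shell session; plain integers are bytes
# (21000000000 bytes = approx. 19.56 GB, the value used in the post).

function Set-PublicFolderMailboxQuota {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int64]$ProhibitSendQuotaBytes,
        [int64]$ProhibitSendReceiveQuotaBytes = 25GB,
        # Assumed default: warn at 90% of the send quota.
        [int64]$IssueWarningQuotaBytes = [int64]($ProhibitSendQuotaBytes * 0.9)
    )

    if ($IssueWarningQuotaBytes -gt $ProhibitSendQuotaBytes -or
        $ProhibitSendQuotaBytes -gt $ProhibitSendReceiveQuotaBytes) {
        throw "Quotas must satisfy IssueWarning <= ProhibitSend <= ProhibitSendReceive."
    }

    Write-Verbose ("Before: " + (Get-Mailbox -PublicFolder -Identity $Identity |
        Select-Object IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota | Out-String))

    # One call for all three values avoids the "send quota above receive quota"
    # error you get when raising ProhibitSendQuota on its own.
    Set-Mailbox -PublicFolder -Identity $Identity `
        -IssueWarningQuota        $IssueWarningQuotaBytes `
        -ProhibitSendQuota        $ProhibitSendQuotaBytes `
        -ProhibitSendReceiveQuota $ProhibitSendReceiveQuotaBytes

    # Read back so the caller sees what Exchange actually stored.
    Get-Mailbox -PublicFolder -Identity $Identity |
        Format-List Name, IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota
}

# 19.56 GB send quota, 25 GB send/receive quota, as in the post.
Set-PublicFolderMailboxQuota -Identity Mailbox1 -ProhibitSendQuotaBytes 21000000000 -ProhibitSendReceiveQuotaBytes 25GB -Verbose
```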

Posted in Exchange 2013

ADFS and Exchange 2013 Token Signing Certificate Rollover Process

Environment Verified On: Exchange 2013 CU9, ADFS 3.0, all running Windows Server 2012 R2

If you are currently running Exchange Server 2013 and ADFS, you will have to replace your token-signing certificate every year by default, unless you disable the automatic certificate rollover feature of ADFS. In older versions of Exchange (I am currently running Exchange 2013 CU9), you could only assign one ADFS token-signing certificate thumbprint. This made it difficult for Exchange to trust the new certificate, because you could only trust one at a time. Now the -AdfsSignCertificateThumbprints parameter of Set-OrganizationConfig is multi-valued. Simply save both the "Primary" and "Secondary" token-signing thumbprints returned by the command below, and then apply them to your Exchange organization config.

# Run this PowerShell command on your primary ADFS server

Get-AdfsCertificate -CertificateType Token-Signing

# Run this PowerShell command from one of your Exchange 2013 CAS servers, or a machine with the Exchange snap-in

Set-OrganizationConfig -AdfsSignCertificateThumbprints 133FC5293DFD48BC8E395D3EECBB0E9C9486EE14,EBB6F27D02F46CD0ED2F5C743672B93A845B4C01


  • Open the ADFS management console.
  • View the new primary token-signing certificate.
  • Export this certificate to a file.
  • Import this certificate file on each CAS server:
    • Add this cert to the Trusted Root Certification Authorities store under the machine account.
  • Use your load balancer to isolate each CAS server, and then reboot them one at a time.

Now, when ADFS rolls the secondary certificate to primary, Exchange will automatically trust the new primary cert, and OWA access will continue to function as normal without any downtime.
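The two halves of the procedure scripted, as an added example and not the post's own commands: Export-AdfsTokenSigningCertificates runs on the primary ADFS server and writes both token-signing certificates (public part only) plus their thumbprints to a share; Import-AdfsTokenSigningCertificates runs on each CAS server, pushes both thumbprints into the organization config, imports the certificates into the machine's Trusted Root store, and verifies that every configured thumbprint is actually trusted. $ExportPath and the file names are assumptions; Get-AdfsCertificate, Set-OrganizationConfig and Import-Certificate are the real cmdlets.

```powershell
# Added example: automate the ADFS token-signing rollover prep for Exchange 2013.
# Assumptions: $ExportPath is a share reachable from both servers; the Exchange
# cmdlets are loaded on the CAS side; file names below are my own choice.

function Export-AdfsTokenSigningCertificates {
    # Run on the primary ADFS server.
    param([Parameter(Mandatory)][string]$ExportPath)

    $thumbprints = @()
    foreach ($c in (Get-AdfsCertificate -CertificateType Token-Signing)) {
        $role = if ($c.IsPrimary) { 'Primary' } else { 'Secondary' }
        $file = Join-Path $ExportPath "adfs-token-signing-$role.cer"

        # DER-encoded public certificate only; the private key never leaves ADFS.
        $der = $c.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $der)

        $thumbprints += $c.Thumbprint
        '{0,-9} {1} (expires {2})' -f $role, $c.Thumbprint, $c.Certificate.NotAfter
    }
    # The CAS side reads this instead of retyping thumbprints.
    $thumbprints | Set-Content (Join-Path $ExportPath 'thumbprints.txt')
}

function Import-AdfsTokenSigningCertificates {
    # Run on each Exchange 2013 CAS server (organization config only needs setting once).
    param([Parameter(Mandatory)][string]$ExportPath)

    $thumbprints = Get-Content (Join-Path $ExportPath 'thumbprints.txt') | Where-Object { $_ }

    # Multi-valued parameter: both thumbprints, so the pending primary is trusted in advance.
    Set-OrganizationConfig -AdfsSignCertificateThumbprints $thumbprints

    # Trusted Root store under the machine account, as the post describes.
    Get-ChildItem (Join-Path $ExportPath 'adfs-token-signing-*.cer') | ForEach-Object {
        Import-Certificate -FilePath $_.FullName -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }

    # Verify: every thumbprint Exchange is configured with must be present in Root.
    $trusted = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    foreach ($t in (Get-OrganizationConfig).AdfsSignCertificateThumbprints) {
        '{0} trusted in LocalMachine\Root: {1}' -f $t, ($trusted -contains $t)
    }
}

# On the ADFS server:
Export-AdfsTokenSigningCertificates -ExportPath '\\fileserver\adfs-rollover'
# On each CAS server:
Import-AdfsTokenSigningCertificates -ExportPath '\\fileserver\adfs-rollover'
```

Whoever can write to $ExportPath decides which signing keys Exchange will trust for sign-in, so restrict the share to the admins performing the rollover and compare the thumbprints printed by the export step with what the ADFS console shows before importing.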


Posted in ADFS 3.0, Exchange 2013