Exchange 2013 CU5 upgrade fails with error – The object already exists

Just ran into this one,

An existing Exchange 2013 CU2 installation was requested to be updated to CU5, nothing special there…

Once trying to run the CU5 setup.exe /PrepareAD , the setup failed with an error:
[02/07/2014 11:57:49.0192] [1] [ERROR] Active Directory operation failed on The object 'CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com' already exists.
[02/07/2014 11:57:49.0192] [1] [ERROR] The object exists.

Digging in the ExchangeSetup.log file, I’ve tried to identify the cause.

[02/07/2014 11:57:49.0192] [1] [ERROR] The following error was generated when "$error.Clear();
$policyDefault = Get-OwaMailboxPolicy -DomainController $RoleDomainController | where {$_.Identity -eq "Default"};

if($policyDefault -eq $null)
New-OwaMailboxPolicy -Name "Default" -DomainController $RoleDomainController
" was run:
Active Directory operation failed on The object 'CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException:
The object exists.

So I’ve tried to reproduce the test manually using the same command in the setup:
Get-OwaMailboxPolicy -DomainController $RoleDomainController | where {$_.Identity -eq "Default"}
And the result was indeed $null .. which made no sense here… because it does exists, as the error states – the object ‘CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com’ already exists.

Then I’ve noticed that the CN was “default” with lower “d” … although the Where-Object and -eq should be case insensitive, the check failed…

get-owamailboxpolicy before the change - default

So, I’ve modified the value to be “Default” with capital “D”:

Set-OwaMailboxPolicy -Identity default -Name Default

get-owamailboxpolicy after the change

that did the trick :) and the setup.exe /PrepareAD was successful.


Posted in Exchange 2013 | 3 Comments

The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine

Just noticed now that the new build of Windows Azure Directory Synchronization Tool, is missing the DirSyncConfigShell.psc1 file..
more over the Coexistence-Configuration PSSnapin is also gone…

So if you’ve trying to use the known way to force a synchronization with DirSync, use these PowerShell commands to achieve what you were used to.

Import-Module DirSync


enjoy !

Posted in Office 365 | 6 Comments

This message could not be sent – Error 0x80070005 – Office 365 | Report non-inherited Send-As permissions script

After a few incidents from Office 365 deployments, I’d like to share this issue to help anyone facing it.

If you or anyone of your users tried to send an email and use the “From” option to send as another recipient you might face NDR’s (non delivery reports) which will include these errors:

  • Delivery has failed to these recipients or groups
  • This message could not be sent. Try sending the message again later, or contact your network administrator.  Error is [0x80070005-00000000-00000000]

Using Exchange Server Error Code Look-up (Download Err.exe), 0x80070005 resolves back to MAPI_E_NO_ACCESS or E_ACCESSDENIED which bring us to the actual cause of the issue.

SendAs / Send-as permissions are not retained in migrations to Office 365 just because it is based on an ACL set in Active Directory and ACLs are not synced to Office 365.

To add a SendAs permission use the Add-RecipientPermission cmdlet with Exchange Online Remote PowerShell or use the Exchange Admin Control Panel and add the Send As permission from the “Mailbox Delegation” menu.

Add-RecipientPermission "Help Desk" -AccessRights SendAs -Trustee "Ayla Kol"

See the full reference about the command here –

As a result of this issue, I’ve created a small script to report which recipients (of any type) have non inherited SendAs permissions ACL’s.  You can later use the report to re-create the permission in 365.

Download the script here:


Posted in Exchange 2010, Exchange 2013, Office 365, PowerShell | 2 Comments

Setting Office 365 UsageLocation value using the Country attribute value


Since Office 365 projects started, setting users` licenses with scripts has been somewhat of an issue.

There are great scripts out there to automate assigning licenses to users, but the prerequisite of assigning an Office 365 license to a user is to choose the Usage Location for that user. When dealing with several dozens or hundreds of users that might be fine, but for large scaled deployments this becomes also an issue. and I’ve decided to script it and share this in case anyone will need this as much as I did.

This script is has a really simple logic, trace down the Country attribute value for each user, match that with the two letter country code (required for the PowerShell Set-MsolUser command) and set that value for the user.

I’ve worked up to match the list from to the countries available for selection within the Office 365 portal.

Keep in mind that the script will not handle any spelling errors, so be sure to maintain the country value BEFORE you run this script. If you are using Directory Synchronization this should be more productive as your Active Directory will also benefit from this move…

The script will try to find an exact match of the country value, although – case Insensitive.

grab it here:

Please share your comments if you have any, I would love hearing this script is being used.


Posted in Office 365, PowerShell | 2 Comments

Exchange Hybrid Configuration failed with error Subtask Configure execution failed

Hi Again,

While setting up the Hybrid Configuration Wizard on an Exchange 2010 server for Office 365, I’ve encountered this error:

[2/4/2014 13:36:8] INFO:Running command: Get-FederationInformation -DomainName '' -BypassAdditionalDomainValidation 'True'
[2/4/2014 13:36:8] INFO:Cmdlet: Get-FederationInformation --Start Time: 2/4/2014 3:36:08 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --End Time: 2/4/2014 3:36:16 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --Processing Time: 7690.8.
[2/4/2014 13:36:16] INFO:Disconnected from On-Premises session
[2/4/2014 13:36:17] INFO:Disconnected from Tenant session
[2/4/2014 13:36:17] ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships.

Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Operation is not valid due to the current state of the object.
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_4_2014_13_35_39_635271177398297855.log.

Looking at the application log in the Exchange server showed an Event ID 403 with source MSExchange Common:
The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

After checking of course, the Federation certificate was just created… and is indeed valid…..

All that was required was a quick “restart” to the application pools on the server, I usually just restart the MSExchangeServiceHost and MSExchangeProtectedServiceHost services. after that the wizard completed successfully :)

Hope this helped anyone,


Posted in Exchange 2010, Office 365 | 2 Comments

Manually adding a secondary SMTP proxy address for hybrid Exchange Online and Office 365

Update - 07-30-2014 – Thanks for the feedback about this post, I’ve republished the code. it is now wrapped as a script and also logs results to a log file. download the new version…

I’ve been busy with more Office 365 and Hybrid Exchange Online deployments and came up with a script I hope will help some of you out there.

While deploying an Hybrid Exchange Online setup, one of the steps the Hybrid Configuration Wizard is doing is modifying the email address policy and adding “” to the relevant EAP policies. This is great although there’s a good chance you have some mailboxes that are set with EmailAddressPolicyEnabled:$false

I’ve written a function script that will help you add the additional secondary SMTP proxy address to those mailboxes easily :)

Here’s an example on how to use the script:

.\Add-OnMicrosoftSMTP.ps1 -Tenant:ilantz

The script will require your “Tenant” name, for example – if your Office 365 tenant is, enter ilantz as the tenant name. Once entered it will find all mailboxes with the property EmailAddressPolicyEnabled:$false and will try to add the routing SMTP address – (following the default Exchange Hybrid Configuration Wizard settings). If that SMTP proxy address is already taken, the function will add a random 5 digit number to the alias –

The script will catch and display any exceptions that may occur during the process. and will automatically log the results to a log file.

Get the script here –

Revision History
1.0    Initial release
1.1    Updated and rewritten as a script instead of a function which caused confusion
1.2    Added Logging of successful addresses being added and failures

Enjoy !


Posted in Exchange 2010, Exchange 2013, Office 365, PowerShell | 8 Comments

The Outlook Web App address is out of date – Office 365 Hybrid

Quick note from the field..

I’ve encountered an issue with an Exchange 2010 and Office 365 Hybrid configuration, users that were moved to Office 365 and tried to reach the original On-Premise OWA URL were receiving an error – The Outlook Web App address is out of date.

The Outlook Web App Address Is Out Of Date

What should have happen is that the OWA will offer the users to use the URL configured on the TargetOwaUrl parameter on the Organization Relationship to the Office 365 routing domain. After some digging I’ve realized that this hybrid setup was performed using the manual steps that were documented for Exchange 2010 SP1, so the Hybrid Configuration Wizard did not do it’s magic….

Anyhow, after comparing this setup with a working hybrid configuration including the OWA redirection, I’ve noticed that the TargetOwaUrl value did not had xxx/owa/xxxx in it’s URL.

So instead of – I’ve had

So after running Set-OrganizationRelationship -TargetOwaURL “” the redirection worked as expected.

Hope this helps out anyone,


See also: Simplify the OWA URL for Office 365 Hybrid

Posted in Exchange 2010, Office 365 | 1 Comment

Patch Alert – Vulnerability in Active Directory Federation Services – MS13-066

In case you’ve missed it, Microsoft has released a few security patches this week, among them a highly recommended patch that will safeguard your ADFS deployment from a possible DDoS attack -Microsoft Security Bulletin MS13-066

Make sure you visit the link above and patch your servers today !

Stay safe,


Posted in ADFS | Leave a comment

Update your Windows 7 SP1 and Server 2008 R2 SP1

In case you’ve missed it, Microsoft released a roll-up update Hotfix for Windows 7 SP1 and Server 2008 R2 SP1 which includes 90 updates (!) post-SP1 – An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1

Here’s a quote from the KB:

This article describes a hotfix rollup for Windows 7 Service Pack 1 (SP1)-based and Windows Server 2008 R2 SP1-based computers. This hotfix rollup contains 90 hotfixes that were released after the release of SP1 for Windows 7 and Windows Server 2008 R2. These hotfixes improve the overall performance and system reliability of Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers. We recommend that you apply this hotfix rollup as part of your regular maintenance routine and build processes for Windows 7 and Windows Server 2008 R2 computers.
Note This hotfix rollup primarily addresses the issues that occur on domain-joined client computers and servers. Therefore, this hotfix rollup is available only from the Microsoft Update Catalog. You can also install this hotfix rollup on computers that are running Windows 7 SP1 in nonenterprise environments. After you install the hotfix rollup, the performance of the computers may be improved.

stay updated :)


Posted in Server 2008 / R2, Vista / 7 | Leave a comment

Office 365 Migration Batch Error – Failed to overwrite the existing Migration Job Item found for “”

Hi Again,

During a simple migration (cutoff) to Office 365 Exchange Online, I’ve encountered a few errors that prevented the migration batch to complete successfully, and wanted to share in case anyone is struggling with them.

  • Active Directory operation failed on The object ‘CN=user,,OU=Microsoft Exchange Hosted Organizations,DC=EURPR01A001,DC=prod,DC=outlook,DC=com’ already exists.

This error states that the migration batch failed to create a new object because that specific name is already taken. sadly enough the value for the CN=xxxx is taken from the alias property of the user/contact/group being migrated from the on-premise server.. and alias is not unique within (most) Exchange deployments.

To Solve this, work with the “alias” property value on your local AD to locate the conflicting objects, work with the results of the migration job and cross-reference until you will eliminate all duplicates of the alias values.

  • Failed to overwrite the existing Migration Job Item found for “” [Mailbox]; the Job Item was created with different Recipient Type [Contact]. You may delete the newly created Mailbox and recreate the actual Contact for

This error could be a result of your actions to fix duplicates issues, if for some reason the migration batch started with being a contact and that object has changed it will fail to “update/sync” and will continue to expect the original object type which was different in this example a contact.

To solve this Connect to Exchange Online Using Remote PowerShell and work with two commands – Get-MigrationUser and Remove-MigrationUser to remove the incorrect object from the migration batch and then resume it. This will make sure the new (correct) object will be synced successfully. Here’s an example of how to use these commands:

Get-MigrationUser -Identity | FL

Notice the output here and make sure this is indeed the incorrect object that needs to be removed, and then pipe the output to remove that user from the Migration Batch:

Get-MigrationUser -Identity | Remove-MigrationUser

Once removed, you can resume the migration again and it should now sync correctly your mailboxes.

Hope this helps !


Posted in Office 365 | Leave a comment