The action cannot be completed error using Outlook – Exchange 2010 or Office 365

Hi,

Quick note from the field: if you are moving to Exchange Online / Office 365, you should double-check your current Office Group Policy settings and registry for Outlook.

You should make sure that you did not enable the Closest GC setting or configure a specific global catalog server with the DS Server registry entries under HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider

Both registry values, errors and methods for resolution are located at:

http://support.microsoft.com/kb/2507626 – Error in Outlook: “The action cannot be completed. The Bookmark is not valid”

http://support.microsoft.com/kb/319206 – How to configure Outlook to a specific global catalog server or to the closest global catalog server
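A read-only way to run that check on a workstation, as an added example (not part of the original post or of the KB articles): it walks the user hives currently loaded under HKEY_USERS and reports any Closest GC or DS Server value under the key named above. The function name is hypothetical; the value names are the ones described in KB 319206.

```powershell
# Added example: report Outlook global catalog overrides for every user hive
# that is currently loaded on this machine. Read-only; nothing is changed.
function Get-OutlookGcOverride {
    [CmdletBinding()]
    param(
        # Sub-path from the post, relative to each user's hive.
        [string]$SubKey = 'Software\Microsoft\Exchange\Exchange Provider'
    )

    # HKEY_USERS holds one sub-key per loaded profile. Keep domain/local and
    # Azure AD user SIDs only; this skips .DEFAULT, the built-in service
    # accounts (S-1-5-18/19/20) and the *_Classes hives.
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        if (-not (Test-Path -Path $path)) { continue }

        $props     = Get-ItemProperty -Path $path
        $closestGc = $props.'Closest GC'   # $null when the value does not exist
        $dsServer  = $props.'DS Server'    # $null when the value does not exist

        # Only report hives where at least one override is present.
        if ($null -ne $closestGc -or $null -ne $dsServer) {
            [pscustomobject]@{
                Sid       = $sid
                ClosestGC = $closestGc
                DSServer  = $dsServer
                KeyPath   = $path
            }
        }
    }
}

Get-OutlookGcOverride | Format-Table -AutoSize
```

Only hives of users who are logged on are loaded under HKEY_USERS, so run it in the user's session or while the user is signed in.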

And while we are on the subject, it’s also good practice to verify the following when moving to Office 365:

  • You do not have Autodiscover-related registry settings either – http://support.microsoft.com/kb/2212902 – Unexpected Autodiscover behavior when you have registry settings under the \Autodiscover key
  • The “Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server” option under the account settings of the Outlook profile is indeed selected. Office 365 requires clients to encrypt MAPI traffic – see the following KB for additional information (originally written for Exchange 2010 RTM) – http://support.microsoft.com/kb/2006508

ilantz

TCP/IP KeepAlive, Session Timeout, RPC Timeout, Exchange, Outlook and you

Update June 21st, 2016: following feedback and a (true golden) blog post by the Exchange Team – Checklist for troubleshooting Outlook connectivity in Exchange 2013 and 2016 (on-premises) – I’ve updated the recommended values for the timeout settings and shortened the article overall for better reading. Do read the post in general, and on this topic check the CAS & Load Balancer configuration paragraphs.


Hi Again,

This post will spotlight networking considerations that are mostly overlooked. I’ve gathered a few of the issues that might have brought you here searching for an answer:

  • Outlook is retrieving data from the Microsoft Exchange Server
  • The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action
  • Sent items are stuck in Outbox or delayed
  • Outlook freezes or gets stuck when sending a message
  • Event ID 3033 regarding Exchange Server ActiveSync complaining about the most recent heartbeat intervals used by clients
  • Other strange / weird issues “but PING works! / telnet to the port works great!” – my personal favorite

The mentioned issues or symptoms could take place in any network environment, but are more common in complex network setups where multiple devices protect / route network traffic. Some typical configuration examples could be one of the following:

  • Outlook Anywhere or RPC over HTTP is being used, servers are protected or published by ISA / TMG / UAG / F5 / Juniper or any other reverse proxy / publishing solutions
  • Exchange servers are located behind a firewall, router or other network device
  • Clients / Remote clients are located behind a firewall, router or other network device (just to be clear on that…)
  • Exchange servers are being load-balanced with an external physical / virtual appliance

If you’ve read this post up until here and got disappointed because the above does not fit your issue, I’d like to suggest reviewing other RPC troubleshooting topics that might help: Troubleshooting Outlook RPC dialog boxes – revisited, or Outlook RPC Dialog Box Troubleshooting.

Exchange Server traditionally (2000 to 2010) used MAPI over RPC to communicate “natively”. RPC is known to be “sensitive”, and that’s why Exchange Server 2013 and beyond allows only Outlook Anywhere (RPC over HTTP) connections from clients, which in my opinion is a great change that will simplify future deployments.

Client<>Server connections in general remain active while data “flows”, mails are sent/received etc., but when the connection is idle, we might have a situation where it will be terminated. Here comes the term KeepAlive – a “dummy” packet that makes sure the connection remains active while it is idle and no data is flowing.

Here’s my “how-to” suggestion:

  • Configure the RPC timeout on Exchange servers to make sure that components which use RPC will trigger a keep alive signal within the time frame you would expect
    reg add "HKLM\Software\Policies\Microsoft\Windows NT\RPC" /v "MinimumConnectionTimeout" /t REG_DWORD /d 120
  • Consider modifying the server TCP/IP KeepAlive to reduce the chance of “IDLE” connections being terminated (the default is two hours; the recommended value is 30 minutes, and no less than 15 minutes). This controls the OS TCP behavior with idle connections and could greatly improve responsiveness and scalability – http://support.microsoft.com/kb/314053/EN-US
  • Make sure that you are aware of any router, firewall or any other network device that is placed between your clients and your servers. Once you do – note their session timeout, session TTL or session ageing setting for the relevant protocol and port! (this could be tricky, so do not treat this lightly)

The trick for success here is that timeout settings should be configured without overlapping one another while following the client access “path” – for example – Client > FW > Load Balancer > Server:

  • FW – TCP/IP timeout – 40 minutes
  • Load Balancer – TCP/IP timeout – 35 minutes
  • Server – TCP/IP timeout – 30 minutes
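The same rule as a check you can run on the Exchange server, as an added example that is not part of the original post: it reads the server's TCP keep-alive (the KeepAliveTime value from KB 314053) and the RPC MinimumConnectionTimeout, then verifies that idle timeouts get shorter hop by hop toward the server. Function names are hypothetical, the firewall and load balancer figures are the sample values above, and the requirement that the RPC timeout stays below the shortest idle timeout is an assumption of this example.

```powershell
# Added example: validate the "no overlapping timeouts" rule along the client path.
function Get-ServerIdleSetting {
    # KeepAliveTime (milliseconds, KB 314053) and the RPC policy value from the post.
    $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $rpc = 'HKLM:\Software\Policies\Microsoft\Windows NT\RPC'
    $ka  = (Get-ItemProperty -Path $tcp -Name KeepAliveTime -ErrorAction SilentlyContinue).KeepAliveTime
    $min = (Get-ItemProperty -Path $rpc -Name MinimumConnectionTimeout -ErrorAction SilentlyContinue).MinimumConnectionTimeout
    $kaMinutes = 120                                  # OS default of two hours when the value is absent
    if ($null -ne $ka) { $kaMinutes = $ka / 60000 }
    [pscustomobject]@{
        TcpKeepAliveMinutes = $kaMinutes
        RpcTimeoutSeconds   = [int]$min               # 0 means the policy value is not set
    }
}

function Test-IdleTimeoutChain {
    param(
        [Parameter(Mandatory = $true)] [object[]]$Hops,   # ordered client side -> server side
        [int]$RpcTimeoutSeconds = 0
    )
    $findings = @()
    for ($i = 0; $i -lt $Hops.Count - 1; $i++) {
        $outer = $Hops[$i]; $inner = $Hops[$i + 1]
        # Each hop must keep idle sessions longer than the next hop toward the server.
        if ($outer.Minutes -le $inner.Minutes) {
            $findings += '{0} ({1} min) is not higher than {2} ({3} min)' -f $outer.Name, $outer.Minutes, $inner.Name, $inner.Minutes
        }
    }
    # Assumption of this example: the RPC keep-alive must fire before the shortest idle timeout.
    $lowest = ($Hops | Measure-Object -Property Minutes -Minimum).Minimum
    if ($RpcTimeoutSeconds -le 0) {
        $findings += 'RPC MinimumConnectionTimeout is not configured'
    } elseif ($RpcTimeoutSeconds -ge $lowest * 60) {
        $findings += 'RPC timeout ({0} s) is not below the shortest idle timeout ({1} min)' -f $RpcTimeoutSeconds, $lowest
    }
    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
}

$server = Get-ServerIdleSetting
$path = @(
    [pscustomobject]@{ Name = 'Firewall';      Minutes = 40 }   # sample value from the post
    [pscustomobject]@{ Name = 'Load balancer'; Minutes = 35 }   # sample value from the post
    [pscustomobject]@{ Name = 'Server TCP keep-alive'; Minutes = $server.TcpKeepAliveMinutes }
)
Test-IdleTimeoutChain -Hops $path -RpcTimeoutSeconds $server.RpcTimeoutSeconds | Format-List
```

On a server that still has the two-hour default, the result lists the load balancer as lower than the server keep-alive, which is the overlap the post warns about.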

If additional network devices are placed between the server and your clients, make sure that session timeout settings continue to be configured accordingly.
With today’s security measures, network security has become much more complex. A typical corporate network will implement many different network appliances or software based solutions to secure data, restrict access, prevent attacks and unwanted traffic.
Bottom line – don’t think you are done with network considerations just because “ping works” or an email comes with a statement like “your port is now open”.

I hope this post will benefit others as this issue was and will probably remain common with Exchange and other client / server services.

Don’t get timed out 🙂
Ilantz


Office Client and Office Server 2013 product line was released!

Hello Everyone,

A huge release by Microsoft, all client and server office products are out ! Login to your Technet / MSDN Subscriptions and start downloading 🙂

Lync Server 2013

Exchange Server 2013

Office Web Apps 2013

Office Professional Plus 2013 (x64 and x86)

SharePoint Server 2013

Visio Professional (x64 and x86)

Project Professional 2013 (x64 and x86)

Enjoy !

ilantz

Solving Sync Issues Error 80004005-501-4B9-560 in Exchange 2010 RTM and SP1

Update

The current “Best Practice” is to upgrade your Exchange Server to Service Pack 2 and apply Update Rollup 3 for Exchange Server 2010 Service Pack 2 (KB2685289), as this issue has been permanently solved.

See Synchronization of an organizational forms library fails when you use Outlook in Cache mode in an Exchange Server 2010 for additional information.


Hello Everyone,

Since the first migrations of Exchange 2003 to Exchange 2010 we’ve seen a really annoying error within Outlook 2003, 2007 and Outlook 2010 when trying to decommission legacy servers, specifically when moving all public folder replicas including the EFORMS REGISTRY system folder and its child folders. Once the organizational forms folder (you might see a different folder name within your organization) is replicated only to Exchange 2010, a log / error message will be created in the Sync Issues folder upon an Outlook Send/Receive operation:

11:56:54 Synchronizing Forms
11:56:54 Downloading from server ‘public folder server
11:56:54 Error synchronizing folder
11:56:54 [80004005-501-4B9-560]
11:56:54 The client operation failed.
11:56:54 Microsoft Exchange Information Store

Notice: Use this method at your own risk ! This method is for organizations that do not use Forms !

Many posts and different resolutions were recommended, my original “fix” for this issue was to not replicate the organizational forms folder to the new Exchange 2010 public folder when starting to De-commission the Exchange 2003 server, practically “leaving it behind”.

I recently handled a situation where the Exchange 2003 server was already removed, and the forms folder was already replicated to Exchange 2010, and the error was already in place. I could not use Exchange 2003 System Manager to remove the replica, Exchange Management Shell or EXFolders. You cannot really leave an empty replica list within the tools.

MFCMapi to the rescue 🙂

  1. Open MFCMapi, click the session menu, select the logon and display store table option.
  2. Double click public folders, expand the public root tree, expand NON_IPM_SUBTREE, expand EFORMS REGISTRY.
  3. Locate and select the organizational forms folder.
  4. Scroll the property list to find the PR_REPLICA_LIST entry – double click it and clear the value inside – clear means delete the values inside the property. Setting PR_REPLICA_LIST to NULL actually leaves us with an empty replica list – which “solves” this issue.
  5. Note that when you click to apply the change of the PR_REPLICA_LIST the property list will immediately shrink, this is normal 🙂
  6. Exit Outlook, wait and see that indeed the Sync Issues folder does not include a new log with the 80004005-501-4B9-560 error.

Use this method at your own risk ! and again – this method is for organizations that do not use Forms !

Some references for your usage:

Troubleshooting: Error synchronizing folder Synchronizing Forms 80004005-501-4B9-560

Outlook synchronization error [80004005-501-4B9-560] with a Microsoft Exchange Server 2010 mailbox

“80004005-501-4B9-560” synchronization error logs are generated in the Sync Issues folder in Outlook in a Business Productivity Online Suite Dedicated environment 

Office Suite – Latest Updates

Hey again,

I tend to always spend some time looking up the latest Office / Outlook updates, and found the following link from the Office center on TechNet to be very useful.

It has a nice table of the latest Service Pack, Latest Public Update and Latest Cumulative Update for Office 2003 / Office 2007 / Office 2010

http://technet.microsoft.com/en-us/office/ee748587 – Update Center.

Enjoy !

Office 2007 Cumulative Update for February 2011 is now released

To follow up on my previous blog post “Watch out from latest outlook updates !”, the Exchange team has announced that the Office 2007 Cumulative Update for February 2011 is now available.

The update adds Personal Archives support in Outlook 2007 and also fixes quite a lot of issues that were introduced by the original Outlook December hotfix: Autodiscover issues, POP3 authentication issues and a few more.
For more details about the hotfix, see KBA 2475891: Description of the Office Outlook 2007 hotfix package (Outlook-x-none.msp): February 22, 2011.

As always ! test your hotfix !

Happy Archiving 🙂

Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere

Hi again,

This issue has come up too often, so I wanted to blog something short about this.

Prerequisites:

  • Update (Added June 29th 2013) – If using Exchange 2013, check out Exchange 2013 Outlook Anywhere Considerations for some additional specific Exchange 2013 issues.
  • Exchange 2007 or 2010
  • Outlook 2003 / 2007 / 2010
  • Windows XP / 7 / etc..
  • Outlook Anywhere ( RPC over HTTP ) enabled – with Basic Authentication or NTLM Authentication
  • Autodiscover – working correctly 😉

So, you’ve got it all configured, you enabled Outlook Anywhere, configured ISA 2006 / TMG / UAG to publish Outlook Anywhere (or not), you published Autodiscover records and all is working great !

BUT ! you have these annoying user credential pop ups, and users are going nuts ! and so are you ( enough sarcasm ). It may work for a while, and then you are prompted again for user and password, or even worse – it might not work at all…

Here’s what can go wrong in bullets because we have a few different issues that might cause troubles..

  • Outlook Anywhere is configured to use NTLM authentication:
    • Solution 1 – Configure MSSTD or the Certificate Principal Name correctly (see below)
    • Solution 2 – Configure your clients’ local security policy, specifically LmCompatibilityLevel, to 2 or 3
    • Solution 3 – If you try to pull NTLM with ISA / TMG / UAG, either configure “Kerberos Constrained Delegation” (check the links below for the white-paper from Microsoft) or change the publishing rule to apply to “All Users” and in the Authentication Delegation tab choose the option “No delegation, but client may authenticate directly”
  • SSL Certificates issues
    • Outlook Anywhere was enabled for – mail.company.com (ExternalHostName), but you have a wildcard certificate or the certificate subject name does not match mail.company.com
    • Solution – Configure MSSTD or the Certificate Principal Name correctly (see below)
  • Outlook Anywhere continuously keeps being configured automatically !

So what’s that MSSTD or Certificate Principal Name ? Well, it’s a method by which Outlook can verify that the server you are connecting to indeed holds the correct SSL certificate subject name before sending credentials to it.. well yeah it ain’t that secure.

Microsoft Exchange Proxy Settings

This setting is actually being configured automatically since Exchange 2007 and continue to be with Exchange 2010.

So here’s what you can do with it – all examples follow the Set-OutlookProvider cmdlet syntax for the CertPrincipalName parameter:

    • You have a wildcard certificate – Run this command:

Set-OutlookProvider EXPR -CertPrincipalName msstd:*.company.com

    • You have a different subject name on your SSL certificate than the ExternalHostName you configured for Outlook Anywhere on your CAS server

Set-OutlookProvider EXPR -CertPrincipalName msstd:correctsubject.company.com

    • You don’t want that “only connect to proxy servers that have this principal name in their certificate” check box marked at all ! 🙂

Set-OutlookProvider EXPR -CertPrincipalName none

New feature with Exchange 2010 – The Set-OutlookProvider cmdlet now allows Outlook 2010 clients to connect exclusively through RPC over HTTP (Outlook Anywhere) before trying RPC over TCP connections when connecting over the Internet. !

This means you can control the check box “On fast network, connect using HTTP first, then connect using TCP/IP”. Here are the two options:

    • Always connect using HTTP (mark “on fast networks”) :

Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect

    • Use TCP/IP first, then HTTP (default):

Set-OutlookProvider EXPR -OutlookProviderFlags:None

This should cover it, no more pop ups and hopefully Outlook Anywhere and you will be friends again !

ilantz

Credits (or links) :

When, if and how do you modify Outlook Providers?

Set-OutlookProvider

Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG

Exchange 2013 Outlook Anywhere Considerations

Watch out from latest outlook updates !

Hey everyone,

There has been a growing concern about the issues from latest Outlook 2007 / 2010 updates:

http://blogs.office.com/b/microsoft-outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx

Microsoft has released the updated http://support.microsoft.com/kb/2412171 KB, but it seems not all troubles were solved, mainly the Autodiscover issue. Since http://support.microsoft.com/kb/2479671 was released, followed by the “original” 2412171 KB, numerous issues have been identified with Outlook features.

I’d advise staying away from these updates until all is clear.

Update – Office 2007 Cumulative Update for February 2011 is now released

Ilantz

Exchange Calendar Update Tool – Extract Mailboxes from Exchange 2010 fails

Every year in December, we in Israel ( and at some other points of the year, all over the world.. ) have to rebase some calendar appointments..

This entry is not about daylight saving bashing 😉 but just a note to anyone that will use the Exchange Calendar Update Tool against Exchange 2010 mailboxes and servers.

I did not have enough time to actually find out why this happens and what the appropriate fix is, but here’s a workaround for the error and the empty result when extracting the mailboxes from the servers..

If you examine the msextmz extract log when trying to search for the mailboxes on the required servers, you will notice that the output is empty and zero mailboxes are reported.

Needless to say, this obviously eliminates the possibility of extracting time zones from the mailboxes – I will not cover this issue, because in Israel we need to rebase the appointments just to reflect the current daylight saving durations..

Any way here’s the error:

[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Please log on to a profile with administrator privileges.
[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Unable open mailbox table for server /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-2010.  Error 0x80004005.
[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Returning Error 0x80004005

You can easily report the mailboxes from powershell using:

Get-mailbox -ResultSize:unlimited -RecipientTypeDetails usermailbox | select ServerLegacyDN, LegacyExchangeDN | Export-Csv mailboxes.csv

Then use excel to export the data and match it with the format for the update tool which should be like this:

ServerLegacyDN <TAB> LegacyExchangeDN <TAB> TimeZone

Save that to a TXT file, watch the formatting and tabs ! Remove all the CSV hyphens, commas etc..

 

Hope this will be fixed anytime soon, or a clarification will be published..

until then, good luck !

and Happy Holidays !

ilantz

 

Some Links:

Using the Exchange Calendar Update Tool to address daylight saving time changes for Exchange Server

December 2010 DST Cumulative Update for Windows operating systems