Microsoft Exchange: Unable to export Exchange attributes (msExchArchiveGUID) from Active Directory after shut down

Hi everyone, it has been a while, due to Chinese New Year. Anyway, it is good to be back!

The situation for this issue is that you have shut down the Microsoft Exchange server and are in the process of rebranding (for example, changing the UPN, email address or logon), but some users have trouble opening their online archive. Hence, you would like to export their msExchArchiveGUID from Active Directory and compare it with the cloud’s archive GUID instead of turning the Exchange server back on (you do not want to make your effort redundant). However, no matter how you try with this command on your Active Directory, Get-ADUser -Filter * -Properties * | Export-Csv filename.csv, you still can’t get the values to show up in your CSV file.

This article requires reviewing the reference links.

Don’t panic! All you have to do is:

  1. Prepare a test PC (Windows 10 or later) or a non-critical server (Windows Server 2012 R2 or later) that is domain-joined
    • I would recommend using a test PC, to avoid the hassle of checking whether the Windows Server is critical or not, or of getting stuck at the Exchange Server wizard (Role Selection)
  2. Prepare an account that has domain admin rights.
  3. Make sure you know your Exchange Server’s version and cumulative update (for example, the CU for Exchange 2013, 2010, 2016 or 2019).
    • If you don’t remember, you can always locate the Exchange Server’s object in your AD. Otherwise, you have to guess.
  4. Log on to the PC with the domain admin account > Install the RSAT tools on the PC
    • Recommended RSAT tools are: Active Directory Domain Services and Lightweight Directory Services Tools, and Server Manager
  5. Install IIS 6 Metabase Compatibility and IIS 6 Management Console
  6. Reboot the PC
  7. Log on to the PC again with the same account, open a browser, search for your Exchange Server CU version and download the package
  8. Extract or mount the .iso file and run Setup.exe
  9. Choose the option not to allow Windows Update > Next
  10. Accept the license agreement > Next
  11. On the Recommended Settings page, choose recommended settings or not.
  12. On the Server Role Selection page, choose only Management tools > Next
  13. You can keep the default installation location
  14. On the prerequisite check page, if you face any errors, just follow the instructions on how to resolve them, or search for how to do it based on your PC’s OS version.
  15. Once the Exchange management tools are installed successfully, you can start to export your msExchArchiveGUID
  16. Once finished, remember to revert the configuration changes on the PC
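For the export step itself, here is an added example that is not from the original post. One detail worth knowing whichever way you get at the attribute: Get-ADUser returns msExchArchiveGUID as a byte array, and Export-Csv writes a byte array as the literal text System.Byte[], so the value has to be converted to a GUID string before it is useful for comparison. The script assumes the ActiveDirectory RSAT module on a domain-joined machine, and it assumes the cloud-side values were exported separately (reference 3 below) into a CSV named cloud-archive-guids.csv with UserPrincipalName and ArchiveGuid columns; both file names are placeholders.

```powershell
# Added example (not from the original post): export msExchArchiveGUID from AD as a
# readable GUID and compare it with a cloud-side export. File names are assumptions.
Import-Module ActiveDirectory

# Only users that actually have an archive GUID set (presence filter on the attribute).
$users = Get-ADUser -Filter 'msExchArchiveGUID -like "*"' `
                    -Properties msExchArchiveGUID, mail, userPrincipalName

# Convert the byte[] into a GUID string; without this Export-Csv writes "System.Byte[]".
$users |
    Select-Object SamAccountName, userPrincipalName, mail,
        @{ Name = 'ArchiveGuid'
           Expression = { [guid]::new([byte[]]$_.msExchArchiveGUID).ToString() } } |
    Export-Csv -Path .\archive-guids.csv -NoTypeInformation -Encoding UTF8

# Compare against the cloud side. $cloudCsv is an assumed export taken from
# Get-Mailbox | Select-Object UserPrincipalName, ArchiveGuid in Exchange Online.
$cloudCsv = '.\cloud-archive-guids.csv'
if (Test-Path $cloudCsv) {
    $cloud = @{}
    Import-Csv $cloudCsv | ForEach-Object { $cloud[$_.UserPrincipalName] = $_.ArchiveGuid }

    Import-Csv .\archive-guids.csv | ForEach-Object {
        $cloudGuid = $cloud[$_.userPrincipalName]
        if (-not $cloudGuid) {
            "NO CLOUD ARCHIVE {0}" -f $_.userPrincipalName
        }
        elseif ($cloudGuid -ne $_.ArchiveGuid) {
            "MISMATCH {0}: AD={1} Cloud={2}" -f $_.userPrincipalName, $_.ArchiveGuid, $cloudGuid
        }
    }
}
```

Users whose archive GUID differs between the two sides are the ones to look at first; a user with no cloud value at all is listed separately so the two cases are not confused.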

References:

  1. https://learn.microsoft.com/en-us/exchange/install-exchange-2013-using-the-setup-wizard-exchange-2013-help
  2. https://learn.microsoft.com/en-us/exchange/iis-6-compatibility-components-not-installed-longhorniis6mgmtconsolenotinstalled-exchange-2013-help
  3. https://learn.microsoft.com/en-us/powershell/exchange/filter-properties?view=exchange-ps#archiveguid

Exchange Migration: Outlook kept prompting for password after migration

Hi guys and girls, hope you are doing well. As the pandemic is still ongoing, I hope you are keeping cleanliness and safety first.

Today’s topic is about the Exchange migration of mailboxes from on-premises to Office 365. The issue is that legacy Windows clients or legacy Office apps have a problem where Outlook keeps prompting for credentials and shows as disconnected. The issue also happens on Windows 10 machines, but not as aggressively as on Windows 7 machines.

This environment has the following items:

  1. Exchange server: 1 unit, version 2013, CU23 (latest)
  2. Windows clients: combination of Windows 7 and Windows 10
  3. Office applications: combination of 2013, 2016, 2019 and Microsoft 365 Apps for business, on both Windows 7 and Windows 10
  4. Migration method: remote move migration
  5. Hybrid established: yes
  6. Microsoft 365 license: Business Standard/Basic

As we all know, the major prerequisites must be met before establishing the hybrid and performing the migration.

We noticed intermittent connections while running Wireshark on Windows 7 with Microsoft 365 business apps, while trying to log in with the migrated account’s credentials in the Outlook app. We re-created the Outlook profile and the credential prompts stopped. This is definitely not the right solution; the solution depends on what caused the issue.

At first we suspected something to do with whitelisting at the network layer, but we confirmed that the whitelisting was correctly configured. Next, we suspected something to do with compatibility of Windows and/or the Office apps version. This was not a very good idea. After some quick research, I came across modern authentication as a possible cause, and that is where I had the idea of suggesting turning off security defaults in the Azure portal and then turning off modern authentication in the Office 365 tenant. After 10 to 15 minutes, the intermittent connections no longer showed up in Wireshark.

Modern authentication is enabled by default for every new Office 365 tenant, so please be aware: if your environment has legacy Windows clients or legacy Office applications running, consider turning these off first before proceeding to deploy Microsoft 365 Apps.

Azure portal > Azure AD > Properties > Manage security defaults
Office 365 admin center > Settings > Org Settings > modern authentication

Modern authentication was what interfered with these machines: it kept challenging users to key in their credentials because the compatibility requirements were not met. Once modern authentication is turned off, the environment runs on basic authentication.
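The same two switches can be checked and changed from PowerShell instead of the portals, which also makes it easy to switch them back on once the legacy clients are gone. The block below is an added example, not from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account may change the organization config and security defaults; the Graph cmdlet names and permission scope are written from memory and are an assumption.

```powershell
# Added example (not from the original post): read and change tenant-wide modern
# authentication and Azure AD security defaults from PowerShell. Module and cmdlet
# names for the Graph part are an assumption.
Connect-ExchangeOnline

# 1. Tenant-wide modern authentication. OAuth2ClientProfileEnabled is the setting behind
#    "modern authentication" in the admin center (Settings > Org Settings).
$org = Get-OrganizationConfig
"Modern authentication enabled: {0}" -f $org.OAuth2ClientProfileEnabled

# Turn it off only while the Windows 7 / older Office clients are still in use, exactly as
# the post does via the admin center; clients then fall back to basic authentication.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $false

# 2. Azure AD security defaults (Azure portal > Azure AD > Properties > Manage security defaults).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

# 3. Re-check both after 10 to 15 minutes, the propagation time seen in the post.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy | Select-Object IsEnabled

# Once the legacy clients are retired, put both back:
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
```

Keeping the re-enable lines next to the disable lines is deliberate: the basic-authentication fallback is a temporary compatibility state for the older machines, and the same script is the record of how to close it again.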


Exchange Hybrid, Exchange Online & Outlook: How to get more email storage space?

Currently, most enterprise users use local storage to save their emails. For those on SSD storage this would be a problem, and the same goes for users of normal HDD storage.

What is online archive? Online archive is basically like the local archive feature you usually see in Outlook, but it is online/cloud-based and provides 1TB of space. If the organization enables this, it would probably also enable a retention policy; this is just a policy that automates moving emails from the primary mailbox to the online archive after a set period. Anyway, this is up to the organization’s settings and decisions.

*Note: Retention policy has many functions and it is also security-related

To have online archive, your organization must have a license like Office 365 ProPlus, E3, Office 365 Business or Office 365 Business Premium.

How to enable online archive?

  1. If the organization is in a hybrid environment using Exchange 2016 and Exchange Online, the IT admin can enable the online archive from Exchange 2016.
  2. If the organization is in a hybrid environment using Exchange 2013 (as a bridge for migration to Exchange Online) and also has older versions of Exchange, then as IT admin you can only enable the online archive via Exchange Online. This is because the unique ID could possibly cause issues. (Not much of an issue if you plan to upgrade Exchange 2013 to Exchange 2016.)
  3. If the organization fully utilizes Exchange Online only, then as IT admin you can enable the online archive from Exchange Online > Recipients > select the specific recipient > Mailbox features.

*Note:

  1. If you wish to bulk enable, do it using PowerShell; there are also other places in Office 365 where you can enable the online archive, such as Security & Compliance.
  2. If you wish to disable it and use only the primary mailbox again, below is a reference on how to do it.
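Bulk enabling (note 1) and disabling again (note 2) from PowerShell, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module for the Exchange Online case (item 3 above); for the hybrid case in item 1 the on-premises equivalent is Enable-RemoteMailbox -Archive from the Exchange 2016 shell, shown as a comment. The user address is a placeholder.

```powershell
# Added example (not from the original post): bulk-enable the online archive for every
# user mailbox that does not have one, with a preview first, then verify; finally the
# single-user disable for going back to the primary mailbox only.
Connect-ExchangeOnline

# Candidates: user mailboxes whose ArchiveStatus is still None (no archive provisioned).
$candidates = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveStatus -eq 'None' }

"{0} mailbox(es) without an archive" -f @($candidates).Count
$candidates | Select-Object DisplayName, PrimarySmtpAddress, ArchiveStatus

# Dry run (nothing changes), then the real run.
$candidates | Enable-Mailbox -Archive -WhatIf
$candidates | Enable-Mailbox -Archive

# Verify: ArchiveStatus becomes Active and ArchiveGuid is populated.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Select-Object DisplayName, ArchiveStatus, ArchiveGuid

# Hybrid (item 1): from the on-premises Exchange 2016 shell the equivalent is
# Enable-RemoteMailbox -Identity 'user@domain.com' -Archive

# Note 2: disable the archive for one user and keep only the primary mailbox.
# Disable-Mailbox -Identity 'user@domain.com' -Archive -Confirm:$false
```

The -WhatIf run is the part worth keeping: it prints one line per mailbox that would be changed, so a wrong filter is caught before 1TB archives are provisioned for the wrong set of users.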

Reference:

  1. https://technet.microsoft.com/en-us/library/archive-features-in-exchange-online-archiving.aspx
  2. https://docs.microsoft.com/en-us/office365/securitycompliance/enable-archive-mailboxes
  3. https://docs.microsoft.com/en-us/office365/securitycompliance/unlimited-archiving

Exchange 2013 Decommission: Unable to uninstall Exchange 2013 because it is still holding older Exchange records

You have already migrated all Exchange 2013 arbitration mailboxes to Exchange 2016, but you find there are still older, useless Exchange arbitration mailboxes in Exchange 2013, and these mailboxes show as disabled objects in Active Directory (Windows Server 2016). However, they prevent you from disabling or removing the mailboxes from Exchange 2013 via Exchange PowerShell, and from proceeding with the uninstall of Exchange 2013, because their status still shows as “Active”.

Here are the steps on how to resolve it:

  1. Make sure anti-virus is disabled
  2. Remove these old arbitration mailbox/discovery mailbox/monitoring mailbox objects (please refer to the reference for a sample list) from Active Directory
  3. Before removing an object, check that the object’s “homeMDB” attribute holds the Exchange 2013 mailbox database name (you can get it by running “Get-MailboxDatabase” in the Exchange PowerShell). (If you remove the wrong one, it will be troublesome to recover.)
  4. Go to the Exchange 2013 server > open Control Panel > Programs and Features > select the Microsoft Exchange cumulative update > right-click it and select Uninstall > refresh the Control Panel page to make sure it is uninstalled
  5. After the uninstall completes, restart the server > disjoin the server from the domain > remove the server object from Active Directory
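The check in step 3 is the one that protects you from deleting the wrong object, so here it is as an added example (not from the original post) that lists every AD object whose homeMDB still points at an Exchange 2013 database before anything is removed. It assumes the Exchange Management Shell on a machine that also has the ActiveDirectory RSAT module; the server name is a placeholder.

```powershell
# Added example (not from the original post): list objects still homed on an
# Exchange 2013 database so step 2 only touches those. Server name is a placeholder.
Import-Module ActiveDirectory
$oldServer = 'EXCH2013-PLACEHOLDER'

# Distinguished names of every database still hosted on the Exchange 2013 server
# (this is the "Get-MailboxDatabase" value the post refers to).
$oldDbs = Get-MailboxDatabase -Server $oldServer | Select-Object Name, DistinguishedName

foreach ($db in $oldDbs) {
    # homeMDB is a DN-syntax attribute, so an exact match on the database DN works.
    # Search scope is the whole domain, which covers the Users container and the
    # "Monitoring Mailboxes" container where HealthMailbox objects live.
    Get-ADObject -Filter "homeMDB -eq '$($db.DistinguishedName)'" `
                 -Properties homeMDB, msExchRecipientTypeDetails |
        Select-Object @{ n = 'Database'; e = { $db.Name } },
                      Name, DistinguishedName, msExchRecipientTypeDetails
}
```

Anything in this output that is not one of the old arbitration, discovery or monitoring mailboxes from the reference list should be moved to Exchange 2016 rather than deleted; an empty output for every old database is what you want to see before step 2.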

 

*Note:

If you have completed the steps above but are still unable to uninstall via the GUI because an error pops up saying “incomplete installation…”, then run cmd as administrator and use the command-line command to uninstall. (Please refer to the reference.)

 

Reference

  1. http://techgenix.com/removing-exchange-server-mailbox-your-environment/
  2. https://social.technet.microsoft.com/Forums/exchange/en-US/4726db53-b5ac-488a-a801-a4774ffcdc34/cannot-uninstall-exchange-2013?forum=exchangesvrgeneral
  3. https://www.kerneldatarecovery.com/blog/step-by-step-guide-for-migrating-exchange-server-2013-to-2016-part-6/

Exchange Hybrid & PowerShell: How to customize a permission of a role?

Again, not brain surgery. You just need to calm your mind and enjoy understanding it.

Yes, I know there are default settings or features that don’t meet the customer’s requirements, so they always request customization.

So basically I expect that you know what the default roles in Exchange hybrid are and the permissions inside them. Anyway, only an administrator is able to view where the roles are. You can find them at your Exchange hybrid console > Permissions > Admin roles.

*Note:

  • I prefer to use PowerShell to create this customized permission role because it provides more details of what functions run in each role type.
  • And you can dig deeper by removing/adding certain role type functions that you would not wish to be in your customization.
  • Try not to configure the default roles given
  • Always create a new role

Using the interface to create an admin role group

However, the interface doesn’t actually allow you to create customized roles.

To create a new admin role group for your customized permissions, go to Exchange hybrid console > Permissions > Admin roles > “+”

Example below:

[Screenshot: Capture01]

Select the roles you want for your customized permission:

[Screenshot: Capture02.PNG]

Using PowerShell to create the customization

What I would do is copy a default role and its permissions into my new role, picking the one that is closest to my client’s request, and then eliminate permissions based on a comparison such as “query the role’s permissions and, if an entry is not one of the wanted permissions, remove it”. This will definitely save much more time.

If you aren’t sure which default role you should copy, extract the detailed list of each role’s permissions. Simply type the following command:

    Get-ManagementRole * | Get-ManagementRoleEntry

  1. Go to your Exchange Hybrid server > open the Exchange PowerShell console (Run as Administrator)
  2. Run the commands below
    #To get a list of role types
    Get-ManagementRole
    
    #Get function details of each role type
    Get-ManagementRole "RoleTypeName" | Get-ManagementRoleEntry
    
    #Create a new customized role by copying a default role type
    New-ManagementRole -Parent "RoleTypeName" -Name "NewCustomizePermissionRoleName"

    *RoleTypeName would be the names in the picture below, circled in red

    [Screenshot: Capture01, role type names]

    Get-ManagementRoleEntry basically gets the list of permissions that are inside the role.

    *Each role has its own list of permissions

  3. If you wish to limit or remove a role type’s functions/permissions, you can run these commands
    #Find the customized role that you had created
    #Keep only the entries named "Get-RemoteDomain" and "New-RemoteDomain" and remove all the other entries
    Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" | Where { $_.Name -NotLike "Get-RemoteDomain" -and $_.Name -NotLike "New-RemoteDomain" } | Remove-ManagementRoleEntry
    
    #Query your modified customization, to check whether the modifications are correct
    Get-ManagementRoleEntry "NewCustomizePermissionRoleName\*" | Select Name, Role | ft
    
    #If you wish to undo, just run this command
    #It will get the function "Get-Mailbox" from the role type and add it into your customization
    Get-ManagementRoleEntry "RoleTypeName\Get-Mailbox" | Add-ManagementRoleEntry -Role "NewCustomizePermissionRoleName"
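The create, prune, verify and undo steps above as one allow-list driven script, plus the role group that makes the new role assignable, as an added example that is not from the original post. It assumes the Exchange Management Shell run by an organization administrator; the built-in parent role “Remote and Accepted Domains” exists in Exchange, while the custom role, group and member names are placeholders.

```powershell
# Added example (not from the original post): copy a built-in role, keep only an
# allow-list of cmdlets, verify, and assign the result through a new role group.
# Custom role, group and member names are placeholders.
$parentRole = 'Remote and Accepted Domains'          # built-in role to copy from
$newRole    = 'Custom Remote Domains Read-Create'    # placeholder
$keep       = @('Get-RemoteDomain', 'New-RemoteDomain')

# 1. Copy the parent role; all of its role entries come along with it.
New-ManagementRole -Parent $parentRole -Name $newRole

# 2. Work out which entries fall outside the allow-list, preview, then remove them.
$toRemove = Get-ManagementRoleEntry "$newRole\*" | Where-Object { $keep -notcontains $_.Name }
"{0} entries to remove, {1} to keep" -f @($toRemove).Count, $keep.Count
$toRemove | Remove-ManagementRoleEntry -WhatIf
$toRemove | Remove-ManagementRoleEntry -Confirm:$false

# 3. Verify what is left; only the allow-listed cmdlets should print.
Get-ManagementRoleEntry "$newRole\*" | Select-Object Name, Role

# 4. Assign the role through a new role group; the built-in parent role is untouched,
#    in line with the note above about never configuring the default roles.
New-RoleGroup -Name 'Remote Domain Operators' -Roles $newRole -Members 'admin.user@domain.com'

# Undo a single removal later by copying that entry back from the parent role.
# Get-ManagementRoleEntry "$parentRole\Set-RemoteDomain" | Add-ManagementRoleEntry -Role $newRole
```

Driving the prune from an explicit $keep list rather than a chain of -NotLike clauses means the intended permission set is visible in one place, and the -WhatIf line shows exactly what would go before -Confirm:$false removes it.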

 


Exchange 2016: “Database is mandatory on UserMailbox”

When you are setting up a new Exchange server to upgrade the current one, with all the prerequisites applied, the next step is to run the Setup.exe file of the Exchange CU. However, you notice that the setup interface has stopped at Step 7, “Mailbox role setup”, because of an error.

Usually the interface doesn’t give you the detailed reason the error occurred.

“Mailbox role: Transport service : Error”

Example:

[Screenshot: Untitled picture]

To understand more about the error, go to Windows Explorer > open the C:\ drive > open the Exchange Setup Log folder > open the Exchange Setup txt file > scroll to the bottom to get the details.

Example:

[Screenshot: Capture]

*Error: Database is mandatory on UserMailbox;

Below are the sample logs and the error that caused the setup to stop; it seems that a system mailbox “SystemAttendantDependent_xxx” was found corrupted. Usually “corrupted” means that this account’s HomeMDB attribute value is empty. The solution is to add the correct value to the HomeMDB attribute of the corrupted account.

[Screenshot: capture1-e1525890833997.png]

Here is how it is done:

  1. To find whether there are any other corrupted mailboxes:
    • Open your current Exchange server’s PowerShell
    • Run this command
      • Get-Mailbox -Arbitration | Select Name, Database
      • It will then show you the corrupted mailboxes, each with a WARNING stated
  2. Go to ADSI Edit > connect to the Default naming context > Users container > search for a valid user account with a mailbox > open Properties
  3. Find the attribute HomeMDB > copy the value (*Optional: you can paste the value into Notepad temporarily)
  4. Go to ADSI Edit > connect to the Default naming context > Users container > search for a corrupted account > open Properties
  5. Find the attribute HomeMDB > replace the empty value with the copied value
  6. * Do this for every corrupted mailbox you found that is blocking the setup of your new Exchange server from completing.
  7. Rerun Setup.exe
  8. If the setup is successful, continue with the post-installation steps.
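Steps 2 to 6 done from PowerShell instead of ADSI Edit, as an added example that is not from the original post: it finds the system mailbox objects whose homeMDB is empty, takes the value from a known-good mailbox-enabled user, previews the change and then writes it. It assumes the ActiveDirectory RSAT module run as a domain admin; the reference user name is a placeholder, and the LDAP filter (objects with an Exchange mailbox GUID but no homeMDB) is my own way of selecting the broken objects, so compare its output with the names in the setup log before applying.

```powershell
# Added example (not from the original post): fill in an empty homeMDB on the
# corrupted system mailbox objects. 'good.user' is a placeholder.
Import-Module ActiveDirectory

# Step 2/3: a valid mailbox-enabled user whose homeMDB points at the right database.
$good = Get-ADUser -Identity 'good.user' -Properties homeMDB
if (-not $good.homeMDB) { throw "Reference user has no homeMDB; pick another one." }
"Using homeMDB: {0}" -f $good.homeMDB

# Step 4: system/arbitration mailboxes live in the Users container and still carry an
# Exchange mailbox GUID (msExchMailboxGuid) even when homeMDB has been lost.
$domainDn = (Get-ADDomain).DistinguishedName
$broken = Get-ADObject -SearchBase "CN=Users,$domainDn" `
    -LDAPFilter '(&(objectClass=user)(msExchMailboxGuid=*)(!(homeMDB=*)))' `
    -Properties homeMDB, msExchMailboxGuid

"{0} object(s) with an empty homeMDB" -f @($broken).Count
$broken | Select-Object Name, DistinguishedName

# Step 5/6: preview, then apply, to every object found. If anything unexpected is
# listed above, narrow $broken down by Name to the accounts named in the setup log.
$broken | Set-ADObject -Replace @{ homeMDB = $good.homeMDB } -WhatIf
$broken | Set-ADObject -Replace @{ homeMDB = $good.homeMDB }

# Re-check from the Exchange side (step 1): the WARNING lines should be gone.
# Get-Mailbox -Arbitration | Select-Object Name, Database
```

Run the -WhatIf line on its own first; it names each object that would be changed, which is the same check as reading the ADSI Edit properties one by one, only for all of them at once.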

*Note:

There could be other related corrupted accounts (which can’t be found from the Exchange PowerShell) that block the setup of your Exchange server from completing. Please look into the details of the logs to find the other corrupted accounts and replace their empty attribute values with the correct ones.

Office 365 & AD & Exchange Hybrid: How to create remote mailbox in Exchange Hybrid for existing user, in Active Directory and Office 365?

When you have an existing user record in Active Directory and you’ve accidentally provisioned the mailbox in Office 365, the result is that you are unable to add the user to any distribution group, etc., because it doesn’t have a record in Exchange Hybrid. Besides, the user’s primary email address isn’t correct, for example “xxxx@domain.onmicrosoft.com” instead of “xxxx@domain.com”.

Here are the steps to resolve the problem:

Implication: None (for me)

*Note: You have to be familiar with PowerShell. Best to try it on a test user account first.

  1. Go to the Exchange Hybrid server
  2. Open the Exchange Management PowerShell
  3. Type the following command:

    Enable-RemoteMailbox "userDisplayName" -RemoteRoutingAddress "xxxx@domain.mail.onmicrosoft.com"

  4. Go to the Azure AD Connect server
  5. Open Windows PowerShell and run:

    Start-ADSyncSyncCycle -PolicyType Delta

  6. You will then see that the particular user’s mailbox in Office 365 has more email addresses shown in the email addresses section, and the primary email address has changed to the right one.
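Steps 3 to 6 as one script, as an added example that is not from the original post: it enables the remote mailbox for the existing AD user, sets the correct primary address in the same call, triggers the delta sync on the Azure AD Connect server over PowerShell remoting, and shows what to verify on each side. It assumes the Exchange Management Shell on the hybrid server, PowerShell remoting to the AD Connect server, and the ExchangeOnlineManagement module for the final check; user, domain and server names are placeholders.

```powershell
# Added example (not from the original post): enable the remote mailbox, sync, verify.
# User, address and server names are placeholders.
$user       = 'jdoe'                               # existing AD user
$routing    = 'jdoe@domain.mail.onmicrosoft.com'   # hybrid routing address
$primary    = 'jdoe@domain.com'                    # address the user should actually have
$aadcServer = 'AADCONNECT-PLACEHOLDER'

# 1. Create the on-premises remote mailbox object (the record Exchange Hybrid was missing)
#    and set the primary SMTP address at the same time instead of waiting for it to change.
Enable-RemoteMailbox -Identity $user -RemoteRoutingAddress $routing -PrimarySmtpAddress $primary

# 2. On-premises check: primary and routing addresses should both be listed.
Get-RemoteMailbox -Identity $user |
    Select-Object DisplayName, PrimarySmtpAddress, RemoteRoutingAddress,
        @{ n = 'EmailAddresses'; e = { $_.EmailAddresses -join ';' } }

# 3. Push the change to Azure AD with a delta sync (the same command as step 5, run remotely).
Invoke-Command -ComputerName $aadcServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. After the sync has propagated, confirm from Exchange Online in a separate session.
# Connect-ExchangeOnline
# Get-Mailbox -Identity 'jdoe@domain.com' | Select-Object PrimarySmtpAddress, EmailAddresses
```

Setting -PrimarySmtpAddress explicitly does the same thing the post observes after the sync, but makes the intended address visible in the command rather than relying on the address policy to pick it.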

 

*Note: It may take half an hour for the overall settings to propagate to the user side, because until then the user will still see the incorrect primary SMTP address, even though the modification has been made.