• Public Folder Updates in Exchange 2013 CU6: Improving Scale and More

    Note: Some of the documentation referenced may not be fully available at the time of publishing of this post.

    Exchange Server 2013 Cumulative Update 6 (CU6) was released today and provides several important updates for modern Public Folders. This blog post introduces you to the updates delivered in CU6 and discusses our ongoing investments in public folders.

    10x Increase in Public Folder Limits

    CU6 delivers the first round of investments we have made to scale up the limits for Public Folders in Exchange Server 2013. CU6 raises the folder count limit to 100,000 folders. This is a 10x increase over the prior limit as defined in the Exchange Server 2013 limits for public folders. This enables you to migrate and deploy larger Public Folder hierarchies on premises with Exchange Server 2013. Customers can immediately take advantage of this new scale by deploying CU6.

    In addition to the increased folder scale capabilities, CU6 delivers improvements for concurrent access to Public Folders by reducing lock contention in the store for hierarchy sync and content mailbox access.

    As you scale the number of public folders in Exchange, you might need to keep track of the number of folders that have been created. Exchange PowerShell provides an easy way to see the current public folder count in Exchange Server 2013. Using the Get-PublicFolder and Measure-Object cmdlets, you can readily get a current count of the public folders created in Exchange 2013.

    Get-PublicFolder -Recurse -ResultSize Unlimited | Measure-Object
    Count    : 40051
    Average  :
    Sum      :
    Maximum  :
    Minimum  :
    Property :

    Mail-Enabled Public Folder Permission Changes

    This is an important change for customers already using Public Folders in Exchange Server 2013. Prior to CU6, unauthorized senders were able to send messages to mail-enabled Public Folders, which means external users could send email to mail-enabled Public Folders regardless of permissions. With CU6, administrators must grant the Anonymous user the Create Items permission on a mail-enabled Public Folder to allow external users to send email to that folder. Refer to the Public Folders section of the CU6 release notes for guidance on updating your configuration.
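
    One way to review this setting after installing CU6, as an added example that is not from the original post or the release notes: the script lists every mail-enabled public folder and reports whether the Anonymous entry carries Create Items, either directly or through a role that includes it. It assumes the Exchange Management Shell; the folder path in the final comment is a placeholder.

```powershell
# Added example: audit which mail-enabled public folders accept mail from
# anonymous (external) senders under the CU6 permission model.

# The bare right, plus the built-in roles that include CreateItems.
$createRights = 'CreateItems', 'Contributor', 'NonEditingAuthor', 'Author',
                'PublishingAuthor', 'Editor', 'PublishingEditor', 'Owner'

$report = Get-PublicFolder -Recurse -ResultSize Unlimited |
    Where-Object { $_.MailEnabled } |
    ForEach-Object {
        $folder = $_
        $perm = Get-PublicFolderClientPermission -Identity $folder.Identity `
                    -User Anonymous -ErrorAction SilentlyContinue
        $rights = @()
        if ($perm) { $rights = @($perm.AccessRights | ForEach-Object { "$_" }) }

        [pscustomobject]@{
            Folder              = "$($folder.Identity)"
            AnonymousRights     = $rights -join ','
            # True when external senders can deliver to this folder after CU6.
            AcceptsExternalMail = [bool]($rights | Where-Object { $createRights -contains $_ })
        }
    }

$report | Sort-Object AcceptsExternalMail, Folder | Format-Table -AutoSize

# To allow external senders on a folder that needs it (placeholder path):
# Add-PublicFolderClientPermission -Identity '\Sales\Inbound' -User Anonymous -AccessRights CreateItems
```

    Folders reported with AcceptsExternalMail set to True are reachable by any external sender, so the list doubles as an inventory of intentionally public addresses.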

    Automatic Public Folder mailbox readiness management after migration

    An additional change delivered in CU6 for Public Folders helps improve the administrator experience post migration. All PF mailboxes serve hierarchy by default in Exchange Server 2013. We have introduced new logic to check whether the hierarchy is fully synced to a mailbox after migration. If it is, the mailbox is automatically made available to serve public folder hierarchy connections; otherwise, we wait for the full sync to complete. This relieves admins of manually managing the readiness of a mailbox after migration completes. Admins can still turn hierarchy serving off and on (default = on) as they please. Refer to the Public Folder article for specific attributes to control hierarchy sync.

    Public Folder Deployment Guidance

    The increased scale capabilities for public folders in CU6 enable more advanced configurations to begin migrating to modern Public Folders. To meet the needs of these large scale migrations, the team has created deployment guidance to assist customers migrating larger scale public folder hierarchies. This deployment guidance will become available in the next few weeks. We will update this post with a link once it is available.

    What’s Next

    This is the first round of public folder scale improvements we are working to deliver as we shared in the prior Exchange team blog post. Scale improvements are targeted to increase again in a future update. Scale improvements will remain our top priority for Public Folder updates. Other updates such as OWA support for calendar and contacts and Public Folder reporting tools are expected to follow after delivering further scale updates.

    Brian Shiers
    Technical Product Manager

    Frequently asked questions

    Q: Is there a limit for the number of sub-folders within a single public folder?
    A: The recommended maximum number of sub-folders is 1000. This is the level that has been validated and is the same limit used in Exchange Online.

    Q: Is there a limit for the folder depth of the hierarchy?
    A: The recommended maximum depth of the hierarchy is 300 folder levels. This is the level that has been validated and is the same limit used in Exchange Online.

    Q: Does the increase in folder count change the number of public folder mailboxes or quota for public folders?
    A: The number of public folder mailboxes and the total public folder quota remain unchanged. These and other limits are documented in the Public Folder Limits article.

  • Released: Cumulative Update 6 for Exchange Server 2013

    Note: We have learned that customers using Exchange Server 2013 and Exchange Server 2007 co-existence can experience an issue causing Exchange Server 2013 CU6 databases to fail over. Please refer to KB2997209 for the specific scenario impacted.

    The Exchange team is announcing today the availability of our most recent quarterly servicing update to Exchange Server 2013. Exchange Server 2013 Cumulative Update 6 and updated UM Language Packs are now available on the Microsoft Download Center. CU6 represents the continuation of our Exchange 2013 servicing and builds upon Exchange 2013 CU5. The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins. A complete list of customer reported issues resolved in Exchange 2013 CU6 can be found in KB 2961810. Customers running any previous release of Exchange 2013 can move directly to CU6 today. Customers deploying Exchange 2013 for the first time may skip previous releases and start their deployment with CU6 as well.

    We would like to call your attention to a couple of items in particular about the CU6 release:

    • As discussed at MEC 2014 and other forums, CU6 includes significant improvements in Public Folder scalability. More details about this in Public Folder Updates in Exchange 2013 CU6: Improving Scale and More.
    • CU6 includes a fix for the HCW issue discussed in KB 2988229. A reminder for those customers who installed the Interim Update which resolved this issue: it's NOT necessary to uninstall the Interim Update prior to installing CU6.

    For the latest information and product announcements about Exchange 2013, please read What's New in Exchange 2013, Release Notes and Exchange 2013 documentation on TechNet.

    CU6 includes Exchange-related updates to Active Directory schema and configuration. For information on extending schema and configuring Active Directory, please review Prepare Active Directory and domains in Exchange 2013 documentation.

    Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., CU6) or the prior (e.g., CU5) Cumulative Update release.

    Note: Documentation may not be fully available at the time this post was published.

    The Exchange Team

  • Released: Update Rollup 7 for Exchange Server 2010 Service Pack 3

    The Exchange team is announcing today the availability of Update Rollup 7 for Exchange Server 2010 Service Pack 3. Update Rollup 7 is the latest rollup of customer fixes available for Exchange Server 2010 Service Pack 3. The release contains fixes for customer reported issues and previously released security bulletins. Update Rollup 7 is not considered a security release as it contains no new previously unreleased security bulletins. A complete list of issues resolved in Exchange Server 2010 Service Pack 3 Update Rollup 7 may be found in KB2961522. Customers running any Service Pack 3 Update Rollup for Exchange Server 2010 can move to Update Rollup 7 directly.

    The release is now available on the Microsoft Download Center. Update Rollup 7 will be available on Microsoft Update in September.

    Note: The KB article may not be fully available at the time this post was published.

    The Exchange Team

  • Released: Update Rollup 14 for Exchange Server 2007 Service Pack 3

    The Exchange team is announcing today the availability of Update Rollup 14 for Exchange Server 2007 Service Pack 3. This latest rollup supports recent DST updates. The rollup contains all previously released security bulletins and fixes and updates for Exchange Server 2007 Service Pack 3 as well. This is not a security release, but customers are encouraged to deploy these updates to their environment once proper validation has been completed. More information on this rollup is available in KB2936861.

    Note: The KB article may not be fully available at the time this post was published.

    The Exchange Team

  • Released: PelNet v2.0

    Update: On August 25, 2014, the pelnet.ps1 script was updated to fix a minor bug.

    EHLO Exchange community,

    It seems that PelNet has been well received and I’ve been receiving requests to add much wanted functionality to PelNet. So this article is a quick update on some of the cool new features that administrators can use to help troubleshoot and validate mail flow.

    The new features added in this release:

    1. Ability to test against multiple recipients – this is useful if you want to test to multiple external domains without having to run the tool again.
    2. Optimized remote execution against transport servers for better performance across a large number of servers.
    3. The ability to validate if TLS negotiation is working. This is one of the most useful feature additions.

    The above features gave birth to two new parameters: validateTLS and CertThumbPrintOverride.

    Let’s recap the parameters with the new ones introduced.

    • AddressSpace: Which AddressSpace should the script look for in the Send Connectors?
    • sendConnector: Specify if you want the scope to be a single Send Connector.
    • SourceTransportServers: Accepts comma separated list of transport servers to test from.
    • smartHost: The smarthost you want to test against. Accepts comma separated list value. (when validating TLS be sure to use FQDN of remote host – certificate validation will fail if IP is used)
    • mailSubmissionTest: Use this switch if you want the script to submit the mail to the mailbox. If you omit the parameter the script will skip the DATA portion of the SMTP verb.
    • From: From address (postmaster@contoso.com)
    • Rcpt: Recipient Addresses –accepts comma separated list of addresses (testmailbox@fabrikam.com,testmailbox@wingtiptoys.com)
    • LogFolderPath: Log file and report location, default will be current path if not specified.
    • Port: Default is 25, but you can specify a custom port if you need to.
    • validateTLS: This switch will enable TLS validation – this changes the SMTP verb array being used to include the STARTTLS verb (and some other more complicated stuff).
    • CertThumbPrintOverride: This allows the operator to override the logic used to determine the SMTP certificate assigned to the transport servers.

      This can also be used to test TLS to a specific host before assigning the certificate to the SMTP service in Exchange, i.e. pre-validations prior to production change. The certificate needs to be in the local machine certificate store.

      It’s important to note that the code logic uses best effort to determine the SMTP certificate assigned. Using the CertThumbPrintOverride parameter allows you to override this easily.

    Script Execution Examples

    Show the full help with examples

    Get-Help .\pelnet.ps1 -Full

    To test mail flow and validate TLS to a smarthost against all the transport servers on port 25 to multiple recipients. (Will not submit the message for delivery)

    .\PelNet.ps1 -From postmaster@adatum.com -Rcpt user1@contoso.com,user2@fabrikam.com,user3@wingtiptoys.com -smarthost webmail.contoso.com -validateTLS

    To test mail flow and validate TLS to a smarthost against all the transport servers on port 25 to multiple recipients. (Submits the message for delivery and overrides the certificate to use)

    .\PelNet.ps1 -From postmaster@adatum.com -Rcpt user1@contoso.com,user2@fabrikam.com,user3@wingtiptoys.com -smarthost webmail.contoso.com -validateTLS -mailsubmissiontest -certThumbprintOverride 1A13124HJG1234K12JHG312J123D

    To test mail flow and validate TLS to EOP from your hybrid servers on port 25 to multiple recipients (also submit the mail to EOP).

    .\PelNet.ps1 -From postmaster@adatum.com -Rcpt user1@contoso.com,user2@fabrikam.com,user3@wingtiptoys.com -smarthost adatum-mail-onmicrosoft-com.mail.protection.outlook.com -validateTLS -sourceTransportServers E15HYBRID01,E15HYBRID02 -mailsubmissiontest

    The TLS validation logic will authenticate against the remote server with the certificate assigned to SMTP or the certificate that matches the thumbprint used in the override parameter. If the remote host is configured with Opportunistic TLS and the handshake fails, the session will fall back to unencrypted SMTP.

    The console output won’t show the verbs being sent, as the code is invoked on multiple servers concurrently, but the final output table and output file will be exactly as previously described in PelNet 1.0.

    From the below output:

    The STARTTLS verb is sent and the server responds with 2.0.0 SMTP Server Ready; the SSL stream is then established by authenticating against the target host using the certificate that matches the thumbprint provided (or dynamically found using best effort).

    The verbs are then sent over the SSL stream and the recipient lookup succeeds.

    [Screenshot: pelnet1]

    The following is an example of a certificate validation issue on one server:

    [Screenshot: pelnet2]

    Some of the most common certificate validation errors are:

    • Certificate revocation list not found.
    • The remote hostname does not match the name on the certificate.
    • Certificate is expired.
    • The root certificate is not installed on the sending server, i.e. the server does not trust the remote certificate it received.

    The above validation error was quickly fixed by installing the root certificate from the Contoso environment on the EX14-02 server.
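
    The check behind those four errors, as an added example that is not PelNet code: the function sends STARTTLS, completes the handshake with revocation checking enabled, and maps the .NET validation results onto the errors listed above. Unlike PelNet it presents no client certificate, and the host name in the last line is a placeholder.

```powershell
# Added example, not PelNet code. Run it from the sending transport server.
function Test-SmtpStartTls {
    param([Parameter(Mandatory = $true)][string]$SmartHost, [int]$Port = 25)

    $script:tls = @{ Policy = 'TLS not negotiated'; Chain = @() }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($SmartHost, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        do { $line = $reader.ReadLine() } while ($line -match '^220-')   # banner
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        do { $line = $reader.ReadLine() } while ($line -match '^250-')   # EHLO reply
        $writer.WriteLine('STARTTLS')
        $reply = $reader.ReadLine()
        if ($reply -match '^220') {
            # Record the validation result and accept, so every finding is reported.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
                param($s, $cert, $chain, $errors)
                $script:tls.Policy = $errors.ToString()
                $script:tls.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
                $true
            }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
            # The final $true enables the revocation (CRL) check.
            $ssl.AuthenticateAsClient($SmartHost, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $true)
            $ssl.Dispose()
        }
    }
    finally { $client.Close() }

    # Map .NET chain status values onto the errors listed above.
    $map = @{ RevocationStatusUnknown = 'Certificate revocation list not found'
              OfflineRevocation       = 'Certificate revocation list not found'
              NotTimeValid            = 'Certificate is expired or not yet valid'
              UntrustedRoot           = 'Root certificate is not trusted by this server' }
    $findings = @($script:tls.Chain | Where-Object { $map.ContainsKey($_) } |
                  ForEach-Object { $map[$_] } | Select-Object -Unique)
    if ($script:tls.Policy -match 'RemoteCertificateNameMismatch') {
        $findings += 'Remote hostname does not match the name on the certificate'
    }
    [pscustomobject]@{ SmartHost = $SmartHost; StartTlsReply = $reply
                       PolicyErrors = $script:tls.Policy; Findings = $findings -join '; ' }
}
Test-SmtpStartTls -SmartHost 'mail.example.test'
```

    A PolicyErrors value of "TLS not negotiated" means the server did not accept STARTTLS, which is the case where an opportunistic session continues unencrypted.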

    Until next time,

    Michael Hall
    Service Engineer
    Office 365