System Mailboxes In Exchange Server & How To Recover Them

MS Exchange

I was at a customer site where they had issues with moderated transport not working properly in Exchange 2010 and they had done a “cleanup” recently and deleted all accounts which were disabled. That gave me a clue as to why moderated transport wasn’t working ;) I had a look in AD and couldn’t find any of the system mailboxes which are created as part of Exchange 2010 setup. This has prompted me to write this post. So, here it goes…

Exchange 2010 creates three system mailboxes as part of the setup in the root domain. They are SystemMailbox{1f05a927-xxxx-xxxx-xxxx-xxxxxxxxxxxx}(where x is a random number/alphabet, the account is used for moderated transport), SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} (used for discovery)and FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 (used for federated email). The accounts are disabled in AD and they are not meant to be enabled or deleted. You can find the accounts in the “Users” OU by default.

System mailbox accounts in AD

You can also find the system mailboxes by running “Get-Mailbox –Arbitration” in Exchange Shell.

Arbitration mailboxes

Now, what if someone accidently deletes the system mailboxes from Exchange, leaving the AD accounts in tact? The recovery is easy enough. As the AD accounts exist, all we need is to mailbox enable them with the –Arbitration switch. For example, run the command below.

Enable-Mailbox SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} –Arbitration

Enable mailbox for arbitration accounts

What if someone deletes the disabled AD accounts as well? The fix is to run Setup.Com /PrepareAD from the Exchange 2010 DVD/ISO, as it is the AD preparation process (which is run as part of the 2010 setup) that creates the disabled system mailbox accounts in AD. Once the accounts are created, mailbox enable them using the command above.

The moral is to leave the disabled system accounts untouched Winking smile

Other Popular Articles


MS Exchange

Scripting Agent Initialization Failed: “File is not found” Error During Exchange 2016 Setup

MS Exchange

EAC Access While Co-Existing Exchange 2013 With 2010

MS Exchange

Delete All Calendar Entries In An Exchange 2010 Mailbox

  1. Hi Rajith,
    Good afternoon, I need your support and advice. In my active directory of my laboratory, disable the arbitration accounts, how do I do to re-create them again or if they should be disabled? Can you help me with this question please.

    Awaiting your kind reply.

    Greetings from Mexico.

    Your server and friend.

    Luis Gil.

    Reply
  2. I tried the Enable-Mailbox “SystemMailbox and seem to get a error stating the recipient, type is incorrect. any ideas?

    Welcome to the Exchange Management Shell!

    Full list of cmdlets: Get-Command
    Only Exchange cmdlets: Get-ExCommand
    Cmdlets that match a specific string: Help **
    Get general help: Help
    Get help for a cmdlet: Help or -?
    Exchange team blog: Get-ExBlog
    Show full output for a command: | Format-List

    Show quick reference guide: QuickRef
    Tip of the day #59:

    The special variable $_ represents the objects being passed from one cmdlet to another cmdlet in the pipeline. The $_ va
    riable is automatically initiated by the Shell and is bound to the current pipeline object. You can access the propertie
    s of the object assigned to the $_ variable as you would any other object. The following example shows how you can view
    the Name property of each mailbox object that is passed through the pipeline:

    Get-Mailbox | ForEach { $_.Name }

    VERBOSE: Connecting to SVREX01.mch.corp.int.
    VERBOSE: Connected to SVREX01.mch.corp.int.
    [PS] C:\Windows\system32>Enable-Mailbox SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c} -Arbitration
    A positional parameter cannot be found that accepts argument ‘1f05a927-a25f-44f6-8a0c-a38bbdb1c68c’.
    + CategoryInfo : InvalidArgument: (:) [Enable-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Enable-Mailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c}” -Arbitration
    The operation couldn’t be performed because object ‘SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c}’ couldn’t be
    found on ‘MCHDC03.mch.corp.int’.
    + CategoryInfo : NotSpecified: (:) [Enable-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=5baf4852-2147-4747-be2f-cb40288be380,TimeStamp=9/17/2015 7:47:
    21 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 199AF987,Microsoft.Exchange.Management.Recipient
    Tasks.EnableMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c}” -Arbitration | Set-ADServe
    rSettings -ViewEntireForest:$true
    The operation couldn’t be performed because object ‘SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c}’ couldn’t be
    found on ‘MCHDC03.mch.corp.int’.
    + CategoryInfo : NotSpecified: (:) [Enable-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=d13bbb4b-5872-414f-883e-a47fa3e0fefe,TimeStamp=9/17/2015 7:48:
    19 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 199AF987,Microsoft.Exchange.Management.Recipient
    Tasks.EnableMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Set-ADServerSettings -ViewEntireForest:$true
    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c}” -Arbitration
    This task does not support recipients of this type. The specified recipient
    corp.int/Users/SystemMailbox{1f05a927-a25f-44f6-8a0c-a38bbdb1c68c} is of type UserMailbox. Please make sure that this
    recipient matches the required recipient type for this task.
    + CategoryInfo : InvalidArgument: (corp.int/Users/…c-a38bbdb1c68c}:RecipientIdParameter) [Enable-Mailbo
    x], RecipientTaskException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=2391b3dc-f797-4979-a9a1-8a060ac45fb0,TimeStamp=9/17/2015 7:48:
    41 PM] [FailureCategory=Cmdlet-RecipientTaskException] F13D71CB,Microsoft.Exchange.Management.RecipientTasks.Enabl
    eMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} -Arbitration
    A positional parameter cannot be found that accepts argument ‘bb558c35-97f1-4cb9-8ff7-d53741dc928c’.
    + CategoryInfo : InvalidArgument: (:) [Enable-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Enable-Mailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}” -Arbitration
    This task does not support recipients of this type. The specified recipient
    corp.int/Users/SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} is of type UserMailbox. Please make sure that this
    recipient matches the required recipient type for this task.
    + CategoryInfo : InvalidArgument: (corp.int/Users/…7-d53741dc928c}:RecipientIdParameter) [Enable-Mailbo
    x], RecipientTaskException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=a1c3f3f0-9f41-482f-ad0f-72b8b6770f5a,TimeStamp=9/17/2015 7:50:
    04 PM] [FailureCategory=Cmdlet-RecipientTaskException] 178673,Microsoft.Exchange.Management.RecipientTasks.EnableM
    ailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox “FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042” -Arbitration
    This task does not support recipients of this type. The specified recipient
    corp.int/Users/FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 is of type UserMailbox. Please make sure that this
    recipient matches the required recipient type for this task.
    + CategoryInfo : InvalidArgument: (corp.int/Users/…bf-00a95fa1e042:RecipientIdParameter) [Enable-Mailbo
    x], RecipientTaskException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=59114489-bfe0-4221-a126-28cdfe43d048,TimeStamp=9/17/2015 7:51:
    09 PM] [FailureCategory=Cmdlet-RecipientTaskException] 6525BED2,Microsoft.Exchange.Management.RecipientTasks.Enabl
    eMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}” -Arbitration
    This task does not support recipients of this type. The specified recipient
    corp.int/Users/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} is of type UserMailbox. Please make sure that this
    recipient matches the required recipient type for this task.
    + CategoryInfo : InvalidArgument: (corp.int/Users/…8-e6c29d823ed9}:RecipientIdParameter) [Enable-Mailbo
    x], RecipientTaskException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=a49b3c9d-7abe-4fd9-aea4-83a4287e4b0d,TimeStamp=9/17/2015 7:51:
    51 PM] [FailureCategory=Cmdlet-RecipientTaskException] 708A5DE7,Microsoft.Exchange.Management.RecipientTasks.Enabl
    eMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>Set-ADServerSettings -ViewEntireForest:$true
    [PS] C:\Windows\system32>Enable-Mailbox “SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}” -Arbitration
    This task does not support recipients of this type. The specified recipient
    corp.int/Users/SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} is of type UserMailbox. Please make sure that this
    recipient matches the required recipient type for this task.
    + CategoryInfo : InvalidArgument: (corp.int/Users/…8-e6c29d823ed9}:RecipientIdParameter) [Enable-Mailbo
    x], RecipientTaskException
    + FullyQualifiedErrorId : [Server=SVREX01,RequestId=6c34f3bf-c475-456d-aff9-67f0ddfc6c3f,TimeStamp=9/17/2015 8:21:
    09 PM] [FailureCategory=Cmdlet-RecipientTaskException] 708A5DE7,Microsoft.Exchange.Management.RecipientTasks.Enabl
    eMailbox
    + PSComputerName : svrex01.mch.corp.int

    [PS] C:\Windows\system32>

    Reply
  3. Out of curiosity – are these exchange user objects movable to a different OU? or are they subjected to stay in the default USERS OU?

    Reply
  4. Hi Rajith,
    I am trying to delete a Exchange 2010 mailbox DB after moving all three system mailboxes that you mentioned in your article; However, I have found one more system mailbox in the database that I am not able to move because the object is not found in AD. The system mailbox is “SystemMailbox{9b3a09cd-305f-4d58-8efb-84c130476569}”. This Exchange 2010 environment was upgraded from Exchange 2007, so I am not sure if this system mailbox is stuff left behind from this upgrade or it is an important component of Exchange 2010. So you know, I am not able to see this mailbox by running any of the Get-Mailbox -arbitration command, the only way I can see this mailbox is by running the command Get-MailboxDatabase mailboxdb1 | Get-MailboxStatistics. Is it okay to delete this mailbox? Can I move this mailbox to another database without deleting it?

    Reply
  5. Hi Rajith,

    I noticed that my system mailboxes (FederatedEmail.4c1f4d8b-…, SystemMailbox{1f05a927-….}, SystemMailbox{e0dc1c29-…} and DescoverySearchMailbox {D919BA05-….})) was deleted so I wanted to re-create them using the setup.com /PrepareAD command from my exchange 2010 server.

    It runs fine up until it does the “Configuring Microsoft Exchange Server” and then gives the following error:

    “The well-known object entry with the GUID “29a962c2-91d6-4ab7-9e06-8728f8f842ea”, which is on the “CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com” container object’s otherWellKnownObjects attribute, refers to a group “CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=domain,DC=com” of the wrong group type. Either delete the well-known object entry, or promote the target object to “RoleGroup”.”.

    I deleted the Organization Management group because I know that I can restore it using LDP.exe. But then when I run the setup again it wants me to delete the Organization Management object within the deleted objects. And I know if I do that I will not be able to recover it from the tombstone objects should something go wrong with the setup.

    So can someone please confirm that they have tried this before and that it actually worked without messing up anything.

    Or another solutions would be to let me know how to “promote the target object to “RoleGroup””

    Looking forward to your expert advice.

    Thanks in advance!!

    Reply
  6. Remember to run the following command first, if you are trying to view the arbitration mailboxes from a child domain:

    Set-AdServerSettings -ViewEntireForest $True

    Reply
  7. Hi Rajith,

    Great article.Could you please clarify my query if you had a time? Why Exchange 2010 does not have independent System mailbox than Exchange 2003?

    Thanks in Advance

    Reply

Leave a Comment

Disable Windows Copilot Using Intune

Windows Copilot is Microsoft’s take on making life easier for Windows users using the power of AI. This article explains how to disable the feature using Intune, if your organization is not ready yet to walk into the AI world.

Disable Windows Copilot Using Intune

We need to create a Configuration Profile for Windows devices in the Intune portal to disable Windows Copilot. Below are the steps that we need to create the profile.

Launch the Intune Portal and login as a Global Admin or Intune Admin.

Navigate to Devices -> Windows -> Configuration Profiles.

Windows Configuration Profile Intune

Click on Create -> New Policy.

Select Windows 10 & later as the platform and Settings Catalog as the profile type & click on the Create button.

Settings Catalog Intune CoPilot

Give the policy a meaningful name & description and click Next.

Policy Name Disable CoPilot

Within the configuration settings, click on the Add Settings option.

Add Settings Disable CoPilot

Search for ‘copilot’, Windows AI will come up as the category. Click on Windows AI and the Turn off Copilot in Windows (User) setting will come up. Check the box and click Next.

Turn off CoPilot Setting Intune
Turn off CoPilot Setting Intune Summary 1

Specify scope tags if required and click Next.

Select tags CoPilot Intune

Select who this policy should apply to in the Assignments section. I have selected to add all users. If you want to test the setting, you can create a test group and select that group here.

Similarly, you can also exclude certain group from disabling AI (say IT team) if required.

Add all users disable copilot intune

A summary of selected settings will be displayed. Click on the Create button to setup the policy to disable Windows Copilot.

Create configuration policy disable CoPilot Intune 1

Wait for the replication to complete in the cloud backend and login to your machine. Your chatty Copilot should now be disabled.

Disable Windows Copilot On Windows 11 Pro

Follow the steps below to disable Copilot on a personal Windows 11 Pro machine (say your own laptop).

Search for ‘group’ in Windows 11 and click on Edit Group Policy option.

Group Policy Windows 11 Disable Copilot

Navigate to User Configuration -> Administrative Templates -> Windows Components -> Windows Copilot.

Windows Copilot GPO setting

Double click on Turn off Windows Copilot setting on the right pane.

Select Enabled and click OK.

Turn off copilot gpo Windows 11 Pro 1

Close the Group Policy Editor. This will disable Windows Copilot on a Windows 11 Pro machine.

Summary

We have learned to disable Windows Copilot using Intune and Group Policy on Windows 11 machines.

Please let me know if you have any questions in the comments section.

Promote Windows Server 2025 To Domain Controller

Domain controllers are the backbone of any Active Directory domains in the Microsoft world. Any Windows server can be promoted to be a domain controller. In this article, we will go through the steps of promoting a Windows 2025 Server to be a domain controller.

Windows Server 2025

The latest version of the server operating system has been named Windows Server 2025. You can start with a 2025 Server & create an AD domain or you can promote a member server that is already a part of a domain.

The Windows Server 2025 needs to be installed on a machine before it can be promoted to be a domain controller.

Promote Windows Server 2025 To Domain Controller

If you have been working with Windows servers long enough, everything starts with the Server Manager app. Promoting a server to a domain controller is no different.

Launch ‘Server Manager’ & click on Add roles and features.

Windows 2025 Server Manager

You land on the summary page that explains what is required to run this wizard successfully. Click Next.

Windows Server 2025 Add Remove Roles

Select Role-based or Feature-based installation and click Next.

Windows Server 2025 Role Based Install

Select the server that needs to be promoted and click Next.

Windows Server 2025 Destination Server

Select Active Directory Domain Services (second option) and click on Add Features.

Windows Server 2025 AD Domain Services

Go with the default options for features that need to be installed.

Windows Server 2025 AD Domain Services Features

A summary of AD DS pops up next, click next to continue.

Windows Server 2025 AD DS

Select Restart the server automatically if required and click Install.

Windows Server 2025 AD Restart Server

You get to keep an eye on the progress of the installation.

Windows Server 2025 AD Install Progress

Once the role has been installed, you will find an exclamation mark on the top right corner of the Server Manager. Click on that and select Promote this server to be a domain controller.

Windows Server 2025 AD Install Continue

You get an error straight away (which you have never seen before) – Error determining whether the target server is already a domain controller. Role change is in progress or this computer needs a restart.

Windows Server 2025 Domain Controller Setup Error

We never needed to restart the server after installing the role in the DC promotion process. Given that it is an insider build of Server 2025, I am hoping that this will get fixed before the public release.

Restart the server, launch Server Manager and click on the Promote this server to be a domain controller option again.

Windows Server 2025 AD Install Continue 1

I am setting up a brand new AD forest and hence I select the third option (Add a new forest) and enter my root domain name.

Windows Server 2025 Add a forest

Next window brings the option to set your forest & domain functional level and the DSRM password. In the insider build, it shows what looks like a variable (the Windows server version on which the you are working).

Windows Server 2025 Forest Functional Level

You can leave the default options in the DNS options wizard and click next.

Windows Server 2025 DNS Options

Enter the netbios name of the domain in the next window and click next.

Windows Server 2025 Netbios Domain Name

You can stick with the default paths for the AD database, log & sysvol folder or pick a location of your choice.

Windows Server 2025 AD Paths

Review the selections that you have made so far and click next.

Windows Server 2025 Options Review

Wait for the green check mark on the prerequisites page and click next.

Windows Server 2025 Pre reqs Check

Click Install in the final window & wait for the magic to happen. Once the machine gets restarted (which it will do automatically), you will have a brand new domain controller based on Windows Server 2025.

Windows Server 2025 AD Snap In

Summary

Promoting a Server 2025 to a domain controller follows pretty much the same steps as previous operating systems. The Insider build has few errors that needs to be fixed, but hey, it is an insider build!

Please let me know if you have any questions in the comments section.

Install Windows Server 2025 – Full Guide

Microsoft has released an insider preview of it’s next server operating system named Windows Server 2025. We will have a look at the installation steps involved in setting up a 2025 server.

Windows Server 2025

Microsoft has gone with the same look and feel of Windows 11 operating system in it’s current server operating system – Windows Server 2025. As the product is in insider preview, there might be slight changes before it hits the public shelves.

It is refreshing to see a ‘modern’ feel in the installation process of a server operating system. Gone are the days where the installation of a consumer based OS felt much better compared to it’s server counterpart.

Installing Windows Server 2025

Let’s take a look at the steps involved in setting up a Windows Server 2025 machine. First step is to download the ISO from the Windows Insider portal.

Next step is to boot the virtual / physical machine from the ISO which will kick off the installation of Server 2025.

First option to select is the language settings. Pick the one based which relates to you and click next.

Windows Server 2025 language settings

Select the keyboard settings in the next screen and click next.

Windows Server 2025 keyboard

You get the option to select whether you want to Install Windows Server or Repair the installation. The bottom left corner also has the option to go to the previous version of setup.

Windows Server 2025 setup option

You are asked to enter the product key, which is available in the Windows Insider portal.

Windows Server 2025 product key

Next option to choose is the type of image you want to install – Windows 2025 core or full blown desktop experience.

Windows Server 2025 Desktop

You need to agree to the licensing terms to move forward in the next step.

Windows Server 2025 Agreement License

Select the partition on which the server OS should be installed and click next. You also have the option to slice the partitions the way you see fit in the same screen.

Windows Server 2025 Disk Partitions

The Ready to Install window comes up, click the install button.

Windows Server 2025 Install 1

Installation of Server 2025 is underway and you get to see the progress.

Windows Server 2025 Install Progress

Once the installation is complete, you need to enter an administrator password of your choice to finalize the setup.

Windows Server 2025 Password

And there you go! You see a Windows 11 login screen staring at you ;-)

Windows Server 2025 Login Screen

After logging in, you get to set the options around sending diagnostic data to Microsoft, which I always set as ‘required only’.

Windows Server 2025 Diagnostic Data

The Windows Server 2025 desktop looks similar, doesn’t it? ;-)

Windows Server 2025 Desktop Feel scaled

Now that the server is up and running, you can promote it to be a domain controller.

Summary

The Windows Server 2025 has the same look and feel as a Windows 11 operating system. The installation options also provide that modern ‘feel’ and makes it a bit soothing to the eyes!

Please let me know if you have any questions in the comments section.