O-Xchange Notes from the Field!

Monday, December 30, 2013

Delivery status notifications in Exchange Server

Non-delivery reports (NDRs) are system messages that report the delivery status of a message to the sender. The messages are a subclass of a general message information structure that is known as delivery status notifications. Delivery status notifications describe three kinds of situations:
  • Success (2.X.X numeric codes)
  • Persistent transient failure (4.X.X numeric codes)
  • Permanent failures (5.X.X numeric codes)
NDRs are generated when a message cannot be delivered. If the computer can detect the reason for the failed delivery, it maps the reason onto a status code, and a corresponding error message is printed. For NDRs, most numeric error codes are reported in the form of "5.X.X" and are described as permanent failures. However, certain transient conditions cause "4.X.X" codes. 


Check the Event Viewer from PowerShell

Below are examples of checking the event viewer via PowerShell.
Running local with event id and date range
Get-WinEvent -FilterHashtable @{logname='application';id=4107;StartTime="1/15/11";EndTime="1/17/11"}
Running on remote computer with event ID
Get-WinEvent -computername <remote computer> -FilterHashtable @{logname='application';id=15006}

Allow Exchange 2013 to accept remote powershell from Orchestrator

Scenario: Orchestrator was not able to connect and run Exchange powershell commands. The error received is:
Error opening remote PowerShell runspace to endpointhttp://exchangeservername/powershell: Connecting to remote server failed with the following error message : The WinRM client cannot process the request.
1. Make sure the Execution Policy on the Exchange Shell is set to RemoteSigned.
a. Use Get-ExecutionPolicy to see what it is.
b. Use Set-ExecutionPolicy RemoteSigned to set it.
2. Enable Basic and Windows Authentication on the Powershell IIS Site.
a. Expand: Default Web siteàPowershell.
b. Click on Authentication
c. Enable Basic and Windows Authentication.
The above steps did the trick for me, but the site below offers a few more steps.

Remove stale ActiveSync Devices from Exchange 2010

Scenario: Exchange accounts have a max of 10 ActiveSync devices per account. This script will remove stale devices that are older then 180 days.
The initial report will take hrs to run. the code is listed below. This will run and export the results to a CSV file.
$DevicesToRemove = Get-ActiveSyncDevice -result unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSuccessSync -le (Get-Date).AddDays("-180")}| Export-CSV C:\scripts\staleeas.csv

The code below will remove the device by pulling the list from the CSV you created above.
import-staleeas.CSV | foreach-object {Remove-ActiveSyncDevice -Identity $_.guid -confirm:$False}

Issue user getting error “Could not read the Calendar”

Issue: User is getting an error when trying to open shared calendar.
“Could not read the Calendar”
run: outlook.exe /cleanviews
url to findings:
Also link to useful outlook cmd line switches.

Thursday, December 12, 2013

Subscribing to folders in Outlook 2011 when using IMAP

Scenario: When you are using Outlook 2011 and your mail profile is setup to connect via IMAP, you may not see all of your folders\subfolders in your mailbox.
Solution: These folders may need to be subscribed to. Follow these steps to import these folders into Outlook 2011.
1. With Outlook 2011 open, select Tools --> IMAP Folders.
2. You will see a list of folders available to import into Outlook. You can click each folder and select Subscribe.
3. The new susbscribed folders will now be located in the folder list on the left hand pane of Outlook.

Troubleshooting EAS that stopped processing on a Exchange 2010 Server

Scenario: We had an Exchange 2010 server that stopped processing requests for Exchange Active Sync. Users were getting the error “Unable to verify the account information” on their mobile devices or other connection related messages. This problem was not enterprise wide and only a problem for whichever mailboxes were hitting this one Exchange 2010 Client Access server.
Solution: We had to find the server that was not processing the Exchange Active Sync requests. Once rebooted, the server started processing the requests again. Below are the key troubleshooting steps we took to validate the problem on the single server.
Troubleshooting Steps:
1. Test the problem user’s account with Microsoft Remote Connection Analyzer – Exchange ActiveSync test (https://testconnectivity.microsoft.com/). Where the test was failing, there was a common X-CalculatedBETarget Exchange 2010 server amongst all of the accounts.
2. In a web browser, going to the website: https://<servername>/Microsoft-Server-ActiveSync and comparing the behavior of the failed server to a good server. On the failed server we were getting the error message: 500 – Internal Server Error. There is a problem with the resource you are looking for, and it cannot be displayed. On the good server we were getting: The page cannot be displayed because the HTTP version is not supported. This let us know that this server was having a problem with the IIS website.
3. Taking it a step further, we browsed to the ActiveSync site from the Servers IIS manager. Here we got a similar, but more detailed error: HTTP Error 500.19 – Internal Server Error. The requested page cannot be accessed because the related configuration data for the page is invalid. Comparing these contents to a working server’s content, this helped support that there was a server problem.
4. Reviewing the IIS logs for this Ex2010 server also revealed that every ActiveSync request had a Http code of 500 (the 4th column from the end of each log entry).
5. Restarted the Server -- ActiveSync worked on that server when it came back up.

Can't load OWA Premium by using Internet Explorer 11 in an Exchange Server environment

When you try to access Outlook Web App (OWA) Premium by using Internet Explorer 11 in a Microsoft Exchange Server 2013, Microsoft Exchange Server 2010, Microsoft Exchange Server 2007, or Microsoft Exchange Server 2003 environment, OWA Light is loaded instead.
To work around this issue in Exchange Server 2013, Exchange Server 2010, Exchange Server 2007, or Exchange Server 2003, use Internet Explorer 11 in compatibility mode to access OWA. To do this, press F10 to display the menu bar, go to the Tools menu in Internet Explorer 11, and then click Compatibility View settings. Then, add the OWA site to the list of sites to be viewed in compatibility view.

Logging into Outlook Web Access (OWA) always defaults to OWA Lite.

issue: Logging into Outlook Web Access (OWA) always defaults to OWA Lite
synopsis: The accessibility option in OWA designed to assist the visually impaired is selected.
1.Go to Options.
2.Click Accessibility.
3.Clear the Use the blind and low vision experience check box.
Clearing this check box prevents the mailbox from always defaulting to OWA Lite.

Tuesday, November 26, 2013

Permission issues Ex2013 shared calendar with Ex2010 mailbox

​​Scenario: A user with a mailbox in Exchange 2010 is getting permission errors in Outlook when trying to access and edit a shared calendar of a mailbox in Exchange 2013 even though the correct permissions are set for that Exchange 2010 mailbox. The error is:
"You do not have permission to veiw this calendar. Do you want to ask user to share his or her Calendar with you?"
Resolution: Enable Outlook to connect to Exchange using HTTP for the Exchange 2010 mailbox in the Outlook Profile
1. Start Outlook if not started already.

2. Navigate to your Outlook Account Settings:
a. Outlook 2013/2010: Click on File --> Account Settings--> Account Settings.
b. Outlook 2007: Click on Tools --> Account Settings.

3. Select your Exchange account, and then click Change.

4. Click More Settings, and then click the Connection tab.

5. Under Outlook Anywhere (Exchange over the Internet for 2007), select the Connect to Microsoft Exchange using HTTP check box.

6. Click Exchange Proxy Settings.

7. Make sure the following settings are set:
a. Enter the URL to connect to  proxy server for Exchange: https://mail.domain.com
b. On fast networks, connect using HTTP first,... is checked.
c. On slow networks, connect using HTTP First,... is checked
d. Proxy Authentication Settings is set to Basic Authentication.

8. Click OK to close each Outlook window.

9. Restart Outlook

10. If your are prompted for authentication, use the following:
a. username: domain\username
b. password: your password.

Monday, November 25, 2013

IMAP4 backend service not authenticating to any mailbox on that server.

Scenario: The IMAP4 Backend Service cannot connect to local mailboxes in Exchange 2013 after confirming there was a certificate on the Exchange 2013 server with the IMAP and POP services assigned. The symptom on the client end is failed authentication prompts when connecting to their mailbox via imap using valid credentials and IMAP being enabled on their mailbox.
The IMAP log displays the following: 
NO AUTHENTICATE failed."";Msg=""AuthFailed:LogonDenied
The application log in the event viewer displays the following:
EventID 1102: The IMAP4 service failed to connect using SSL or TLS encryption. No valid certificate is configured to respond to SSL/TLS connections. Check the configured host name as well as which certificates are installed in the Personal Certificates store of the computer.

1. Remove the certificate and re-add the certificate again on that Exhange 2013 server.
2. In Exchange Management Shell run the following: Enable-ExchangeCertificate -Thumbprint XXXXXXXXXX -Services POP,IMAP
3. Restart the Imap and Pop frontend and backend services.

Thursday, November 21, 2013

Exchange Management Console initialization failed when opening

Scenario: You have installed Exchange 2010 management tools on a computer, but EMC can no longer connect to the server (we knew this server was turned off). You receive this error message:
Initialization Failed
The following error occurred while attempting to connect to the specified Exchange server 'servername'.
The attempt to connect to http://servername/Powershell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : The WinRM client cannot process the request because the server name cannot be resolved.
1. Navigate to C:\users\(username)\AppData\Roaming\Microsoft\MMC and deleteExchange Management Console.
2. Navigate to: HKCU\Software\Microsoft\Exchangeserver\v14\AdminTools and deleteNodeStructureSettings.

EMC was able to connect to a different server and open successfully.

Monday, November 18, 2013

Connecting to Exchange 2013 EWS with Exchange 2010 Folder Permissions

Scenario: When making Exchange 2013 EWS calls that proxies down to a Exchange 2010 mailbox connecting via shared folder permissions of another Exchange 2010 mailbox, the EWS connection may be unstable. Programs such as Starfish, SoapUI, or other programs making EWS calls, may or may not connect consistently and some errors encountered are 400 Bad Request errors.

Resolution: We created a new mailbox in Exchange 2013 and gave this mailbox the folder share permissions to the Exchange 2010 mailboxes. Making EWS calls to Exchange 2013 by using the 2013 mailbox to connect to the mailbox folders of the 2010 mailbox, EWS had become stable and successful.

Thursday, November 14, 2013

Exchange 2013 IMAP and POP Backend Services

Microsoft has made changes in Exchange 2013 for how IMAP and POP communicate between the Exchange servers holding the Client Access and Mailbox role. The roles below need the following services started for the Exchange servers to communicate properly with IMAP and POP.

Client Access Role: The following services need to be started for each server holding the CAS role to accept the connection from clients.
  1. MSExchangeIMAP4
  2. MSExchangePOP3

Mailbox Role: The following services need to be started for each server holding the Mailbox role to accept the connection from the CAS.
  1. MSExchangeIMAP4BE
  2. MASExchangePOP3BE

On servers where the Client Access and Mailbox roles are running on the same server, you manage both services on the same computer.

could not stop exchange transport service on local exchange server

Issue:​could not stop exchange transport service on local computer, error 1053. Unable to restart hung transport service

Resolution: start task manager, kill edgetransport.exe process
this kills the transport service. try restarting transport service

Wednesday, November 13, 2013

Removing Messages from Shadow Queues

To remove messages from shadow queues, run this command from Exchange Powershell:

Get-Queue -Server servername | Where {$_.Identity -like "*Shadow*"} | Get-Message | Remove-message -confirm:$false​

This will remove the messages from any Shadow queue without prompting you for confirmation.

Friday, November 1, 2013

About AutoComplete Address Cache in Outlook

About Frequent contacts in Outlook
Outlook provides a cache of email addresses as you use them in new email messages. This cache, sometimes called a nickname cache, is intended to improve user productivity. As you type an address in an email address field, Outlook lists possible addresses matching the letters you’ve entered. Autocomplete is a productivity enhancement that shows an address as you start to type a common recipient address so you can select the address instead of typing it
Clearing the Auto-Complete Address Cache
Outlook has an auto-complete cache to help fill in recipient information when adding recipients. If you want to delete this auto-fill cache, you can delete individual items or the entire cache. You remove individual items by typing an address on the To line of an email, and when the auto-fill suggestion is displayed, press the Delete key.

Wednesday, October 30, 2013

Exchange 2013 Mailbox Creation Hangs

Scenario: Mailbox creation hangs in Exchange 2013 in EAC and EMS, although the mailbox will eventually be created. When creating a mailbox in Exchange Management Shell and enabling verbose logging, the following log is displayed after it hangs:

VERBOSE: [19:50:51.165 GMT] New-Mailbox : Unable to generate the e-mail address. Unable to load address module 'C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\address\GWISE\AMD64\gwxpxgen.dll' for address type 'GWISE'. Additional message: 'The specified module could not be found'.

Resolution: There is a GWISE value still present in the Default Recipient Policy.
1. Open ADSI Edit.
2. Connect to the Configuration Naming Context of a Domain Controller or your domain.
3. Navigate to: Configuration --> CN=Services --> CN=Microsoft Exchange --> CN=<Exchange Name> --> CN=Recipient Policies
4. Right click on CN=Default Policy and select properties.
5. Locate the gatewayProxy attribute and remove the GWISE value.
Note: Other articles suggested looking at the disabledGatewayProxy as well and removing the GWISE value.

Mailbox Auditing in Exchange 2010

Scenario: You want to audit the activity in a mailbox. Auditing includes information on who does what in a mailbox.

Enable Auditing for a mailbox: Set-Mailbox -identity "Mailbox Name" -AuditEnabled $true
Search Audit Logs for a mailbox: Search-MailboxAuditLog -Identity "Mailbox Name" -showdetails
Disable Auditing for a mailbox: Set-Mailbox -identity "Mailbox Name" -AuditEnabled $false

By default, the audit logs are retained for 90 days and then purged. This can be controlled by the -AuditLogAgeLimit parameter. The logs are stored in the mailbox under the Audits Subfolder under the Recoverable Items Folder. The Recoverable Items Folder is a hidden folder.

Conditions for Log Truncation in Exchange

These are the conditions in which Exchange's Replication service will truncate the committed log files in Exchange:

Exchange 2010 & 2013
  • The log file must have been successfully backed up, or circular logging must be enabled.
  • The log file must be below the checkpoint (the minimum log file required for recovery) for the database.
  • All other lagged copies must have inspected the log file.
  • All other copies (not lagged copies) must have replayed the log file.
Exchange 2013
Exchange 2013 uses quite a big checkpoint depth (100MB), it’s usual to find a hundred or more transaction logs even when circular logging is enabled and the database is essentially quiescent. It’s far removed from the five or six transaction logs that a standalone database enabled for circular logging might use.

Wednesday, October 23, 2013

Entering Exchange Product Key in Exchange Powershell

Task: Enter in the Exchange Product Key in Exchange Powershell by using the command below.
Set-ExchangeServer servername -ProductKey aaaaa-aaaaa-aaaaa-aaaaa-aaaaa
Even though you can see the new edition on Exchange, the new edition/product key will not be fully activated until the Information Store service is restarted. The new editions functionality will not be there until the service restart. Restart it from Exchange Powershell Below.

Warning for Restarting Information Store Service after Exchange 2013 DB Creation

Scenario: A mailbox database or mailbox database replica was created on a server and you receive the following warning:
WARNING: Please restart the Microsoft Exchange Information Store service on serverservername after adding new mailbox databases. Alternatively, you can restart the server

Reason: The information store service in Exchange 2013 decides how much memory it will allocate for each database during the information store service startup. Therefore if you add databases after this is service is started, the information store does not have a predetermined amount of memory to manage the database.

Note: The database is still functional even if you do not restart the service, but restarting the serice is still recommended.
Note: In earlier versions of Exchange, the information store service tried utilizing as much memory as it could at the information store service startup.

Creating Exchange Databases and creating Database Copies in Exchange Powershell

Task: To create Exchange DB's and DB Copies, follow the following powershell commands below. Note everything with this highlight will need your adjusting.

Create the DB:
New-MailboxDatabase dbname -Server servername -LogFolderPath C:\dbfolder\Logs -EDBFilePath C:\dbfolder\DB\dbname.edb 
Mount the DB:
Mount-Database dbname 
Add the DB Copies to other DAG members:
Add-MailboxDatabaseCopy dbname -MailboxServer PassiveServerName -ActivationPreference 2 
Add-MailboxDatabaseCopy dbname -MailboxServer PassiveServerName -ActivationPreference 3 
Add-MailboxDatabaseCopy dbname -MailboxServer PassiveServerName -ActivationPreference 4 

Thursday, October 17, 2013

using Netsh

​Using Netsh:

-launch powershell as an administrator
-type netsh
-type interface ipv4
-type show interfaces (note the correct the interface name)

Add route  "Replication"
note that is the next hop to get to the network

tip: use netsh int tcp reset to reset TCP

Wednesday, October 16, 2013

Mailbox is Disabled after Reconnecting mailbox from disconnected state.

Scenario: After you reconnect a disconnected mailbox, you may receive the following error in Outlook Web App, ​ ‘Your mailbox has been disabled.’ You may also have trouble connecting to her mailbox in powershell or EMC saying the mailbox is not avaiable.

SolutionRun the following command in Exchange Powershell.
clean-mailboxdatabase <Database Name>

Outlook Web App Functionality Disabled

Scenario: When a user is in Outlook Web App (OWA), they may be experiencing one of the following issues:
  • Conversations are not being expanded.
  • Composing new or replying to messages is not possible due to the body or other parts of the message being disabled or greyed out.
Resolution: There was a DivX Plug Web Player HTML5 add-on in Internet Explorer that I had to disable. To disable this add-on, click on Tools-->Manage add-ons.
Troubleshooting Note: There may be other add-ons causing this issue as well where you might have to perform process of elimination with disabling/re-enabling add-on's.

Outlook Web App Functionality Disabled

Scenario:  When a user is in Outlook Web App (OWA), they may be experiencing one of the following issues:
  • Conversations are not being expanded.
  • Composing new or replying to messages is not possible due to the body or other parts of the message being disabled or greyed out.
Resolution: There was a DivX Plug Web Player HTML5 add-on in Internet Explorer that I had to disable.  To disable this add-on, click on Tools-->Manage add-ons. 
Troubleshooting Note: There may be other add-ons causing this issue as well where you might have to perform process of elimination with disabling/re-enabling add-on's.

Tuesday, October 15, 2013

View the Global Address List on ios device

Task: View the Global Address List on your iPad/iPhone.
PreReq: Contacts need to be enabled on the Exchange account on your iPad/iPhone.

1. Tap Contacts.
2. Tap Groups.
3. Tap your Exchange account name (e.g. Exchange) in the Directories section.
4. Enter a name and tap Search. (Your search criteria must be over 4 characters)
5. Tap the user account you are searching for.
6. The user's information will appear.
From here you can call, email, or gather contact information for the users you search.

Monday, October 14, 2013

modify domain names for hybrid org relationship

​Task: Modify domain names configured for an organization relatinship in a hybrid deployment
you can use powershell command below to complete task
$domains = (get-organizationrelationship 'On Premises to Exchange Online Organization Relations
Set-organizationrelationshp -id  'On Premises to Exchange Online Organization Relations
hip' -domainnames $domains

Friday, October 11, 2013

Add X500 Alias to Mailboxes with Old LegacyExchangeDN Value

Scenario: A user receives a bounce message (Non Delivery Report/NDR) when emailing to an internal user that contains the following:
Delivery has failed to these recipients or groups:

John Test<mailto:IMCEAEX-_O%3DYOUR%2B20ENTERPRISE%2B20EXCHANGE_OU%3DEXCHANGE%2B20ADMINISTRATIVE%2B20GROUP%2B20%2B28FYDIBOHF23SPDLT%2B29_CN%3DRECIPIENTS_CN%3DJTest451a@domain.edu<mailto:3DJTest451a@domain.edu>>
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.
Cause: This issue occurs because the value for the LegacyExchangeDN attribute changed. The auto-complete cache in Microsoft Outlook and in Microsoft Outlook Web App (OWA) uses the value of the LegacyExchangeDN attribute to route email messages internally.
Resolution: Global Fix - Creating an X500 address based on the LegacyExchangeDN and adding it as an email alias to the recipients Exchange mailbox.

Copy/Extract the LegacyExchangeDN info from the NDR. This is located under the Generating Server portion. It looks like this:
Perform the following on that address:
•Replace any underscore character with a slash character /
•Replace +20 with a blank space.
•Replace +28 with an opening parenthesis character (.
•Replace +29 with a closing parenthesis character ).
•Delete IMCEAEX-.
•Delete @domain.edu.
Take the final result and add this as an X500 alias for the receiving mailbox by performing these steps:
1. Open the properties of the affected mailbox in Exchange 2010.
2. Click on the Email Addresses tab.
3. Click the drop down menu next to Add... and select Custom Address.
4. In the Custom Address properties window:
ii. Email Type: X500
5. Click OK out of all the mailbox windows and you are done.
Testing: You should be able to enter in the X500 into a new mail message and perform a check names. It should resolve to the users account.

Thursday, October 10, 2013

Exchange PowerShell to Recover Mailbox Items in Exchange 2010.

Scenario: A user is missing mailbox items because they were accidentally deleted or moved from the mailbox and the user cannot find these missing items in their "Recover Deleted Items" folder accessible in Outlook. (Note: How to access the Recover Deleted Items section in Outlook: Outlook 2010 & Outlook 2007)
Next Step: In Exchange 2010 PowerShell, a administrator can use the New-MailboxExportRequest command to create a PST of the users mailbox. The command will export the contents of the mailbox into a PST, in addition reveal the RecoverableItems folder which is a hidden folder in the mailbox that is not seen by Outlook. This folder may contain the contents of the missing items.

Ex2010 Powershell Commands:
Creating the PST Requests:
New-MailboxExportRequest username -filepath \\Servername\Share\File.pst
This will copy everything from the mailbox and put it in a .PST file that you can open in Outlook.

Monitoring the PST Requests:
-Shows the status of the move requests
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
-Shows the percentage of completion
You can also attach the |FL shell command to existing command it will show all of the available information attached to the move requests.

After the PST request completes:
Once the PST is finished building, you can open it up in Outlook and try to find the missing mailbox items in the recoverable items folders. If you cannot find the missing items, its possible a restore will need to be performed from backup in order to find the missing data.

Thursday, October 3, 2013

Out of Office Not Working for a Single User

Issue: Out of Office is turned on for a user, but a Out of Office notification is not beingsent to internal/external users. You may see the Out of Office message internally BEFORE you send the message in the Outlook notification bar in the new message window.
Cause: Mailbox rules have corrupted or are conflicting with the Out-Of-Office rule in order to send a message to recipients.
Resolution: The resolution is to remove the conflicting rules in the mailbox. To do this:
1. From a run prompt use the following switch: outlook.exe /cleanrules .This will clean client and server rules for the mailbox. This is the fastest way of fixing this issue.
2. You can manually remove each rule in the mailbox.

Rules of Troubleshooting

​I came across these 8 rules of troubleshooting from the blog site referenced below and found it interesting enough to post it

The 8 Rules for Outstanding Troubleshooting Skills
  1. I always check the Event Viewer or other log files first when troubleshooting.
  2. I do not start troubleshooting until all software/hardware is patched up to the latest approved release.
  3. I do not make modifications unless I have a verified backup, have logged the change and I am reasonably certain what the end result will be.
  4. My job is to provide a solution. A “workaround” means that something is still broke, and I didn’t do my job.
  5. An end user only reports their perception of the situation; It is my job to verify the reality of the situation before attempting to find the solution.
  6. I never assume anything; I always verify everything with my own eyes.
  7. Asking for help from a co-worker implies I have confidence in their ability to assist, it does not imply failure on my part.
  8. I am never afraid to call a vendor or support line for 3rd party products. It’s their product and they will be more familiar with it than I will be leading to a faster resolution.

Wednesday, October 2, 2013

"the source data is corrupted or not properly base 64 encoded"

Encoding error trying to import cert from Comodo to Exchange or complete a pending Cert request on exchange server 2010:
"the source data is corrupted or not properly base 64 enocded"
Resolution: Download as X509 Certificate only, Base64 encoded from Cert Enrollment email sent by Comodo server. This is the enocding that worked for Exchange

Tuesday, October 1, 2013

Offboarding and Onboarding Mailboxes

Offboarding and Onboarding mailboxes to/from Office365
Moving mailboxes 2-way can be done using the EAC from Office365. You may also connect Powershell to Office365 and run any of the scripts below:

Onboarding to Cloud:
$opcred = get-credential [domain\admin]
Get-Mailbox xx| New-MoveRequest -Remote -RemoteHostName 'mail.domain.com' -RemoteCredential $opcred -TargetDeliveryDomain 'o365.mail.onmicrosoft.com'

Offboarding from the Cloud to OnPrem:
$opcred = get-credential [domain\admin]
Get-Mailbox xx| New-MoveRequest -OutBound -RemoteTargetDatabase 'Mailbox Database xxxxxxxx' -RemoteHostName 'mail.domain.com' -RemoteCredential $opcred -TargetDeliveryDomain 'domain name'

Track message logs for a user

Track message logs for a user

Step 1. Determine user's mailbox server
run the following scripts from Exchange powershell
For eg, to check the log for the recipients from sendertest@test.com:
Get-MessageTrackingLog -server servname -sender test@test.com | ft recipients,subject
To Get log from a certain time/date to a specific time/date. you can also change  eventid from send to deliver or fail etc
Get-MessageTrackingLog -server srvname -resultsize unlimited -start "9/29/2013 8:00am" -end "10/1/2013 3:00pm" -EventId "send" -Recipients test2@domain.edu