Troubleshooting integration with Exchange Server 2010 Active Directory components

 

Applies to: Forefront Protection for Exchange

You may be unable to manage your Forefront Protection 2010 for Exchange Server (FPE) antispam settings even though the feature has been enabled. You may receive a warning message indicating that management of antispam is not yet enabled.

To diagnose this issue, access the Forefront Management Shell (click Start, point to All Programs, point to Microsoft Forefront Server Protection, and then click Forefront Management Shell) and type the following Windows PowerShell command:

Get-FseExchangeManagementStatus

This returns a value for ExchangeManagementAvailable. If this value is false, Exchange integration has not yet been achieved. This could be due to the following causes:

  • Pending Active Directory (AD) replication

    If FPE has been installed successfully, the problem may be due to AD replication. In most cases, replication is expected to complete in less than 15 minutes. If it does not, check with your Domain Administrator to verify whether replication is pending, and force replication if necessary. The Domain Administrator can also verify whether the server’s machine account has been added to Exchange’s Hygiene Management role group.

    The following Windows PowerShell commands may display an error message prior to full AD replication:

    • Set-FseSpamConnectionFilter and Get-FseSpamConnectionFilter

    • Set-FseSpamContentFilter and Get-FseSpamContentFilter

    • Set-FseSpamFiltering and Get-FseSpamFiltering

    • Set-BackscatterFilter and Get-BackscatterFilter

    • New-BackScatterKeys

    • Start-FseOndemandScan, Stop-FseOndemandScan, Suspend-FseOnDemandScan, Resume-FseOndemandScan, and Get-FseOndemandScan -Status

    • Set-FseTransportScan and Get-FseTransportScan

    • Import-FseSettings and Export-FseSettings

  • FseMachinePrep was not successfully completed

    If there are no pending AD replications, but the machine account does not exist in the Hygiene Management role group, you can attempt to re-add the machine account to that role group by running FseMachinePrep on the Exchange server. For more information, see Security credentials required for installing on Exchange Server 2010.

If FPE fails to install because the Hygiene Management role group is missing, follow the Exchange instructions for running the AD preparation tool. For more information, consult your Exchange server documentation.
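
The checks above can be combined into one diagnostic pass. The following script is an added example, not part of the original Microsoft documentation. It assumes that Get-FseExchangeManagementStatus returns an object with an ExchangeManagementAvailable property, that the Exchange cmdlet Get-RoleGroupMember is loaded in the same session as the FPE cmdlets, and that the machine account appears in the role group under the computer name.

```powershell
# Added diagnostic sketch; run on the Exchange server where FPE is installed.
# Assumption: the status object exposes ExchangeManagementAvailable as a property
# (the page states only that the command returns this value).
$status = Get-FseExchangeManagementStatus
if ($status.ExchangeManagementAvailable) {
    Write-Output 'Exchange integration is available; antispam management should work.'
    return
}

# Assumption: Exchange cmdlets are available in this session. If they are not,
# run the membership check separately from the Exchange Management Shell.
if (-not (Get-Command Get-RoleGroupMember -ErrorAction SilentlyContinue)) {
    Write-Warning 'Get-RoleGroupMember is not loaded; cannot check Hygiene Management membership here.'
    return
}

# Assumption: the machine account is listed under the computer name.
$machine = $env:COMPUTERNAME
try {
    $members = @(Get-RoleGroupMember -Identity 'Hygiene Management' -ErrorAction Stop)
} catch {
    # Covers the case where the role group itself cannot be found or read.
    Write-Warning "Hygiene Management role group could not be read: $($_.Exception.Message)"
    Write-Warning 'If the role group is missing, run the Exchange AD preparation tool.'
    return
}

$inGroup = $members | Where-Object { $_.Name -eq $machine }
if ($inGroup) {
    # Membership exists on the domain controller that answered, so the remaining
    # cause on the page is replication that has not reached every DC yet.
    Write-Output "$machine is in Hygiene Management on the queried domain controller."
    Write-Output 'Integration is most likely waiting on AD replication (see: repadmin /showrepl).'
} else {
    Write-Output "$machine is not in Hygiene Management."
    Write-Output 'If no replication is pending, run FseMachinePrep on this server.'
}
```

A membership result reflects only the domain controller that answered the query, so a positive result with ExchangeManagementAvailable still false points to replication rather than to FseMachinePrep.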