This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.
One of the advantages with deploying Exchange Online in a hybrid configuration (i.e. Exchange on-premises and Office 365 Exchange Online in the cloud) is that you can easily move mailboxes back and forth.
It can be done with PowerShell, but one of the most straightforward methods is the Exchange Admin Center (EAC): under recipients in the Enterprise tab there is an option (to the bottom right of the mailbox panel) to move a mailbox to Exchange Online, or to another database (locally), with most of the settings pre-populated for you (such as the target mail domain, tenantname.mail.onmicrosoft.com).
Moving back requires a slightly different process though and needs to be performed from the migration panel in the Office 365 tab of EAC.
You’ll also need to know the name of the database you want to move the mailbox to on-premises, and the mail domain name.
One of the challenges I found with moving mailboxes to/from Exchange Online using the EAC was that I sometimes saw a migration batch marked as “Completed” but with 0 of 0 synced, 0 of 0 finalized, 0 failed. This seems to happen if a previous move of the same mailbox had failed; deleting the failed migration batch before re-attempting allows the mailbox move to run successfully.
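The same moves from an Exchange Online PowerShell session, as an added example rather than anything from the original post. The MRS proxy host name (mail.domainname.tld), the on-premises database name, the batch names and the user addresses are placeholders you would replace; the session is assumed to be already connected to Exchange Online.

```powershell
# Added example: onboarding and offboarding remote mailbox moves from Exchange Online PowerShell.
# Assumes an Exchange Online remote PowerShell session is already imported and that the MRS proxy
# (EWS) endpoint on the on-premises hybrid server is published as mail.domainname.tld (placeholder).
$onPremCred = Get-Credential -Message 'On-premises account with mailbox move rights'  # prompt; do not embed the password
$mrsProxy   = 'mail.domainname.tld'                 # on-premises MRS proxy host name (assumed)
$tenantDom  = 'tenantname.mail.onmicrosoft.com'     # tenant routing domain (assumed)

# Onboarding: on-premises -> Exchange Online (a "pull" move, hence -Remote)
New-MoveRequest -Identity 'user1@domainname.tld' -Remote `
    -RemoteHostName $mrsProxy -RemoteCredential $onPremCred `
    -TargetDeliveryDomain $tenantDom -BatchName 'Onboard-2015-09' -BadItemLimit 10

# Offboarding: Exchange Online -> on-premises. This is where the on-premises database name is needed.
New-MoveRequest -Identity 'user2@domainname.tld' -Outbound `
    -RemoteHostName $mrsProxy -RemoteCredential $onPremCred `
    -RemoteTargetDatabase 'Mailbox Database 01' -TargetDeliveryDomain 'domainname.tld' `
    -BatchName 'Offboard-2015-09' -BadItemLimit 10

# Progress and failure reasons for everything in flight
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, Message -AutoSize

# The "Completed, 0 of 0" symptom: clear failed batches and failed requests before re-attempting a move.
Get-MigrationBatch | Where-Object { $_.Status -eq 'Failed' } | Remove-MigrationBatch -Confirm:$false
Get-MoveRequest -MoveStatus Failed | Remove-MoveRequest -Confirm:$false
```

Moves created in the EAC appear as migration batches, while moves created with New-MoveRequest appear under Get-MoveRequest; a retry will not start cleanly while either kind of stale record still exists for the mailbox.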
Lync (now Skype for Business) is a bit of a mystery to me. Occasionally I get close enough to mess around the edges, but never to truly understand how it works. And when it dives off into telephony well, that’s another world…
Some people say ADFS is required but we had it working with Azure AD Sync (with password sync), so maybe not. The test system I was working on threw up its own set of challenges though so if you do follow what I found (with help from various colleagues including Martin Boam, Kevin Beacon and Mark Vale), your mileage may vary.
The basic steps for configuring Lync hybrid (split domain) are:
Make sure Office 365 is working, your directory is syncing and users have licenses assigned.
Also, make sure that Skype for Business Online and Lync have the same configuration – i.e.:
Domain matching (if partner discovery is enabled on the on-premises deployment, then open federation must be configured for the online tenant; if partner discovery is not enabled, then closed federation must be configured for the online tenant).
Blocked domains.
Allowed domains.
On the Lync Front End server (I was using Lync 2013 but you can use 2010 with the March 2013 update or later and the Lync 2013 administration tools deployed), configure the Edge server with: Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowOutsideUsers $true -AllowFederatedUsers $true -EnablePartnerDiscovery $true (you may need to adjust the setting for partner discovery, based on the domain matching above).
Set up the hosting provider with New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root.
If prompted for a target server, the URL is the same as when you access the Skype for Business Online Admin Center from the Office 365 portal. For me that was admin1e.online.lync.com.
You may also need the -AllowClobber switch when importing the session.
You may also find that you need to Import-Module SkypeOnlineConnector.
Set up the shared namespace with: Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true.
(again, admin1e.online.lync.com works for me but might not for all tenants).
To check for a successful move, either type Get-CsUser -Identity alias@domainname.tld or look in the Lync Control Panel. Office 365 users will show the home pool as LyncOnline and, when you click through to the details, Lync will flag that the user is homed in Office 365:
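The steps above collected into one script, as an added example that is not from the original post. The address alias@domainname.tld and the tenant admin account are placeholders, and the Move-CsUser step with its hosted migration URL on admin1e.online.lync.com is my assumption of how the user move is performed for this tenant (that host name differs from tenant to tenant). The Remove-CsHostingProvider line reflects the clean-up mentioned under “Further reading”.

```powershell
# Added example: Lync 2013 hybrid (split domain) configuration as one script.
# Placeholders: alias@domainname.tld, the Office 365 admin account, and admin1e.online.lync.com
# (the hosted migration endpoint for this tenant; other tenants see a different host name).

# --- On the on-premises Lync Front End (Lync Server Management Shell) ---
# Edge: allow outside and federated users; set -EnablePartnerDiscovery $false if the tenant uses closed federation
Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowOutsideUsers $true -AllowFederatedUsers $true -EnablePartnerDiscovery $true

# Hosting provider for Lync Online; remove any stale definition of the same name first
Get-CsHostingProvider -Identity LyncOnline -ErrorAction SilentlyContinue | Remove-CsHostingProvider
New-CsHostingProvider -Identity LyncOnline -ProxyFqdn 'sipfed.online.lync.com' -Enabled $true `
    -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification `
    -IsLocal $false -AutodiscoverUrl 'https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root'

# --- Connect to Skype for Business Online (SkypeOnlineConnector module) ---
Import-Module SkypeOnlineConnector
$cred    = Get-Credential -Message 'Office 365 global admin'
$session = New-CsOnlineSession -Credential $cred
Import-PSSession $session -AllowClobber      # -AllowClobber: the online cmdlet names overlap with the on-premises ones

# The tenant must know that the SIP address space is shared with on-premises
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

# --- Move a user to Lync Online (assumed step; run from the on-premises shell with the online session imported) ---
Move-CsUser -Identity 'alias@domainname.tld' -Target 'sipfed.online.lync.com' -Credential $cred `
    -HostedMigrationOverrideUrl 'https://admin1e.online.lync.com/HostedMigration/hostedmigrationService.svc'

# Verify: HostingProvider should read sipfed.online.lync.com for an Office 365-homed user
Get-CsUser -Identity 'alias@domainname.tld' | Format-List SipAddress, HostingProvider, RegistrarPool, Enabled
```

Run the Edge and hosting provider commands once per organisation, the tenant federation command once per tenant, and the Move-CsUser line per user. If Move-CsUser complains that it cannot find the registrar pool for sipfed.online.lync.com, the hosting provider definition is the first thing to check.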
Further reading
Other posts I found useful include MVP Paul Robichaux’s post on fixing the “Cannot find registrar pool” error for sipfed.online.lync.com (one of the issues I had, although my problems seemed to run deeper than Paul’s – I had to delete my hosting provider from the Lync Control Panel, then recreate it in PowerShell).
A couple of weeks back, I found myself having to investigate what had caused an Active Directory user account to be updated. We could see the last modified time on the Object tab for a user account in Active Directory Users and Computers (dsa.msc) and it’s also available using PowerShell.
What I really wanted to know though, was what attribute(s) on the object had changed.
It turns out that viewing Active Directory object updates is remarkably simple – even as a normal (non-admin) user. First of all you need to know the distinguished name (DN) for the object. If you don’t have access to any administrative tools then the following script might be useful (taken from the “Hey, Scripting Guy!” blog):
' Find the distinguished name of the OU that holds the current user's account
Set objSysInfo = CreateObject("ADSystemInfo")
strUserName = objSysInfo.UserName            ' DN of the logged-on user
Set objUser = GetObject("LDAP://" & strUserName)
strOUName = objUser.Parent                   ' LDAP path of the parent container (the OU)
Set objOU = GetObject(strOUName)
Wscript.Echo objOU.distinguishedName
If you run this script, it will display something like:
OU=Users,OU=companyname,DC=domainname,DC=tld
I also needed to know the name of a domain controller – that’s easy as the %logonserver% environment variable will provide the information.
Armed with that information, I could then use the repadmin.exe command to find out some more information about the user object. I did need to install the Remote Server Administration Tools (RSAT) for Windows 8.1 to get repadmin on a client machine (there are similar RSAT packages for Windows 7 and Windows 10 too). Specifically, the command I used was repadmin.exe /showobjmeta servername "CN=Mark Wilson,OU=Users,OU=companyname,DC=domainname,DC=tld"
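The PowerShell equivalent, added here as an example rather than taken from the original post: Get-ADReplicationAttributeMetadata (RSAT ActiveDirectory module) returns the same fields repadmin /showobjmeta prints (version, originating DSA, originating time and USN per attribute). The account name mark.wilson is a placeholder, and the 7-day window and the list of attributes to watch are my choices.

```powershell
# Added example (not from the original post): repadmin /showobjmeta from PowerShell, reduced to the
# attributes that changed recently, plus where to look next. Requires the RSAT ActiveDirectory module;
# 'mark.wilson' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$dc = $env:LOGONSERVER.TrimStart('\')      # the same DC the post reads from %logonserver%
$dn = (Get-ADUser -Identity 'mark.wilson' -Server $dc).DistinguishedName

# One row per attribute: version counter, originating DC and the time of the originating write.
# Like repadmin, this only needs read access to the object, so it works as a normal domain user.
$meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -ShowAllLinkedValues

# What changed in the last 7 days, newest first
$meta | Where-Object { $_.LastOriginatingChangeTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object LastOriginatingChangeTime -Descending |
    Format-Table AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity -AutoSize

# Attributes an attacker (or a careless admin) touches; an unexpected Version bump here deserves a second look
$watch = 'userAccountControl', 'adminCount', 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'unicodePwd', 'pwdLastSet', 'scriptPath', 'altSecurityIdentities'
$meta | Where-Object { $watch -contains $_.AttributeName } |
    Format-Table AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity -AutoSize

# The metadata records which DC took the write and when, not who made it. The originating DC's name is
# the second RDN of its NTDS Settings DN; that DC's Security log holds the actor, if auditing is enabled
# (event 4738 "a user account was changed", 5136 "a directory service object was modified").
$last   = $meta | Sort-Object LastOriginatingChangeTime -Descending | Select-Object -First 1
$dcHost = ($last.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=', ''
Get-WinEvent -ComputerName $dcHost -FilterHashtable @{
    LogName = 'Security'; Id = 4738, 5136; StartTime = $last.LastOriginatingChangeTime.AddMinutes(-5)
} -MaxEvents 50 | Format-List TimeCreated, Id, Message
```

For somebody else's account the DN comes from Get-ADUser (or the dsquery tool) rather than the script above, which only knows the logged-on user. Reading the Security log remotely does need administrative rights on the DC, unlike the metadata query itself.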
I had an “interesting” problem on an Exchange server last week… I could access the Exchange Control Panel using https://localhost/ecp, but if I tried to use its externally-accessible namespace (which I needed to, in order to run the Exchange Hybrid Configuration Wizard), it kept looping on the authentication prompt. The password was correct but it just came straight back to a prompt again…
It turned out to be an issue with HTTP redirection in IIS and, following the MSExchangeGuru post on HTTP redirection issues with the ECP virtual directory I set up HTTP redirection on the Default Website but turned it off for OWA, ECP and the various other virtual directories. I also checked that SSL was not required for the PowerShell virtual directory.
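The same change expressed with the WebAdministration and Exchange cmdlets, as an added example (not the post's own commands). It assumes the site is “Default Web Site”, that the root should redirect to https://mail.domainname.tld/owa (placeholder), and that the virtual directory list is the standard Exchange 2013 set; trim it to what the server actually has.

```powershell
# Added example: root-only HTTP redirect on the Exchange web site, with the redirect switched off on
# every virtual directory, then a check of the result and of the PowerShell vdir's SSL setting.
Import-Module WebAdministration
$site   = 'IIS:\Sites\Default Web Site'
$target = 'https://mail.domainname.tld/owa'     # assumed destination for the root redirect

# Site root: redirect to OWA
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name enabled     -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/httpRedirect' -Name destination -Value $target

# Every virtual directory inherits the site setting; that inherited redirect is what breaks the
# OWA/ECP authentication flow, so switch it off explicitly on each one.
$vdirs = 'owa', 'ecp', 'EWS', 'Autodiscover', 'Microsoft-Server-ActiveSync', 'OAB', 'PowerShell', 'Rpc', 'mapi'
foreach ($vdir in $vdirs) {
    if (Test-Path "$site\$vdir") {
        Set-WebConfigurationProperty -PSPath "$site\$vdir" -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false
    }
}

# Check: only the site root should report enabled = True
foreach ($path in @($site) + ($vdirs | Where-Object { Test-Path "$site\$_" } | ForEach-Object { "$site\$_" })) {
    $redirect = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/httpRedirect'
    '{0,-60} redirect enabled: {1}' -f $path, $redirect.enabled
}

# The PowerShell virtual directory must not require SSL (it is used by remote Exchange Management Shell sessions)
Get-PowerShellVirtualDirectory -Server $env:COMPUTERNAME | Format-Table Name, RequireSSL, InternalUrl, ExternalUrl -AutoSize
# If it does: Set-PowerShellVirtualDirectory -Identity "$env:COMPUTERNAME\PowerShell (Default Web Site)" -RequireSSL $false
```

Run it in an elevated Exchange Management Shell on the server (the Exchange cmdlets need it; the WebAdministration ones need local admin), then retest the external ECP URL from a browser before re-running the Hybrid Configuration Wizard.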
Yesterday, I wrote about the SSD upgrade I carried out for my family’s PC. The PC was originally supplied with a Windows 8 OEM licence, upgraded to 8.1, then to 10 and was correctly licenced and activated. Everything I’d read suggested that, as the machine signature was registered with Microsoft, changing the hard drive shouldn’t affect the licensing situation and it should activate after a clean install (skipping the opportunity to enter a product key during installation). For that reason, I was a little alarmed when it didn’t work.
Windows 10 was installed, but activation failed, and it seemed the only option was to go to the Store and pay almost two-hundred pounds for a copy of Windows 10 Pro. That got me thinking… “Pro” – but this was a Windows 8.1 PC (not 8.1 Pro)…
I then downloaded the correct media (Windows 10 Home), reinstalled, and it activated automatically with no problems at all. So, the moral of that little story is to make sure that you install Windows using the correct media, in order for Windows 10 licence activation to work.
Some time ago, I noticed that our family PC was running really slowly. It only has 4GB of RAM and sometimes the boys leave their flash-based websites open when they switch users (which can be a resource hog), but it was more than that (4GB should have been enough really). I dug a little deeper and found that the disk was running at a constant 100% – clearly that was the bottleneck!
I adjusted the virtual memory (page file) settings (away from the Windows defaults, which were pitifully small, to something I found recommended on the ‘net) and, whilst it helped with the system responsiveness, the disk queue was still sitting a little higher than I expected (in Resource Monitor) and Task Manager still said the disk was running at 100%.
Fast forward a few weeks and I’d been busy, the machine had been upgraded to Windows 10 and it seemed to be behaving itself. That was until, one Saturday morning, when I was just rushing out of the door to take the kids to football, I spotted the PC sitting on the kitchen counter with a boot error, followed by a failed attempt to boot from the network. “That’s great!”, I thought (actually it was some rather more grumpy words than that), “another job to fit into an already-packed weekend…”.
As it happened, I’d already been considering a solid state disk (SSD) upgrade after a customer had told me about the unit he had bought, the performance difference it had made, and how low the prices were. Our hard disk drive (HDD) failure just forced the point and I bought a 120GB Samsung EVO 850 SSD for only marginally more than the cost of a replacement 500GB Seagate Momentus Thin HDD (we don’t really need that much space anyway).
I didn’t have time to fit the drive this week, but I set to work this afternoon, following the advice in the video below to take our laptop apart and swap the drive:
SSD installed in laptop – a lot easier than expected and very fast Windows 10 build (struggling to activate now tho’) pic.twitter.com/7OOR7jxwkI
I’ll come back to the activation issue in a future post, but the SSD is awesome. Incredibly fast! And disk queues are a thing of the past (as is OEM-supplied crapware as I now have a clean PC build).
As for the old HDD, it still works… sort of. At least, I may be able to get some data off it if the spinning rust stays spinning for long enough. I bought an Anker USB 3.0 2.5″ HDD/SSD external enclosure and am very impressed. It’s so easy to use that my son fitted the old disk in seconds (no screws, just the SATA connection and slide the cover on) – perfect if you are going to clone from one disk to another (I didn’t, because I didn’t have a bootable system).
I’m starting this blog post with a caveat: the process I’m going to describe here is not a good idea, goes against the advice of my colleagues (who have battle scars from when it’s been attempted in a live environment and not gone so well) and is certainly not recommended. In addition, I can’t be held responsible for any unintended consequences of following these steps.
Notwithstanding the above, I found myself trying to configure the Exchange Hybrid Configuration Wizard (HCW) in a customer environment, where the wizard failed because it was looking for servers that don’t exist any more.
I explained the situation to my customer, who discussed it with his Exchange expert, and they directed me to go for option 2 – this was a test environment, not production, and they were prepared to accept the risk.
Sitting back and waiting for the process to complete.
With a backup completed, I could then:
Run ADSI Edit.
Open the configuration naming context.
Navigate to CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=organizationname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domainname,DC=tld
Delete the records for the servers that no longer exist.
Restart each of the remaining Exchange servers in the organisation in turn.
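The same procedure from PowerShell, as an added example that is not part of the original post: it enumerates what the configuration partition says the organisation contains, exports each stale server subtree with ldifde before touching it, and runs the deletion with -WhatIf first. The staleness test (a failed DNS lookup) is a placeholder for whatever check fits your environment, and it still carries every warning the post opens with.

```powershell
# Added example: enumerate, export and (after review) delete stale Exchange server objects from the
# configuration naming context. Run as an Exchange Organization Management / Enterprise Admin account
# after an AD backup; nothing here substitutes for that backup.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" -SearchScope OneLevel `
           -Filter 'objectClass -eq "msExchOrganizationContainer"' | Select-Object -First 1
$serversDn = "CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$($org.DistinguishedName)"

# 1. What the directory thinks the organisation contains
$inAD = Get-ADObject -SearchBase $serversDn -SearchScope OneLevel `
            -Filter 'objectClass -eq "msExchExchangeServer"' -Properties whenChanged, serialNumber
$inAD | Format-Table Name, serialNumber, whenChanged -AutoSize

# 2. Which of those names no longer exist? (placeholder check: the host name does not resolve;
#    compare against Get-ExchangeServer and your inventory before trusting this list)
$stale = $inAD | Where-Object { -not (Resolve-DnsName -Name $_.Name -ErrorAction SilentlyContinue) }
'Candidates for removal:'; $stale | Select-Object -ExpandProperty Name

# 3. Export each candidate's subtree before deleting anything, so the objects can be inspected
#    later (ldifde -i can re-import them, minus system-owned attributes)
foreach ($s in $stale) {
    $file = Join-Path $env:TEMP "$($s.Name)-before-delete.ldf"
    & ldifde.exe -f $file -d $s.DistinguishedName -p subtree
}

# 4. The server object has child containers (Protocols, InformationStore ...), hence -Recursive.
#    Dry run first; remove -WhatIf only once the candidate list has been confirmed.
foreach ($s in $stale) {
    Remove-ADObject -Identity $s.DistinguishedName -Recursive -WhatIf
}
# Then restart the remaining Exchange servers one at a time, as in the steps above.
```

The ldifde export is a record of what was removed, not a full undo: a deleted server object cannot be reliably re-created from it, which is why the AD backup taken beforehand matters more than the .ldf file.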
The process seemed to work but the danger of manually removing servers from an Exchange organization like this is the potential side effects of “unknown unknowns” (which you can be sure won’t surface immediately). It did let me progress to the next stage of the HCW though. More on that in a future blog post…
Exchange didn’t use to be supported in Azure. It is now, subject to specific requirements; however, there’s a big difference between “supported” and “works”, and it was always theoretically possible.
My current customer has a test environment running on a number of Azure VMs. All was working well, until I started to test mail flow out of the organisation. My mailboxes (work and personal) are both on Office 365 and the reply came back as:
Delivery has failed to these recipients or groups:
Mark Wilson
Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
The following organization rejected your message: DB3FFO11FD037.mail.protection.outlook.com.
Basically, Exchange Online Protection was bouncing the mail. The error continued with diagnostic information for administrators and I could see that the message was leaving the organisation, then returning to the Exchange Edge server.
I could also see in one of the messages that it said:
“Remote Server returned ‘<DB3FFO11FD037.mail.protection.outlook.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.123.123.123] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com>'”
So I emailed and asked to be removed, quickly receiving a very polite but understandably automated and non-committal response:
“Hello ,
Thank you for your delisting request SRX1234567890ID. Your ticket was received on (Aug 28 2015 12:26 AM UTC) and will be responded to within 24 hours.
Our team will investigate the address that you have requested to be removed from our blocklist. If for any reason we are not able to remove your address, one of our technical support representatives will respond to you with additional information.
Regards,
Technical Support”
Within 24 hours, Microsoft had responded to say that we had been delisted from their blocklists (presumably they checked that the IP address was one of theirs – which was also one reason why we couldn’t add a reverse DNS record, as one might expect with an SMTP server) and the mail had started to flow:
“Hello ,
Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1234567890, which was opened in regards to your delisting request for 123.123.123.123.
The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2 hour delay before this change propagates through our entire system.
We apologize for any inconvenience this may have caused you. As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network. However, should we detect an increase in spam-like activity, the IP address may be re-added to our block list.
Should you have any further questions or concerns, please feel free to respond to this email.
Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.”
I’m glad the experience was with a customer’s test environment, and not live email flow, but worth remembering for the future…
[Ticket numbers and IP addresses in this scenario have been changed]
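Two checks a practitioner would want around this scenario, added here as an example and not part of the original post: a parser that pulls the actionable parts (status code, blocked IP, list name, delisting address) out of an NDR like the one quoted, and a pre-flight reputation check for an outbound SMTP address (PTR record present, not on the public DNS blocklists). The NDR text below is a constructed sample modelled on the quoted one, the IP address is the post's placeholder, and the three DNSBL names are my default choices. Microsoft's FBLW15 list is not publicly queryable, so the delisting request remains the only route for that one.

```powershell
# Added example (not from the original post): parse an EOP bounce, then pre-flight an outbound SMTP address.

# 1. Pull the actionable parts out of the NDR diagnostic text
function Get-EopBlockReason {
    param([Parameter(Mandatory)][string]$NdrText)
    $m = [regex]::Match($NdrText,
        '(?<code>\d{3} \d\.\d\.\d)[^\[]*\[(?<ip>[\d\.]+)\] blocked using (?<list>\w+);.*?forward this message to (?<delist>\S+@\S+?)>')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        StatusCode = $m.Groups['code'].Value      # e.g. 550 5.7.1
        BlockedIp  = $m.Groups['ip'].Value
        BlockList  = $m.Groups['list'].Value      # e.g. FBLW15
        DelistTo   = $m.Groups['delist'].Value
    }
}

# 2. Reputation pre-flight: a missing PTR or a public blocklist hit will get mail rejected elsewhere too
function Test-OutboundSmtpReputation {
    param(
        [Parameter(Mandatory)][ipaddress]$Ip,
        [string[]]$Dnsbl = @('zen.spamhaus.org', 'bl.spamcop.net', 'b.barracudacentral.org')   # assumed defaults
    )
    $octets = $Ip.IPAddressToString.Split('.')
    [array]::Reverse($octets)
    $reversed = $octets -join '.'

    # Receiving MTAs expect a reverse DNS name for the sending address
    $ptr = Resolve-DnsName -Name $Ip.IPAddressToString -Type PTR -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'PTR'; Result = $(if ($ptr) { $ptr.NameHost -join ',' } else { 'MISSING' }) }

    # DNSBL convention: an A record under <reversed-ip>.<list> means listed; the answer is in 127.0.0.0/8
    # and the last octet encodes the reason
    foreach ($list in $Dnsbl) {
        $a = Resolve-DnsName -Name "$reversed.$list" -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = $list; Result = $(if ($a) { 'LISTED ' + ($a.IPAddress -join ',') } else { 'not listed' }) }
    }
}

# Constructed sample NDR line, modelled on the one quoted in the post
$sampleNdr = "Remote Server returned '<DB3FFO11FD037.mail.protection.outlook.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.123.123.123] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com>'"
Get-EopBlockReason -NdrText $sampleNdr
Test-OutboundSmtpReputation -Ip '123.123.123.123' | Format-Table -AutoSize
```

Run the reputation check before the first outbound test from any cloud-hosted Edge server: a freshly allocated public IP inherits whatever its previous tenant did with it, and with no PTR record of your own the receiving side has nothing to vouch for it.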
One of the recently announced changes to Office 365 is the ability to better control OneDrive for Business. Specifically, it’s now possible to control OneDrive for Business syncing to prevent data from being copied to non-domain-joined PCs, based on a list of approved domains, as well as to change the storage limit for users (perhaps 1TB is just too much data and something more restrained might reduce the impact on your network). There are also some changes around the “Shared with Everyone” folder, which used to be created by default but isn’t anymore.
It’s worth noting that, initially, this failed for me – Set-SPOTenantSyncClientRestriction wasn’t recognised as a command in the version of the SharePoint Online Management Shell I had installed. I checked the version with Get-Module -ListAvailable | Format-List version, name and found I had version 15.0.4569.0 of Microsoft.Online.SharePoint.PowerShell. After updating to the latest version, I was at version 16.0.4316.0, which worked a treat:
Not only will OneDrive for Business Sync client requests originating from a domain that is not on the safe recipients list be blocked but all OneDrive for Business Mac Sync client requests will be blocked. This also means that a sync relationship will not be established unless they are joined to an allowed domain.
However:
Mobile clients are not blocked (there are separate MDM controls for this) and any files that have previously been synced to the computer will not be deleted.
New or existing files added to the client will still be uploaded to the server and will not be blocked.
OneDrive for Business sync clients prior to version 15.0.4693.1000 will stop syncing existing libraries.
Controlling the storage quota was a little more tricky. I found that I could use Get-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com to view the properties of a users’ OneDrive for Business site, but attempting to set the quota on the same site presented an error:
Set-SPOSite : Cannot get site https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com.
At line:1 char:1
+ Set-SPOSite -Identity
https://tenantname-my.sharepoint.com/personal/firstname_lastname …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite
I haven’t fixed that yet, so I’ll be returning to the topic again soon, no-doubt…
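The sync restriction and the quota settings discussed above, as one added example (not the post's own commands) for the 16.x SharePoint Online Management Shell. tenantname, domainname.tld and the admin account are placeholders; the domain GUID is read from the on-premises AD domain the approved PCs are joined to, and the tenant-wide default quota at the end uses Set-SPOTenant -OneDriveStorageQuota, which is a different route from the per-site Set-SPOSite call that failed in the post.

```powershell
# Added example: OneDrive for Business sync restriction by domain GUID, plus quota inspection and a
# tenant-wide default quota. Requires the 16.x Microsoft.Online.SharePoint.PowerShell module and, for
# Get-ADDomain, the RSAT ActiveDirectory module.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Import-Module ActiveDirectory

# The 15.x module has no *-SPOTenantSyncClientRestriction cmdlets at all, so check the version first
(Get-Module Microsoft.Online.SharePoint.PowerShell).Version

$cred = Get-Credential -Message 'SharePoint Online admin'
Connect-SPOService -Url 'https://tenantname-admin.sharepoint.com' -Credential $cred

# Domain GUID of the AD domain whose members may sync; several domains are joined with semicolons ("guid1;guid2")
$domainGuid = (Get-ADDomain -Identity 'domainname.tld').ObjectGUID.Guid
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid

# Verify what the tenant now enforces (note the side effects listed above: Mac clients blocked,
# mobile clients untouched, old sync clients stop syncing)
Get-SPOTenantSyncClientRestriction | Format-List TenantRestrictionEnabled, AllowedDomainList, BlockMacSync

# Storage: read one user's OneDrive site (quota and usage are in MB) ...
Get-SPOSite -Identity 'https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com' |
    Format-List Url, StorageQuota, StorageUsageCurrent

# ... and set the default quota for OneDrive sites tenant-wide (MB; 100 GB here instead of the 1 TB default)
Set-SPOTenant -OneDriveStorageQuota (100 * 1024)
```

The restriction only stops new sync relationships from non-approved domains; data already synced stays where it is, which is why the MDM controls mentioned above matter for the devices this cmdlet cannot see.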
Post Script
There is a known issue with domain joined PCs failing to sync OneDrive for Business, even when added to a safe list, which is fixed by the 12 May 2015 update for OneDrive for Business (see Microsoft knowledge base article 2986244).
Every now and again, I find myself looking up the same things for Office 365 command line administration (i.e. using PowerShell), so it’s probably worth me writing them down in one post…
Of course, a connection to Office 365 from PowerShell is a pre-requisite – although that’s a lot simpler now than it used to be as there’s no longer any need for the Microsoft Online Services Sign In Assistant (MOS SIA), just: