Moving mailboxes to/from Exchange Online using the EAC

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One of the advantages with deploying Exchange Online in a hybrid configuration (i.e. Exchange on-premises and Office 365 Exchange Online in the cloud) is that you can easily move mailboxes back and forth.

It can be done with PowerShell but one of the straightforward methods is from the Exchange Admin Center (EAC), where there’s an option (to the bottom right of the mailbox panel, under recipients in the Enterprise tab) to move a mailbox to Exchange Online, or to another database (locally), with most of the settings pre-populated for you (like the target mail domain or tenantname.mail.onmicrosoft.com).

Moving back requires a slightly different process though and needs to be performed from the migration panel in the Office 365 tab of EAC.

You’ll also need to know the name of the database you want to move the mailbox to on-premises, and the mail domain name.

One of the challenges I found with moving mailboxes to/from Exchange Online using the EAC was that I sometimes saw a migration batch marked as “Completed” but with 0 of 0 synced, 0 of 0 finalized, 0 failed. This seems to happen if a previous mailbox move had failed; deleting the failed migration batch before re-attempting seems to allow the mailbox move to run successfully.
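As an added example (not code from the original post), the clean-up described above and the PowerShell route to the same move can be scripted. It assumes an open remote PowerShell session to Exchange Online, and every mailbox, host and domain name below is a placeholder:

```powershell
# Added example, not code from the original post. Assumes an open remote PowerShell
# session to Exchange Online (for onboarding) and that every name below is a placeholder.
param(
    [string]$Mailbox              = 'alias@domainname.tld',
    [string]$RemoteHostName       = 'mail.domainname.tld',               # on-premises MRS proxy (EWS) endpoint
    [string]$TargetDeliveryDomain = 'tenantname.mail.onmicrosoft.com',
    [switch]$RemoveStaleBatches                                           # report only unless set
)

# 1. Find batches that look like the symptom in the post: "Completed" but 0 of 0 processed,
#    or batches that failed outright. Either kind tends to block the next move of the same user.
$stale = Get-MigrationBatch | Where-Object {
    ($_.Status -eq 'Completed' -and $_.TotalCount -eq 0) -or
    ($_.Status -in @('Failed', 'CompletedWithErrors'))
}

foreach ($batch in $stale) {
    Write-Host ("Batch {0}: status={1} total={2} synced={3} finalized={4} failed={5}" -f
        $batch.Identity, $batch.Status, $batch.TotalCount, $batch.SyncedCount,
        $batch.FinalizedCount, $batch.FailedCount)

    # Per-user detail explains why a batch failed before it is thrown away
    Get-MigrationUser -BatchId $batch.Identity |
        Get-MigrationUserStatistics |
        Select-Object Identity, Status, Error |
        Format-Table -AutoSize

    if ($RemoveStaleBatches) {
        Remove-MigrationBatch -Identity $batch.Identity -Confirm:$false
    }
}

# 2. Start the move from PowerShell (the equivalent of the EAC wizard). For a move back
#    on-premises, swap -Remote for -Outbound and add -RemoteTargetDatabase "<database name>".
$onPremCred = Get-Credential -Message 'On-premises Exchange admin'
New-MoveRequest -Identity $Mailbox -Remote -RemoteHostName $RemoteHostName `
    -TargetDeliveryDomain $TargetDeliveryDomain -RemoteCredential $onPremCred

# 3. Watch progress; PercentComplete and StatusDetail are the fields worth polling.
Get-MoveRequestStatistics -Identity $Mailbox |
    Select-Object DisplayName, Status, StatusDetail, PercentComplete
```

Run it once without -RemoveStaleBatches to see which batches would go and why they failed, then again with the switch before re-attempting the move.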

Configuring Lync hybrid (split domain) with Lync 2013 and Skype for Business Online

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Lync (now Skype for Business) is a bit of a mystery to me. Occasionally I get close enough to mess around the edges, but never to truly understand how it works. And when it dives off into telephony well, that’s another world…

I did recently have to configure a Lync/Skype for Business Online hybrid (split domain) for a customer though, as part of their Office 365 project. It brought up a few challenges, but MVP Adam Jacobs has a really good step-by-step guide to enabling split-domain within Office 365 Lync Online.

I described Lync Hybrid (split-domain) in a post for TechNet UK earlier this year – and I’ll stress again here that it’s not to be confused with Hybrid Voice… although there is plenty happening about Skype for Business and voice…

Some people say ADFS is required but we had it working with Azure AD Sync (with password sync), so maybe not. The test system I was working on threw up its own set of challenges though so if you do follow what I found (with help from various colleagues including Martin Boam, Kevin Beacon and Mark Vale), your mileage may vary.

The basic steps for configuring Lync hybrid (split domain) are:

  1. Make sure Office 365 is working, your directory is syncing and users have licenses assigned.
  2. Also, make sure that Skype for Business Online and Lync have the same configuration – i.e.:
    • Domain matching (if partner discovery is enabled on the on-premises deployment, then open federation must be configured for the online tenant; if partner discovery is not enabled, then closed federation must be configured for the online tenant).
    • Blocked domains.
    • Allowed domains.
  3. On the Lync Front End server (I was using Lync 2013 but you can use 2010 with the March 2013 update or later and the Lync 2013 administration tools deployed), configure the Edge server with Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowOutsideUsers $true -AllowFederatedUsers $true -EnablePartnerDiscovery $true (you may need to adjust the setting for partner discovery, based on the domain matching above).
  4. Set up the hosting provider with New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root.
  5. Make sure you have the Skype for Business Online Windows PowerShell Module and also the Microsoft Office Online Sign In Assistant (MOS SIA) installed.
  6. Connect to Skype for Business Online.
    • If prompted for a target server, the URL is the same as when you access the Skype for Business Online Admin Center from the Office 365 portal. For me that was admin1e.online.lync.com.
    • You may also need the -AllowClobber switch when importing the session.
    • You may also find that you need to Import-Module SkypeOnlineConnector.
  7. Set up the shared namespace with: Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true.

To move users to Skype for Business Online, all that’s needed is a single PowerShell command:

Move-CsUser -Identity sip:alias@domainname.tld -Target sipfed.online.lync.com -Credential $creds -HostedMigrationOverrideUrl https://admin1e.online.lync.com/hostedmigration/hostedmigrationservice.svc -Confirm:$false

(again, admin1e.online.lync.com works for me but might not for all tenants).

To check for a successful move, either type Get-CsUser -Identity alias@domainname.tld or look in the Lync Control Panel. Office 365 users will show the home pool as LyncOnline and when you click through to the details, Lync will flag that the user is homed in Office 365:
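The steps above, the user move and the check, as one script. This is an added example, not code from the original post: it assumes the Lync Server 2013 Management Shell (module name Lync) on a Front End server that also has the Skype for Business Online module installed. sipfed.online.lync.com and the Autodiscover URL are the endpoints quoted in the post; the admin domain and SIP address are placeholders that differ per tenant.

```powershell
# Added example, not code from the original post. Run from the Lync Server 2013
# Management Shell (module name "Lync") on a Front End server that also has the
# Skype for Business Online PowerShell module installed. AdminDomain and SipAddress
# are placeholders.
param(
    [string]$AdminDomain      = 'admin1e.online.lync.com',
    [string]$SipAddress       = 'sip:alias@domainname.tld',
    [bool]$PartnerDiscovery   = $true        # must match the tenant's open/closed federation (step 2)
)

# Step 3: Edge configuration
Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowOutsideUsers $true `
    -AllowFederatedUsers $true -EnablePartnerDiscovery $PartnerDiscovery

# Step 4: hosting provider, created only if it is not already there
if (-not (Get-CsHostingProvider -Identity LyncOnline -ErrorAction SilentlyContinue)) {
    New-CsHostingProvider -Identity LyncOnline -ProxyFqdn 'sipfed.online.lync.com' `
        -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true `
        -VerificationLevel UseSourceVerification -IsLocal $false `
        -AutodiscoverUrl 'https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root'
}

# Steps 5 to 7: connect to Skype for Business Online and enable the shared SIP address space.
# If New-CsOnlineSession prompts for a target server, $AdminDomain is the value to give it.
Import-Module SkypeOnlineConnector
$creds   = Get-Credential -Message 'Office 365 global administrator'
$session = New-CsOnlineSession -Credential $creds
Import-PSSession $session -AllowClobber | Out-Null
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

# Move the user. The on-premises cmdlets are module-qualified because -AllowClobber lets the
# online session shadow same-named commands (Get-CsUser in particular).
Lync\Move-CsUser -Identity $SipAddress -Target 'sipfed.online.lync.com' -Credential $creds `
    -HostedMigrationOverrideUrl "https://$AdminDomain/hostedmigration/hostedmigrationservice.svc" `
    -Confirm:$false

# Verify: a user homed in Office 365 shows the hosting provider rather than an on-premises pool.
$user = Lync\Get-CsUser -Identity $SipAddress
$user | Select-Object SipAddress, HostingProvider, RegistrarPool, Enabled
if ($user.HostingProvider -ne 'sipfed.online.lync.com') {
    Write-Warning "$SipAddress is still homed on-premises (HostingProvider=$($user.HostingProvider))"
}

Remove-PSSession $session
```

The HostingProvider check is the scripted equivalent of the Lync Control Panel view: once the move has completed, the user's hosting provider is the sipfed.online.lync.com entry created in step 4.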

Configuring Lync hybrid (split domain): user homed in Office 365

Further reading

Other posts I found useful include MVP Paul Robichaux’s post on fixing the “Cannot find registrar pool” error for sipfed.online.lync.com (one of the issues I had, although my problems seemed to run deeper than Paul’s – I had to delete my hosting provider from the Lync Control Panel, then recreate it in PowerShell).

Viewing Active Directory object updates with RepAdmin

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A couple of weeks back, I found myself having to investigate what had caused an Active Directory user account to be updated. We could see the last modified time on the Object tab for a user account in Active Directory Users and Computers (dsa.msc) and it’s also available using PowerShell.

What I really wanted to know though, was what attribute(s) on the object had changed.

It turns out that viewing Active Directory object updates is remarkably simple – even as a normal (non-admin) user. First of all you need to know the distinguished name (DN) for the object. If you don’t have access to any administrative tools then the following script might be useful (taken from the “Hey, Scripting Guy!” blog):

Set objSysInfo = CreateObject("ADSystemInfo")
strUserName = objSysInfo.UserName

Set objUser = GetObject("LDAP://" & strUserName)
strOUName = objUser.Parent

Set objOU = GetObject(strOUName)
Wscript.Echo objOU.distinguishedName

If you run this script, it will display something like:

OU=Users,OU=companyname,DC=domainname,DC=tld

I also needed to know the name of a domain controller – that’s easy as the %logonserver% environment variable will provide the information.

Armed with that information, I could then use the repadmin.exe command to find out some more information about the user object. I did need to install the Remote Server Administration Tools (RSAT) for Windows 8.1 to get repadmin on a client machine (there are similar RSAT packages for Windows 7 and Windows 10 too). Specifically, the command I used was repadmin.exe /showobjmeta servername "CN=Mark Wilson,OU=Users,OU=companyname,DC=domainname,DC=tld"

The resulting output contains all sorts of information, including which domain controller made the update for each attribute, at what date/time, to which version, and with which update sequence number (USN). So, for example, I can see the date when my password was last set (from unicodePwd, ntPwdHistory, and pwdLastSet) and that it was version 6. There’s more information in Rick Bergman’s Ask Premier Field Engineering (PFE) post on how to track the who, what, when and where of Active Directory attribute changes.
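As an added example (not code from the original post), the same per-attribute metadata that repadmin /showobjmeta prints can be read as objects with the ActiveDirectory module's Get-ADReplicationAttributeMetadata (RSAT for Windows 8.1 or later, against a Windows Server 2012 or later domain controller). The DN lookup mirrors the VBScript above; the -Since filter and the password attribute list are this example's own additions.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Get-CurrentUserDn {
    # Same COM object as the VBScript; from PowerShell its properties need InvokeMember.
    $sysInfo = New-Object -ComObject ADSystemInfo
    $sysInfo.GetType().InvokeMember('UserName', 'GetProperty', $null, $sysInfo, $null)
}

function Get-AttributeChangeHistory {
    param(
        [string]$DistinguishedName = (Get-CurrentUserDn),
        [string]$Server = ($env:LOGONSERVER -replace '^\\\\', ''),   # %logonserver% without the leading \\
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    # Equivalent raw command: repadmin.exe /showobjmeta $Server "$DistinguishedName"
    Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $Server |
        Where-Object { $_.LastOriginatingChangeTime -ge $Since } |
        Sort-Object LastOriginatingChangeTime -Descending |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
            @{ Name = 'OriginatingDC'
               # identity is the DN of the DC's NTDS Settings object; the DC name is the second RDN
               Expression = { (($_.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN=', '' } },
            LocalChangeUsn, LastOriginatingChangeUsn
}

# Which attributes changed on my own account in the last month, newest first
Get-AttributeChangeHistory | Format-Table -AutoSize

# The password-related attributes the post mentions move together on a reset, so their
# Version and timestamp should agree. pwdLastSet changing on its own (no matching unicodePwd
# change) usually means the "must change password at next logon" flag was toggled, not a reset.
Get-AttributeChangeHistory -Since ([datetime]::MinValue) |
    Where-Object { $_.AttributeName -in @('pwdLastSet', 'unicodePwd', 'ntPwdHistory', 'lmPwdHistory') } |
    Format-Table -AutoSize
```

Like repadmin, this needs no special rights beyond reading the object, so it is a quick way to establish which attribute moved, when, and from which domain controller before going to the security event logs for who made the change.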

Looping on the authentication prompt for the ECP virtual directory in Exchange 2013

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I had an “interesting” problem on an Exchange server last week… I could access the Exchange Control Panel using https://localhost/ecp but if I tried to use its externally-accessible namespace (which I needed to do in order to run the Exchange Hybrid Configuration Wizard), it kept looping on the authentication prompt. The password was correct but it just came straight back to a prompt again…

It turned out to be an issue with HTTP redirection in IIS and, following the MSExchangeGuru post on HTTP redirection issues with the ECP virtual directory I set up HTTP redirection on the Default Website but turned it off for OWA, ECP and the various other virtual directories. I also checked that SSL was not required for the PowerShell virtual directory.

Bipin Giri’s post on configuring URL redirection in Exchange 2013 suggests I need to repeat the same steps for the Exchange Backend Server website too but I didn’t find that necessary (and I’m sure I’ve also read to leave that alone!).

There’s a useful table in the MSExchangeGuru post that summarises the need for an HTTP redirect and whether SSL should be enabled for the website and for each virtual directory but it’s also worth knowing that Morten Nielsen has listed the default virtual directory settings for Exchange 2013 in great detail.
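An added example (not code from the original post) that audits, and optionally applies, the layout the post arrived at: HTTP redirect on the Default Web Site root only, no redirect on the virtual directories, and SSL not required on /PowerShell. The virtual directory list and the OWA URL are illustrative, the childOnly setting on the root is this example's addition, and the Exchange Back End site is deliberately not touched.

```powershell
# Added example, not code from the original post. Run on the Exchange 2013 Client Access server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$VDirs    = 'owa', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync', 'OAB', 'Autodiscover', 'Rpc', 'PowerShell', 'mapi'

function Get-RedirectState {
    param([string]$PSPath)   # IIS provider path, e.g. "IIS:\Sites\Default Web Site\ecp"
    $redirect = Get-WebConfiguration -PSPath $PSPath -Filter 'system.webServer/httpRedirect'
    $ssl      = Get-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/access' -Name sslFlags
    $sslText  = if ($ssl -is [string]) { $ssl } else { [string]$ssl.Value }   # flags attribute may come back wrapped
    [pscustomobject]@{
        Path        = $PSPath
        Redirect    = [bool]$redirect.enabled
        Destination = $redirect.destination
        ChildOnly   = [bool]$redirect.childOnly
        RequireSsl  = ($sslText -split ',') -contains 'Ssl'
    }
}

function Get-ExchangeRedirectReport {
    $paths = @("IIS:\Sites\$SiteName") + ($VDirs | ForEach-Object { "IIS:\Sites\$SiteName\$_" })
    foreach ($p in $paths) {
        if (Test-Path $p) { Get-RedirectState -PSPath $p }
    }
}

function Set-ExchangeRedirectLayout {
    param([string]$OwaUrl = 'https://mail.domainname.tld/owa')   # placeholder external OWA URL
    $root = "IIS:\Sites\$SiteName"
    # Root: redirect on, and only for the root itself so /ecp and friends are not redirected again
    Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/httpRedirect' -Name enabled     -Value $true
    Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/httpRedirect' -Name destination -Value $OwaUrl
    Set-WebConfigurationProperty -PSPath $root -Filter 'system.webServer/httpRedirect' -Name childOnly   -Value $true
    # Virtual directories: redirect explicitly off, as the post did for OWA, ECP and the rest
    foreach ($v in $VDirs) {
        $p = "IIS:\Sites\$SiteName\$v"
        if (Test-Path $p) {
            Set-WebConfigurationProperty -PSPath $p -Filter 'system.webServer/httpRedirect' -Name enabled -Value $false
        }
    }
    # The post's last check: /PowerShell must not require SSL
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\PowerShell" -Filter 'system.webServer/security/access' -Name sslFlags -Value 'None'
}

Get-ExchangeRedirectReport | Format-Table -AutoSize
# Set-ExchangeRedirectLayout -OwaUrl 'https://mail.domainname.tld/owa'   # apply, then re-run the report
```

Run the report first: a virtual directory showing Redirect=True is the condition that produces the authentication loop, because the redirect inherited from the site root sends the authenticated request straight back to the logon page.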

Windows 10 licence activation – make sure you use the correct installation media

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Yesterday, I wrote about the SSD upgrade I carried out for my family’s PC. The PC was originally supplied with a Windows 8 OEM licence, upgraded to 8.1, then to 10 and was correctly licenced and activated. Everything I’d read suggested that, as the machine signature was registered with Microsoft, changing the hard drive shouldn’t affect the licensing situation and it should activate after a clean install (skipping the opportunity to enter a product key during installation). For that reason, I was a little alarmed when it didn’t work.

Windows 10 was installed, but activation failed, and it seemed the only option was to go to the Store and pay almost two-hundred pounds for a copy of Windows 10 Pro. That got me thinking… “Pro” – but this was a Windows 8.1 PC (not 8.1 Pro)…

I then downloaded the correct media (Windows 10 Home), reinstalled, and it activated automatically with no problems at all. So, the moral of that little story is to make sure that you install Windows using the correct media, in order for Windows 10 licence activation to work.

Just to be clear, you can only install Windows 10 cleanly from media if the PC has previously been upgraded from a qualifying operating system (or if you purchased a Windows 10 licence). The version you will get is covered in Microsoft’s Windows 10 FAQ:

SSD PC upgrade

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Some time ago, I noticed that our family PC was running really slowly. It only has 4GB of RAM and sometimes the boys leave their flash-based websites open when they switch users (which can be a resource hog), but it was more than that (4GB should have been enough really). I dug a little deeper and found that the disk was running at a constant 100% – clearly that was the bottleneck!

I adjusted the virtual disk settings (away from the Windows defaults, which were pitifully small, to something I found recommended on the ‘net) and, whilst it helped with the system responsiveness, the disk queue was still sitting a little higher than I expected (in Resource Monitor) and Task Manager still said the disk was running at 100%.

Fast forward a few weeks and I’d been busy, the machine had been upgraded to Windows 10 and it seemed to be behaving itself. That was until, one Saturday morning, when I was just rushing out of the door to take the kids to football, I spotted the PC sitting on the kitchen counter with a boot error, followed by a failed attempt to boot from the network. “That’s great!”, I thought (actually it was some rather more grumpy words than that), “another job to fit into an already-packed weekend…”.

As it happened, I’d already been considering a solid state disk (SSD) upgrade after a customer had told me about the unit he had bought, the performance difference it had made, and how low the prices were. Our hard disk drive (HDD) failure just forced the point and I bought a 120GB Samsung EVO 850 SSD for only marginally more than the cost of a replacement 500GB Seagate Momentum Thin HDD (we don’t really need that much space anyway).

Why the EVO 850? Well, my customer had already done his homework, but the 256GB version was recently rated as a best budget SSD buy on Tom’s Hardware – and that was enough for me to buy its baby cousin.

I didn’t have time to fit the drive this week, but I set to work this afternoon, following the advice in the video below to take our laptop apart and swap the drive:

I’ll come back to the activation issue in a future post, but the SSD is awesome. Incredibly fast! And disk queues are a thing of the past (as is OEM-supplied crapware as I now have a clean PC build).

As for the old HDD, it still works… sort of. At least, I may be able to get some data off it if the spinning rust stays spinning for long enough. I bought an Anker USB 3.0 2.5″ HDD/SSD external enclosure and am very impressed. It’s so easy to use that my son fitted the old disk in seconds (no screws, just the SATA connection and slide the cover on) – perfect if you are going to clone from one disk to another (I didn’t, because I didn’t have a bootable system).

Further reading

How to upgrade your laptop hard disk to an SSD.

Samsung 850 EVO SSD review.

Manually removing servers from an Exchange organization

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I’m starting this blog post with a caveat: the process I’m going to describe here is not a good idea, goes against the advice of my colleagues (who have battle scars from when it’s been attempted in a live environment and not gone so well) and is certainly not recommended. In addition, I can’t be held responsible for any unintended consequences of following these steps.

Notwithstanding the above, I found myself trying to configure the Exchange Hybrid Configuration Wizard (HCW) in a customer environment, where the wizard failed because it was looking for servers that don’t exist any more.

I had two choices:

  1. Recover the missing Exchange servers with setup.exe /m:RecoverServer, then uninstall Exchange gracefully (for 12 servers!).
  2. Manually remove the servers using ADSI Edit.

I explained the situation to my customer, who discussed it with his Exchange expert, and they directed me to go for option 2 – this was a test environment, not production, and they were prepared to accept the risk.

Fearing the worst, I made a backup of Active Directory, just in case. This involved:

  1. Installing the Windows Server Backup Command Line Tools feature on the domain controller.
  2. Running wbadmin start systemstatebackup -backuptarget:driveletter:
  3. Sitting back and waiting for the process to complete.

With a backup completed, I could then:

  1. Run ADSI Edit.
  2. Open the configuration naming context.
  3. Navigate to CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=organizationname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domainname,DC=tld
  4. Delete the records for the servers that no longer exist.
  5. Restart each of the remaining Exchange servers in the organisation in turn.
  6. Check the server list in ECP.

(Incidentally, FYDIBOHF23SPDLT is “Caesar’s Cipher” for EXCHANGE12ROCKS).
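The ADSI Edit steps above, done from the ActiveDirectory module with the safeguards a practitioner would want: the system state backup the post describes, an export of every object about to be deleted, and a confirmation prompt per server. This is an added example, not code from the original post; the server names, the backup drive and the export folder are placeholders.

```powershell
# Added example, not code from the original post. Run on a domain controller with the
# ActiveDirectory module; prompts for each deletion unless -Confirm:$false is given,
# and -WhatIf shows what would be removed without touching anything.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)][string[]]$ServerName,                  # servers that no longer exist
    [string]$BackupTarget = 'E:',                                 # placeholder drive for wbadmin
    [string]$ExportPath   = "$env:USERPROFILE\ExchServerObjects"  # where to keep the export
)
Import-Module ActiveDirectory

# 1. System state backup of the DC, as the post does.
& wbadmin.exe start systemstatebackup -backuptarget:$BackupTarget -quiet

# 2. Locate the Exchange organisation and the legacy administrative group.
$configNC = (Get-ADRootDSE).configurationNamingContext
$org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" -SearchScope OneLevel `
    -Filter 'objectClass -eq "msExchOrganizationContainer"'
$serversContainer = "CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,$($org.DistinguishedName)"

# 3. List every server object and separate the ones to remove from the ones to keep.
$all      = Get-ADObject -SearchBase $serversContainer -SearchScope OneLevel -Filter 'objectClass -eq "msExchExchangeServer"'
$toRemove = $all | Where-Object { $ServerName -contains $_.Name }
$missing  = $ServerName | Where-Object { $all.Name -notcontains $_ }
if ($missing) { Write-Warning "Not found under $serversContainer : $($missing -join ', ')" }

# 4. Export each object and its subtree before touching it (the backup covers the DC;
#    this gives a per-server record that is easy to inspect later).
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
foreach ($srv in $toRemove) {
    Get-ADObject -SearchBase $srv.DistinguishedName -Filter * -Properties * |
        Export-Clixml -Path (Join-Path $ExportPath "$($srv.Name).xml")
}

# 5. Delete recursively, one server at a time, with ShouldProcess guarding each one.
foreach ($srv in $toRemove) {
    if ($PSCmdlet.ShouldProcess($srv.DistinguishedName, 'Remove Exchange server object and children')) {
        Remove-ADObject -Identity $srv.DistinguishedName -Recursive -Confirm:$false
    }
}

# 6. Re-read the container so the remaining list can be compared with ECP after the restarts.
Get-ADObject -SearchBase $serversContainer -SearchScope OneLevel -Filter 'objectClass -eq "msExchExchangeServer"' |
    Select-Object Name, DistinguishedName
```

The list produced in step 6 is what the remaining Exchange servers should show in ECP once each has been restarted; any server that is in Active Directory but not in ECP (or the reverse) is the first place to look if the "unknown unknowns" the post mentions start to surface.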

Murat Yildirimoglu’s Windows IT Pro article entitled “How to Uninstall a Stubborn Exchange Server” goes into more detail, including completely removing an Exchange organisation from Active Directory, should that be required (Christopher Dargel covers that too).

The process seemed to work but the danger of manually removing servers from an Exchange organization like this is the potential side effects of “unknown unknowns” (which you can be sure won’t surface immediately). It did let me progress to the next stage of the HCW though. More on that in a future blog post…

“Delivery has failed to these recipients or groups” when running Exchange in an Azure VM

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Exchange didn’t use to be supported in Azure. It is now, subject to specific requirements; however, there’s a big difference between “supported” and “works”, and it was always theoretically possible.

My current customer has a test environment running on a number of Azure VMs. All was working well, until I started to test mail flow out of the organisation. My mailboxes (work and personal) are both on Office 365 and the reply came back as:

Delivery has failed to these recipients or groups:

Mark Wilson
Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.

The following organization rejected your message: DB3FFO11FD037.mail.protection.outlook.com.

Basically, Exchange Online Protection was bouncing the mail. The error continued with diagnostic information for administrators and I could see that the message was leaving the organisation, then returning to the Exchange Edge server.

I could also see in one of the messages that it said:

“Remote Server returned ‘<DB3FFO11FD037.mail.protection.outlook.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.123.123.123] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com>'”

So I emailed and asked to be removed, quickly receiving a very polite but understandably automated and non-committal response:

“Hello ,
Thank you for your delisting request SRX1234567890ID. Your ticket was received on (Aug 28 2015 12:26 AM UTC) and will be responded to within 24 hours.

Our team will investigate the address that you have requested to be removed from our blocklist. If for any reason we are not able to remove your address, one of our technical support representatives will respond to you with additional information.

Regards,
Technical Support”

Within 24 hours, Microsoft had responded to say that we had been delisted from their blocklists (presumably they checked that the IP address was one of theirs – which was also one reason why we couldn’t add a reverse DNS record, as one might expect with an SMTP server) and the mail had started to flow:

“Hello ,
Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1234567890, which was opened in regards to your delisting request for 123.123.123.123.

The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2 hour delay before this change propagates through our entire system.

We apologize for any inconvenience this may have caused you. As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network. However, should we detect an increase in spam-like activity, the IP address may be re-added to our block list.

Should you have any further questions or concerns, please feel free to respond to this email.

Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.”

I’m glad the experience was with a customer’s test environment, and not live email flow, but worth remembering for the future…

[Ticket numbers and IP addresses in this scenario have been changed]

Control OneDrive for Business syncing to prevent data copies on non-domain-joined PCs

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One of the recently announced changes to Office 365 is the ability to better control OneDrive for Business. Specifically, it’s now possible to control OneDrive for Business syncing to prevent data from being copied to non-domain-joined PCs, based on a list of approved domains, as well as to change the storage limit for users (perhaps 1TB is just too much data and something more restrained might reduce the impact on your network). There are also some changes around the “Shared with Everyone” folder, which used to be created by default but isn’t anymore.

The full details are in an Office Mechanics video, linked from a Microsoft blog post but I recently had the chance to try them out for real.

Step 1 was to determine the ObjectGuid for each of the domains in my customer’s Active Directory Forest, using Active Directory PowerShell:

$domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -identity $d | Select ObjectGuid}

Step 2 is to connect to Office 365 using PowerShell:

$cred=Get-Credential
Connect-SPOService -Url https://tenantname-admin.sharepoint.com/ -Credential $cred

Step 3 is to take the ObjectGuid from step 1 and use the Set-SPOTenantSyncClientRestriction cmdlet to restrict synchronisation:

Set-SPOTenantSyncClientRestriction -enable -DomainGuids "a0083dbb-e136-4f48-a048-2ec3a4c40cab"

It’s worth noting that, initially, this failed for me – Set-SPOTenantSyncClientRestriction wasn’t a valid command in the version of the SharePoint Online Management Shell I had installed. I checked the version with Get-Module -ListAvailable | Format-List version, name and found I had version 15.0.4569.0 of Microsoft.Online.SharePoint.PowerShell. After updating to the latest version, I was at version 16.0.4316.0, which worked a treat:

TenantRestrictionEnabled AllowedDomainList
------------------------ -----------------
                    True {a0083dbb-e136-4f48-a048-2ec3a4c40cab}
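Steps 1 to 3 as one script, with a check that the tenant now lists exactly the forest's domain GUIDs and a guard for the old-module failure described above. This is an added example, not code from the original post; it needs the ActiveDirectory module and the SharePoint Online Management Shell, and tenantname is a placeholder.

```powershell
# Added example, not code from the original post.
param([string]$TenantName = 'tenantname')   # placeholder

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# The failure the post hit: the cmdlet is absent from module versions before 16.0.x
if (-not (Get-Command Set-SPOTenantSyncClientRestriction -ErrorAction SilentlyContinue)) {
    $v = (Get-Module Microsoft.Online.SharePoint.PowerShell).Version
    throw "Set-SPOTenantSyncClientRestriction is not available in module version $v; update the SharePoint Online Management Shell"
}

# Step 1: the ObjectGuid of every domain in the forest, as strings
$domainGuids = foreach ($d in (Get-ADForest).Domains) {
    (Get-ADDomain -Identity $d).ObjectGuid.ToString()
}

# Step 2: connect to the tenant admin site
$cred = Get-Credential -Message 'SharePoint Online administrator'
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com/" -Credential $cred

# Step 3: apply the restriction (the parameter takes a semicolon-separated list of GUIDs)
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($domainGuids -join ';')

# Read the setting back and compare it with what was requested
$state   = Get-SPOTenantSyncClientRestriction
$applied = @($state.AllowedDomainList | ForEach-Object { $_.ToString() })
$diff    = Compare-Object -ReferenceObject $domainGuids -DifferenceObject $applied

[pscustomobject]@{
    TenantRestrictionEnabled = $state.TenantRestrictionEnabled
    RequestedDomains         = $domainGuids.Count
    AppliedDomains           = $applied.Count
    Matches                  = ($state.TenantRestrictionEnabled -and -not $diff)
}
if ($diff) { $diff | Format-Table -AutoSize }
```

The comparison at the end matters in a multi-domain forest: a domain missing from AllowedDomainList means every PC joined to it loses sync once the restriction is enabled, which is exactly the kind of outage the restriction is meant to prevent on unmanaged machines rather than cause on managed ones.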

It’s important to understand how the restrictions are enforced though:

  • Not only will OneDrive for Business Sync client requests originating from a domain that is not on the safe recipients list be blocked but all OneDrive for Business Mac Sync client requests will be blocked. This also means that a sync relationship will not be established unless they are joined to an allowed domain.
  • However:
    • Mobile clients are not blocked (there are separate MDM controls for this) and any files that have previously been synced to the computer will not be deleted.
    • New or existing files added to the client will still be uploaded to the server and will not be blocked.
    • OneDrive for Business sync client prior to version 15.0.4693.1000 will stop syncing existing libraries.

Controlling the storage quota was a little more tricky. I found that I could use Get-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com to view the properties of a user’s OneDrive for Business site, but attempting to set the quota on the same site presented an error:

Set-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com -StorageQuota 2048

Set-SPOSite : Cannot get site https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com.
At line:1 char:1
+ Set-SPOSite -Identity
https://tenantname-my.sharepoint.com/personal/firstname_lastname …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

I haven’t fixed that yet, so I’ll be returning to the topic again soon, no-doubt…

Post Script

There is a known issue with domain joined PCs failing to sync OneDrive for Business, even when added to a safe list, which is fixed by the 12 May 2015 update for OneDrive for Business (see Microsoft knowledge base article 2986244).

Office 365 command line administration (redux)

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Every now and again, I find myself looking up the same things for Office 365 command line administration (i.e. using PowerShell), so it’s probably worth me writing them down in one post…

Of course, a connection to Office 365 from PowerShell is a pre-requisite – although that’s a lot simpler now than it used to be as there’s no longer any need for the Microsoft Online Services Sign In Assistant (MOS SIA), just:

Import-Module MSOnline
$Credential = Get-Credential
Connect-MsolService -credential $Credential

If you’re doing this in a script, you might want to save the password as a secure string (as described in more detail by Kris Powell):

(Get-Credential).Password | ConvertFrom-SecureString | Out-File Password.txt

To use the secure string:

$User = "alias@domainname.tld"
$Pass = Get-Content "Password.txt" | ConvertTo-SecureString
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Pass

Then Connect-MsolService -credential $Credential as above.

Setting a user password (and making sure you don’t need to force a change – one reason to do it from PowerShell rather than the web portal) involves:

Set-MsolUserPassword -UserPrincipalName alias@domainname.tld -forcechangepassword $false -newpassword password

And, if it’s a service account, turn off password expiry?

Set-MsolUser -UserPrincipalName alias@domainname.tld -PasswordNeverExpires $true
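The connection, password and expiry steps above, wrapped in functions, as an added example that is not code from the original post. It makes explicit two things the post leaves implicit: ConvertFrom-SecureString without -Key protects the file with DPAPI, so Password.txt only decrypts for the same Windows account on the same machine (fine for a scheduled task, useless if copied elsewhere), and a service account password is better generated than typed. The UPNs are placeholders.

```powershell
# Added example, not code from the original post.
Import-Module MSOnline

function Save-StoredCredential {
    # One-off, interactive. Output is DPAPI-protected: same user, same machine only.
    param([string]$Path = 'Password.txt')
    (Get-Credential).Password | ConvertFrom-SecureString | Out-File $Path
}

function Connect-FromStoredCredential {
    param([string]$UserPrincipalName, [string]$Path = 'Password.txt')
    # ConvertTo-SecureString throws here if the file was written by another user or on another machine
    $secure = Get-Content $Path | ConvertTo-SecureString
    $cred   = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UserPrincipalName, $secure
    Connect-MsolService -Credential $cred
    return $cred
}

function New-RandomPassword {
    param([int]$Length = 20)
    # Cryptographic RNG rather than Get-Random; alphabet omits look-alike characters (0/O, 1/l/I)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!$%&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Set-ServiceAccountPassword {
    param([string]$UserPrincipalName, [switch]$NeverExpires)
    $pw = New-RandomPassword
    # Service accounts must not be forced to change at next sign-in, hence the explicit $false
    Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -NewPassword $pw -ForceChangePassword $false
    if ($NeverExpires) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -PasswordNeverExpires $true
    }
    # Hand the value back as a SecureString so it is not echoed into transcripts or history
    ConvertTo-SecureString -String $pw -AsPlainText -Force
}

# Usage:
# Save-StoredCredential                                                    # once, interactively
# Connect-FromStoredCredential -UserPrincipalName 'admin@domainname.tld'
# $newPw = Set-ServiceAccountPassword -UserPrincipalName 'svc@domainname.tld' -NeverExpires
```

Setting PasswordNeverExpires is a trade-off: it removes a routine rotation prompt for an account nobody logs on to interactively, so the account's credential should live in a vault and the rotation happen through this script rather than never at all.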