Been awhile!
In this post I want to talk about Exchange Online and OWA redirection for users who still have a mailbox on premise.
When you set up your hybrid environment the wizard will automatically set your on premise TargetOwaURL to https://outlook.com/owa/domainname. You can see this by running Get-OrganizationRelationship | FL in the shell.
This is the link that a user who has been moved from on premise Exchange into Exchange Online sees when they try to access their mailbox through the on premise OWA url.
This may not be set by default in your tenant. If you run
Get-OrganizationRelationship | FL
in Exchange Online you may see a blank value. This is where you can add your on-prem OWA URL if you see fit, so users who are on-prem and try to access the cloud OWA will be redirected.
There is a catch though. If the on-prem user is NOT licensed for Exchange Online in the cloud, then this redirect URL will not show up; they will only receive the " :-( Something Went Wrong" screen. See below for examples.
(screenshots: the redirect page vs. the " :-( Something Went Wrong" screen)
So even if you have a few fully onprem users and wish to use this feature you are still going to have to pay the piper for a license.
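The following is an added example, not from the original post: it reads the organization relationship on whichever side you are connected to, fills in a blank TargetOwaURL in the tenant, and then lists synced users who hold no Exchange Online license, since those are the ones who will get the "Something Went Wrong" page instead of the redirect. It assumes an open remote PowerShell session to Exchange Online plus a Connect-MsolService session, and the URL https://mail.contoso.com/owa is a placeholder for your own on-prem OWA address.

```powershell
# Added example (not from the original post). Assumes a remote PowerShell session
# to Exchange Online and Connect-MsolService have already been run.
# https://mail.contoso.com/owa is a placeholder for the on-prem OWA URL.

# 1. What the organization relationship currently advertises as the OWA
#    redirect target. On-prem the hybrid wizard fills this in; in the tenant
#    it is frequently blank.
Get-OrganizationRelationship | Format-List Name, DomainNames, TargetOwaURL

# 2. Populate the tenant-side value so users still on-prem who land on the
#    cloud OWA are sent back to the on-prem OWA.
$onPremOwa = 'https://mail.contoso.com/owa'   # assumption: your on-prem OWA URL
Get-OrganizationRelationship |
    Where-Object { -not $_.TargetOwaURL } |
    ForEach-Object { Set-OrganizationRelationship -Identity $_.Identity -TargetOwaURL $onPremOwa }

# 3. The redirect only renders for users with an Exchange Online license.
#    Report directory-synced users with no license: they will see
#    "Something Went Wrong" instead of the redirect.
$unlicensed = Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and -not $_.IsLicensed } |
    Select-Object UserPrincipalName, LastDirSyncTime

$unlicensed | Format-Table -AutoSize
"$(@($unlicensed).Count) synced user(s) without a license"
```

Run step 1 on both sides first; the on-prem relationship should already show the outlook.com URL, and only the tenant side normally needs step 2.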
Sunday, September 4, 2016
Friday, August 5, 2016
Sites and Microsoft Exchange Active Directory Topology Service
Ran into a weird issue today. The services on my lab's Exchange server stopped working. When you try to restart them they error out with the following.
Now checking the dependencies shows that most Microsoft Exchange Services rely on the Microsoft Exchange Active Directory Service. No problem I think so I go to start that service and then I get this error.
After searching for a while and not finding a solution that fixed my issue I began to retrace my steps of what I did in my environment from when Exchange was working and when it went down. One of the things I was doing was deploying an empty test site on my DC.
Now I don't know why an empty test site that was not linked to anything broke my service, but it did. Once I deleted this test site and the test link I was able to start the Microsoft Exchange Active Directory Topology Service.
Who knew ¯\_(ツ)_/¯.
Monday, July 4, 2016
Deleting an old AAD Connect Service account
Just a little tidbit that had me confused for a second. You cannot delete an AAD Connect service account from the tenant portal; you have to do it from within Azure AD. I'm sure there is also a method to do this from the shell as well.
A normal AAD Connect service account will look like this
You can tell which one is the new one because the account is always made with the server name after the Sync_; in this case this account is tied to DC01 from within my org.
You also can no longer disable AAD Connect from the new portal from within the GUI. The new portal requires you to connect via PowerShell and run
Set-MsolDirSyncEnabled -EnableDirSync $false
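As an added example (not from the original post), the script below does the shell side of this: it reads which sync account the tenant currently records as active, lists every Sync_* account, and flags the ones that belong to a server other than the active one so leftover service accounts from old AAD Connect installs are easy to spot and remove. It assumes Connect-MsolService has already been run, that the server name after Sync_ contains no underscore, and that contoso.onmicrosoft.com is a placeholder tenant.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has
# already been run. Tenant and server names are placeholders.

# The account AAD Connect is currently using, as recorded on the tenant side.
$company = Get-MsolCompanyInformation
"Directory sync enabled : $($company.DirectorySynchronizationEnabled)"
"Current sync account   : $($company.DirSyncServiceAccount)"
"Last sync              : $($company.LastDirSyncTime)"

# Every Sync_<SERVER>_<id>@contoso.onmicrosoft.com account in the tenant.
# Each one was created by an AAD Connect install on the server named after Sync_.
$syncAccounts = Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like 'Sync_*' }

$report = foreach ($acct in $syncAccounts) {
    # Assumption: UPN looks like Sync_DC01_1a2b3c4d5e6f@contoso.onmicrosoft.com
    # and the server name itself contains no underscore.
    $server = ($acct.UserPrincipalName -split '_')[1]
    [pscustomobject]@{
        UserPrincipalName = $acct.UserPrincipalName
        Server            = $server
        IsCurrent         = ($acct.UserPrincipalName -eq $company.DirSyncServiceAccount)
        Created           = $acct.WhenCreated
    }
}
$report | Sort-Object IsCurrent -Descending | Format-Table -AutoSize

# Stale accounts (IsCurrent = False, from a server that no longer runs AAD
# Connect) still hold directory-write rights; remove them from Azure AD:
$report | Where-Object { -not $_.IsCurrent } | ForEach-Object {
    "Stale sync account: $($_.UserPrincipalName) (server $($_.Server))"
    # Remove-MsolUser -UserPrincipalName $_.UserPrincipalName   # uncomment once verified
}

# Turning directory sync off entirely (no longer possible from the portal GUI):
#   Set-MsolDirSyncEnabled -EnableDirSync $false
```

The Remove-MsolUser line is left commented so the report can be reviewed first; the account named in DirSyncServiceAccount is the only one that must survive.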
Tuesday, June 21, 2016
Decommission Exchange 2010 and Arbitration Mailboxes
Arbitration mailboxes are where messages awaiting moderator approval are stored, where the OAB is generated, and where various other administrative tasks are handled. You cannot uninstall 2010 while these are still on the database.
When you try to remove the first DB in Exchange 2010, there are a few arbitration mailboxes that will prevent database deletion. You have the choice of moving, removing, or mail-disabling these mailboxes. Since you cannot see these in the Exchange Management Console, you need to launch the Exchange Management Shell (EMS).
Get-Mailbox -Arbitration
This will list the arbitration mailboxes. To narrow it down to a specific database, you can edit this to:
Get-Mailbox -Arbitration -Database DB1
Once you have your get- command returning the correct list of mailboxes, it's time to move, disable or remove them. Disabling the last arbitration mailbox is not allowed, so I recommend moving them as the first preference here.
Move: Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2
Disable: Get-Mailbox -Arbitration -Database db1 | Disable-Mailbox -Arbitration
Remove: Get-Mailbox -Arbitration -Database db1 | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed
Once you have these taken care of you should be good to go. If something breaks when you remove these, Exchange will recreate them automatically if you rerun
setup.exe /PrepareAD
from the installation media.
Hope this helps someone!
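Here is the whole move-first procedure above as one script, added as an example and not taken from the original post. It enumerates the arbitration mailboxes on the database being retired, queues moves rather than disables (because the last arbitration mailbox cannot be disabled), waits for the move requests to finish, and then confirms the source database is empty. It assumes the Exchange 2010 Management Shell and uses DB1 and DB2 as placeholder database names.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# DB1 (database being retired) and DB2 (target) are placeholder names.

$sourceDb = 'DB1'
$targetDb = 'DB2'

# Arbitration mailboxes are hidden from the EMC; enumerate them from the shell.
$arb = @(Get-Mailbox -Arbitration -Database $sourceDb)
$arb | Format-Table Name, Database, ServerName -AutoSize

# Move rather than disable/remove: the last arbitration mailbox cannot be
# disabled, and a move keeps moderation and OAB generation working.
$arb | New-MoveRequest -TargetDatabase $targetDb -BadItemLimit 0

# Wait until every move into the target has completed or failed
# (PowerShell 2.0 compatible: -notcontains instead of -notin).
do {
    Start-Sleep -Seconds 30
    $pending = @(Get-MoveRequest -TargetDatabase $targetDb |
        Where-Object { 'Completed','Failed' -notcontains $_.Status })
    "$($pending.Count) move request(s) still running"
} while ($pending.Count -gt 0)

Get-MoveRequest -TargetDatabase $targetDb | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, TotalMailboxSize, PercentComplete -AutoSize

# Clear the finished requests and confirm nothing arbitration-related is left
# on the source before the database is removed.
Get-MoveRequest -TargetDatabase $targetDb -MoveStatus Completed |
    Remove-MoveRequest -Confirm:$false

$remaining = @(Get-Mailbox -Arbitration -Database $sourceDb)
if ($remaining.Count -eq 0) { "$sourceDb holds no arbitration mailboxes; safe to remove" }
else { "Still on ${sourceDb}: $($remaining.Name -join ', ')" }
```

Any request that ends in Failed should be inspected with Get-MoveRequestStatistics -IncludeReport before falling back to the disable or remove options.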
Wednesday, June 15, 2016
Removing a Server 2003 DC
In preparation for Exchange 2016 I had to remove a 2003 DC from my environment because Exchange 2016 requires a forest functional level of 2008.
There are guides available on how to decommission a Domain Controller so I won't go into that. I just want to touch on a small little error I received and how to fix it.
During my dcpromo portion of the decom I ran into a NETLOGON error. This is because the machine you're trying to decom is still pointing to itself for DNS. To fix this, simply go into your NIC settings and change the DNS to point to the new DC.
Sometimes things are easy I guess!
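The same NIC change from the shell, as an added example that is not part of the original post: it looks at each enabled adapter on the DC being demoted, reports any DNS server entry that points at the machine itself (or loopback), repoints it at the remaining DC, and then checks that the domain's DC SRV record resolves through that server. It uses WMI so it works with PowerShell 2.0 on Server 2003; 10.0.0.2 is a placeholder for the new DC's address.

```powershell
# Added example, not from the original post. Run on the DC being demoted
# (PowerShell 2.0 on Server 2003 is enough). 10.0.0.2 is a placeholder.

$newDcDns = '10.0.0.2'   # assumption: IP of the DC that stays in service

# Addresses this box answers on; any of them in the DNS list means "pointing at itself".
$self = @([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    ForEach-Object { $_.IPAddressToString }) + '127.0.0.1'

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    "$($nic.Description): DNS = $($nic.DNSServerSearchOrder -join ', ')"
    $pointsAtSelf = @($nic.DNSServerSearchOrder | Where-Object { $self -contains $_ })
    if ($pointsAtSelf.Count -gt 0) {
        # dcpromo's NETLOGON check fails while the domain is resolved through the DC being removed.
        $result = $nic.SetDNSServerSearchOrder(@($newDcDns))
        "  repointed to $newDcDns (ReturnValue $($result.ReturnValue); 0 means success)"
    }
}

# Confirm the domain can still be located through the remaining DC before demoting.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" $newDcDns
```

If the SRV lookup returns nothing, the remaining DC's DNS zone is the problem, not this machine, and dcpromo will keep failing until that is fixed.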
Thursday, June 9, 2016
This One is a Little Embarrassing
I recently migrated my public folders from 2007 then to 2010 and just now to 2013. There are some good guides out there on how to do this so I am not going to get into it.
http://exchangeserverpro.com/exchange-server-2010-2013-migration-moving-public-folders/
https://technet.microsoft.com/EN-US/library/dn912663(v=exchg.150).aspx#Scripts
What I will talk about is more of a lesson you should learn than anything technical. That lesson is be aware of the experience you are building for your end users.
As SMEs (not me, you guys) we can sometimes forget all the little pitfalls that can trap end users. Well just now I played the part of Pitfall Harry.
The issue was public folders were not showing up in Outlook but could be accessed from OWA.
I spent hours going over my configs trying to figure out what the problem was. Some of you are already laughing at me. I can hear it across space/time. The issue turned out to be user error. Because I was not familiar enough with the Outlook client itself I never realized that there was a button to view public folders. I thought they would just show up automagically.
Once you actually choose to view public folders they will actually show up
Moral of the story: stop and think about what you're doing and think about the end user experience. Also don't be a moron like me.
Wednesday, June 8, 2016
Exchange 2013 and Hybrid Connection Wizard
Using the Hybrid Connection Wizard that is built into Exchange Online and migrating mailboxes to the cloud has been a pretty painless experience so far in my non production lab environments.
I did run into a little piece of info today though that helped me understand how the hybrid setup works a little better.
Exchange Online uses what is called the MRS Proxy Endpoint that resides in the EWS virtual directory. You need to make sure that this has the correct internal and external URL (You should really make sure every virtual directory has the correct internal/external url before trying to migrate a mailbox), and make sure that Enable MRS Proxy endpoint is checked.
It also will query Autodiscover to find the value of your Outlook Anywhere URL and use that to locate the server that has the MRS Proxy endpoint.
Make sure you can walk before you try to run or you might meet these issues at full speed.
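The pre-flight check described above, written out as an added example (not the post's own code): it prints the internal and external URL of every client-facing virtual directory on a server, shows the Outlook Anywhere hostnames that Autodiscover will hand to Exchange Online, and enables the MRS Proxy endpoint on the EWS virtual directory if it is still off. It assumes the on-premises Exchange 2013 Management Shell; EX01 and mail.contoso.com are placeholders.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange 2013
# Management Shell. EX01 and mail.contoso.com are placeholders.

$server = 'EX01'

# Every client-facing virtual directory should carry the internal/external URLs
# that the hybrid wizard and Autodiscover will publish.
$vdirs = @(
    Get-WebServicesVirtualDirectory -Server $server
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-OabVirtualDirectory         -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
)
$vdirs | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize

# Flag anything with a blank URL before a migration is attempted.
$vdirs | Where-Object { -not $_.InternalUrl -or -not $_.ExternalUrl } |
    ForEach-Object { "Missing URL on $($_.Identity)" }

# Outlook Anywhere hostname is what Exchange Online learns from Autodiscover
# and uses to find the server hosting the MRS Proxy endpoint.
Get-OutlookAnywhere -Server $server |
    Format-List ExternalHostname, InternalHostname, ExternalClientAuthenticationMethod

# The MRS Proxy endpoint lives in the EWS virtual directory and is off by default.
$ews = Get-WebServicesVirtualDirectory -Server $server
if (-not $ews.MRSProxyEnabled) {
    $ews | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true
    "MRS Proxy enabled on $($ews.Identity)"
} else {
    "MRS Proxy already enabled on $($ews.Identity)"
}

# Verify from the Exchange Online side before queuing a migration batch
# (run in a remote PowerShell session to Exchange Online):
#   $cred = Get-Credential 'contoso\administrator'
#   Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer mail.contoso.com -Credentials $cred
```

Test-MigrationServerAvailability exercises the same path the real move uses (Autodiscover, then the EWS endpoint), so a failure there points at the URL or MRS Proxy setting rather than at the mailbox itself.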
Thursday, June 2, 2016
Exchange 2003, 2007, and 2010 coexistence
Friday, May 27, 2016
Exchange 2007 and 2003 Coexistence
Moving on to bigger and greater things! Exchange 2007!
Exchange 2007 introduced new server roles (or at least renamed them): Hub Transport Server, CAS server, and Mailbox Server. It also came with other server roles like Edge and Unified Messaging but we won't get into those for now...cause I don't know squat about them.
Exchange 2007 also introduced the new name for the default OWA virtual directory /OWA. No more /Exchange from here on out.
This brings me to the point of this post. Normally, given the right configuration, your 2007 server should be able to process a request of mail.domain.com/exchange and, if a 2003 user logs in, it will proxy that connection back to the 2003 server.
Except sometimes it doesn't. In one very specific case redirection will fail. If your 2007 server has the Mailbox role installed onto the same server as the CAS role then you are out of luck, better go buy another server.
The worst part about all of this is that I only found this documented in one tiny spot buried in a Technet article. I felt like an archeologist discovering the struggles of an ancient civilization.
Article in question
Next time you have a client that is upgrading from 2003 to 2007 in the year 2016, watch out for this gotcha...
Wednesday, May 25, 2016
AAD Connect and Password Syncs
AADConnect is great isn't it? It syncs all your info to the fluffy cloud.
Almost all of it.
When you run a sync, anytime after the initial sync, it does not sync on-prem users' passwords even if you have password sync enabled. I'm sure that there is a built-in schedule to sync passwords, but what if you have a user who logged into the tenant and was able to change their password and you need to sync it back to the on-prem password right away? A full sync or delta sync or a kitchen sink is not going to help here.
Now you could have password writeback enabled if you have Azure AD Premium, but not everyone has the cash for that. What you can do though is reset that user's password on-prem. Doing this on-prem will force a password sync to the tenant right then and there.
Ta-Da
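An added example (not from the original post) that does the on-prem reset and then watches the tenant to confirm the password actually arrived: it records the user's LastPasswordChangeTimestamp in Azure AD, resets the password on-prem, and polls until the tenant timestamp moves. It assumes the ActiveDirectory module on a domain-joined machine, an existing Connect-MsolService session, and uses jdoe / contoso.com as placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module on
# an on-prem domain-joined box and a Connect-MsolService session already open.
# jdoe and contoso.com are placeholders.

Import-Module ActiveDirectory

$user = 'jdoe'
$upn  = 'jdoe@contoso.com'

# The tenant's view before the reset.
$before = (Get-MsolUser -UserPrincipalName $upn).LastPasswordChangeTimestamp
"Tenant LastPasswordChangeTimestamp before: $before"

# Resetting the password on-prem is what pushes this user's password hash to the
# tenant immediately; a delta or full sync cycle does not.
$newPwd = Read-Host -Prompt "New password for $user" -AsSecureString
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

# Poll the tenant until the change timestamp moves; give up after 5 minutes.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 20
    $after = (Get-MsolUser -UserPrincipalName $upn).LastPasswordChangeTimestamp
} while ($after -eq $before -and (Get-Date) -lt $deadline)

if ($after -ne $before) {
    "Synced: tenant timestamp is now $after"
} else {
    "Not synced within 5 minutes. Check (Get-MsolCompanyInformation).LastPasswordSyncTime " +
    "and the Directory Synchronization event log on the AAD Connect server."
}
```

LastPasswordSyncTime on Get-MsolCompanyInformation tells you whether password sync as a whole is running; if that is stale, no per-user reset will help until the AAD Connect server is healthy again.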
Forest vs Domain Functional Level
This is another small issue that I spent more time on than I needed.
Noticing a trend yet?
What might not be apparent to some is that domain functional level and forest functional level are changed in two separate yet similar locations. I ran into this when trying to install a 2012 R2 DC into a 2003 environment.
To change the domain functional level you need to do it from AD Domains and Trusts under the domain named object.
To make a change to the actual forest functional level you need to go up one area in the tree.
One small click for man, one giant difference for your environment...or something like that, I'm not an astronaut.
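The two levels from the shell, as an added example that is not from the original post: it reads the domain and forest functional levels separately (they are two different objects, just as they are two different places in AD Domains and Trusts), lists the DCs by operating system so you can see what is holding a level down, and raises first the domain and then the forest to 2008, which is the forest level the Exchange 2016 post above requires. It assumes the ActiveDirectory module on a DC or RSAT workstation.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# on a DC or an RSAT workstation. Target levels are the 2008 minimum that
# Exchange 2016 needs; raising a level is one-way.

Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Domain and forest levels live on different objects and can diverge; the forest
# level can never be raised above the lowest domain level in the forest.
"Domain '$($domain.DNSRoot)' functional level : $($domain.DomainMode)"
"Forest '$($forest.Name)' functional level    : $($forest.ForestMode)"

# A DC still running 2003 blocks raising either level; list them first.
Get-ADDomainController -Filter * |
    Format-Table HostName, OperatingSystem, IsGlobalCatalog -AutoSize

# Compare as integers so the check does not depend on string ordering.
$wantDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
$wantForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest

# Domain first (AD Domains and Trusts > the domain object) ...
if ([int]$domain.DomainMode -lt $wantDomain) {
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -Confirm:$false
    "Raised domain level to Windows2008Domain"
}

# ... then the forest (one level up in the tree).
if ([int]$forest.ForestMode -lt $wantForest) {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Confirm:$false
    "Raised forest level to Windows2008Forest"
}

# Re-read to confirm both changes replicated to the DC you are talking to.
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode
```

In a multi-domain forest, repeat the domain step against every domain before the forest step, otherwise Set-ADForestMode refuses.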
Monday, May 23, 2016
Labbing out Exchange 2003 in 2016
Cutting my teeth on Exchange 2013 means I had it easy compared to the days of old. As a project I had to go back and stand up a brand new Exchange 2003 environment in my lab.
To be fair this was not as painful as I had imagined.
There were some leftover ideas from days gone by that immediately stood out to me such as having to change from disc 1 to disc 2 during the installation and schema update, the overall design of the interface, the lack of CLI tools, and good old /exchange.
My first true test, which I failed, came in the form of SSL and not knowing the way 2003 works. 2007 and up come with a self-signed certificate when using HTTPS; 2003 does not. I spent 2 days trying to figure out why HTTPS would not work on my /exchange directory until I realized that I either needed to stand up an internal CA or get a trusted 3rd-party cert. Here is a link that shows my pleas to reddit for help (spoiler: not the first or last time this will happen)
https://www.reddit.com/r/exchangeserver/comments/4icdkr/exchange_2003_and_ssl_problem/
Lesson learned.
I ended up going with a 3rd party SAN cert with the names domain.com, mail.domain.com, autodiscover.domain.com, and legacy.domain.com in preparation for what is to come.
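A check that would have shortened those two days, added here as an example and not part of the original post: it opens a TLS connection to each name on the SAN certificate, reports the certificate the server actually presents (subject, issuer, expiry, SAN list), builds the chain against the local trusted roots, and confirms the requested hostname appears on the cert. A 2003 box with no certificate bound fails the handshake outright, which is the first branch below. It assumes PowerShell 3 or later on the client, negotiates TLS 1.0 because that is what Exchange 2003 speaks, and uses contoso.com placeholders for the names.

```powershell
# Added example, not from the original post. PowerShell 3+ on the client.
# Negotiates TLS 1.0 on purpose because an Exchange 2003 host speaks nothing newer.
# Hostnames are placeholders.

function Test-ExchangeTlsCert {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port) }
    catch { return [pscustomobject]@{ Host = $HostName; Reachable = $false; Error = $_.Exception.Message } }

    # Accept any certificate at handshake time so it can be inspected afterwards.
    $acceptAll = { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain validation against the local trusted roots (what Outlook/OWA clients do).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Name match: the host must be in the SAN list or the subject CN.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        $san = if ($sanExt) { $sanExt.Format($true) } else { '' }
        $escaped = [regex]::Escape($HostName)
        $nameOk = ($san -match "DNS Name=$escaped") -or ($cert.Subject -match "CN=$escaped(,|$)")

        [pscustomobject]@{
            Host        = $HostName
            Reachable   = $true
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SANs        = ($san -replace "`r?`n", ' ')
            Trusted     = $trusted
            ChainStatus = if ($chainStatus) { $chainStatus } else { 'OK' }
            NameMatches = $nameOk
        }
    } catch {
        # Typical for a 2003 box with no certificate bound: the handshake never completes.
        [pscustomobject]@{ Host = $HostName; Reachable = $true; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

# Every name on the SAN cert should come back Trusted and NameMatches = True.
'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com' |
    ForEach-Object { Test-ExchangeTlsCert -HostName $_ } |
    Format-List
```

A self-signed or internal-CA certificate shows Trusted = False with UntrustedRoot in ChainStatus until the issuing root is in the client's trusted store, which is the difference between the internal-CA and 3rd-party options in the post.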