Exchange Hybrid Mailbox Migrations slow when using TMG

Posted on April 23, 2013 by Sean O'Farrell

When using Exchange online in Hybrid mode , if you want to have a unified global address list with exchange online users and onpremise users then you need to create on premise blank mailboxes for the users that you want to use exchange online and then create ‘remote move requests‘ to move the onpremise mailboxes to exchange online.

During the move request , if you open the log you may see ‘Relinquishing job because the mailbox is locked‘

So in order to fix this and really speed up the remote move requests we need to go to the intrusion prevention section of TMG and then the Behavioral Detection\Configure Flood Mitifgation Settings as per the image below.

We click on the link for Configure Flood Mitigation Settings and then click on ‘IP Exceptions‘ and create a new computer set. In the image below I called it ‘Exchange Online Protection‘ and add a computer set with the exchange online protection range as per the image below

All of the Exchange Online Protection IP ranges can be found at this SITE

You can susbscribe via RSS feed HERE to the Microsoft Online IP Ranges

So now Remote move requests will migrate a lot quicker 🙂

Migrating Lotus Notes users into an Exchange Hybrid

Posted on April 20, 2013 by Sean O'Farrell

In this post I just wanted to highlight what active directory attributes need to change on a user account when you have an existing Exchange Hybrid and want to migrate Lotus Domino users into exchange online.

Primary Email Address: Sean@contoso.com
Hybrid email Domain: contoso.mail.microsoft.com

The existing users that have exchange mailboxes will already have exchange active directory attributes. So lets take a look at what happens when you migrate an on premise exchange mailbox to exchange online.

When you run dirsync , a proxy hybrid domain is created in the example above it is contoso.mail.microsoft.com. So when you initiate a ‘new remote move request‘ and move an onprem user to the cloud the user becomes a mail contact and their routing email address becomes

So how do we populate the active directory users that have came into our active directory from Lotus notes with the right attributes so that when they sync with dirsync to exchange online they will have the correct PRIMARY email address and be able to co-exist with the onpremise users.

We use my good friend ADMODIFY to modify some key attributes

So in this example the default email address policy is firstname.secondname@contoso.com

So we connect to our active directory via admodify and select all the users or organisational units we want to modify and add them to the list we then enter ‘%’givenname’%.%’sn’%@contoso.com‘ on the email address tab

So now that we have modified this attribute the user’s primary email address will be ‘firstname.secondname@contoso.com‘ when synced with dirsync.

We need to make sure the users have the correct UPN and this can be done by viewing one of my previous blogs HERE

We need to modify one more attribute as these users will be in exchange online and will need to co-exist with the exchange on premise users.So as per the image below we enter the following syntax ‘SMTP:%’givenname’%.%’sn’%@contoso.mail.microsoft.com‘ in the ‘targetAddress‘ attribute.

So the beauty of ADMODIFY is that you can modify thousands of users attributes in a couple of minutes and if something goes wrong it writes the config changes to an xml file. So you can quickly undo the changes you made if there were problems.
SO KEEP THE ADMODIFY CONFIGURATION XML FILES SAFE!

Lets say you don’t want some users to sync to exchange online , you can filter them by what organisational unit gets synced or you can use admodify again to modify a custom attribute by entering ‘nooffice365‘ as per the image below in the ‘extensionAttribute10‘ attribute

Ok so now we have users in exchange online and we have no dirsync error notification emails. How do we mass activate them. Well we run two powershell commands.

We set the user’s location , in this example the country is US
Get-MsolUser -UnlicensedUsersOnly |Set-MsolUser -UsageLocation US
Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses “Contoso.com”:EXCHANGESTANDARD

Now we have populated our Active Directory with all the correct attributes that will enable co-existence and mass activated those users via powershell.

So now its over to my choice of software for Lotus Notes migration.

Quest Notes Migrator for Exchange

I will post a step by step blog on setting up quest nme next month. This post was to show people how to prep ad and exchange online for mass migration to exchange online where an existing hybrid was in place.

Note:
Quest NME will not populate the GAL as the source directory will be Lotus Notes and target directory Exchange Online.So to populate the gal after you have made all the attribute changes above run this command in the exchange management shell Enable-RemoteMailbox sean@contoso.com -RemoteRoutingAddress sean@contoso.mail.onmicrosoft.com

Microsoft Office Configuration Analyzer Tool 1.0

Posted on April 17, 2013 by Sean O'Farrell

I previously blogged HERE about the Microsoft Outlook Connectivity Analyzer 2.0 which has now been replaced by the Microsoft Office Configuration Analyzer Tool 1.0 which you can download HERE

This tool can be really useful when troubleshooting connectivity issues like firewalls and proxies blocking access to Office365.

Bulk activation of Office365 Users

Posted on April 4, 2013 by Sean O'Farrell

When using DirSync and ADFS it can take a long time to activate thousands of users. So here is a really quick way of doing it.

Firstly HERE is a great article on msexchangeguru.com on dirsync filtering. So there are plenty of organisational units in Active Directory that do not need to be syncronised to Office365.

So I always filter the OU’s that are synchronized to Office365.

Within the organisation section of the Office365 portal make your external domain which has been verified the default domain.

Ensure all user’s have the correct User Principal Names as per one of my previous BLOGS

So once all the user’s have been synced to Office365 , they need a license assigned to them.

So connect to Office365 via the Windows Active Directory Module for Windows Powershell and do the following.

connect-msolservice # and enter an Office365 Global Administrator’s credentials.

Get-MsolAccountSku # this will tell you what office365 skus are available. For this example it will be EXCHANGESTANDARD

As all of the users are currently unlicensed , we will set a location for the users as per the command below and the location will be us.

Get-MsolUser -UnlicensedUsersOnly |Set-MsolUser -UsageLocation US

Then we will add a mailbox for all the users that were synced and we can do so with the following command.

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses “Contoso”:EXCHANGESTANDARD

Now all the users have a mailbox and can start using Exchange Online 🙂

Office365 ADFS 2.0 with full SQL Server

Posted on March 28, 2013 by Sean O'Farrell

As per my previous post about DirSync for Enterprise organisations , We also need to install ADFS farms into SQL clusters for high availability and scalability. So below are the steps to install ADFS 2.0 into a SQL Cluster.

In this example on how to set this up for the purposes of this demo , Please take note of the following items.

Domain:contoso
ADFS Server : adfs.contoso.local
SQL Cluster: sqlclus
ADFS Service Account: contoso\adfs
ADFS Service Name: signin.contoso.com

Download and install ADFS 2.0 RTW which you can download HERE The ADFS 2.0 installer installs the pre-requisites required for the software.
Do not open the ADFS configuration wizard after the install has complete, Download and install ADFS 2.0 Rollup 3 which you can download HERE
Now get your trusted ssl certificate for your adfs service name ‘signin.contoso.com‘ and bind it to the default site. I always remove any http bindings for the default website on your adfs lan server.
In certificate manager. Right Click on the trusted certificate ‘signin.contoso.com‘ and select all tasks\manage private keys and then add the contoso\adfs service account permissions ‘Full Control & Read’
From a command prompt with elevated privileges make this the current directory C:\Program Files\Active Directory Federation Services 2.0\
Now we are ready to create the ADFS farm and we do so with the following command
FSConfig.exe CreateSQLFarm /ServiceAccount “contoso\adfs” /ServiceAccountPassword “password” /SQLConnectionString “database=AdfsConfigurationServer;server=sqlclus;integrated security=SSPI” /port 443 /FederationServiceName “signin.contoso.com” /CleanConfig /AutoCertRolloverEnabled

And you will see the following output from the command prompt window

Ideally the lan adfs servers will be load balanced , If you need to use a sql cluster for your adfs deployment then there is a good chance the customer will have load balancers like F5, Netscaler or Kemp.My preference would be Kemp.So there will be a virtual ip for the ADFS Service name ‘signin.contoso.com‘
To enable kerberos authentication to Outlook Wep App and Sharepoint , place the https://signin.contoso.com into the intranet settings in Internet explorer for clients via group policy.
ADFS proxy servers will be in a DMZ or else TMG Servers can also act as adfs proxy servers and will point at the loadbalanced ‘signin.contoso.com‘ vip in the lan.
Cloudfloor DNS provide GEO dns routing. So for example they can direct traffic from iso country codes to a location of choice. For example us adfs requests can hit us adfs servers. Irish requests can hit Irish adfs servers etc… So a service like this can take care of the external load balancing.
So now we have all this done , time to federate the onpremise domain name ‘contoso.com‘ with our Office365 tenant.
Before we do this we need to ensure we have done the following.
A: Verify ownership of contoso.com
B:Activate Active Directory Synchronisation
C: Download and install the Microsoft Single Sign in Assistant HERE
D: Once the Single Signin Assistant has been installed , Download and install the Windows Azure Directory Module for Powershell HERE
Now we are ready to run the commands to federate ‘contoso.com‘ with Office365 and we will do so with the following command
$cred=Get-Credential

Connect-MsolService –Credential $cred
Set-MsolAdfscontext -Computer adfs.contoso.local # then enter contoso\adfs credentials
Convert-MsolDomainToFederated –DomainName contoso.com -SupportMultipleDomain
You might have only one domain, But I always recommend using the -SupportMultipleDomain switch as it can future proof your adfs service. For example your customer could acquire a company.
Finally we want to brand our ADFS Proxy pages with company logos and here is a great blog posting by Laurent Bel on how to customise the ADFS 2.0 login page HERE
So now that we have created our first ADFS Server to connect to a SQL Cluster , How do we add more ADFS servers. We do so with the following command as per the original ADFS server setup.
FSConfig.exe joinSQLFarm /ServiceAccount ‘contoso\adfs‘ /ServiceAccountPassword ‘password‘ /SQLConnectionString “database=AdfsConfigurationServer;server=sqlclus;integrated security=SSPI”

The term “primary federation server” does not apply when the AD FS configuration database is stored in a SQL database instance because all federation servers can equally read and write to the AD FS configuration database that is using the same clustered SQL Server instance, as shown in the following illustration

I have not installed ADFS 2.1 on Windows Server 2012 into a SQL Cluster yet but I think it would be the exact same process. I will be doing this on a project coming up shortly and will create a new blog post for this.

I hope people find this blog posting useful as it took me quite a bit of time to get ADFS right when I first started working with ADFS.

Sean

Intsall DirSync into full SQL

Posted on March 28, 2013 by Sean O'Farrell

Installing Dirsync is a requirement for enterprise directory synchronisation’s. When I say enterprise i mean , directories with over 50,000 active directory objects or users. By using full sql server as apposed to the standard sql express , we can also make the database highly available via SQL clustering.

So to install it requires some small steps.

1. Open a command prompt with elevated privileges and make the directory where the dirsync.exe installation file is located the current directory. Then run this command ‘dirsync /fullsql’

2. This will install Dirsync without the standard SQL Express.

3. Next , browse to C:\program files\Microsoft Online Directory Sync\DirSyncInstallShell and follow the install syntax in this Microsoft Article

4. Make Sure you are installing into a minimum of Server 2008R2 SP1 ideally SP2

5. IDFIX is a great utility recently released from Microsoft to troubleshoot DirSync errors which you can download HERE

SMTP relay to Office365

Posted on March 25, 2013 by Sean O'Farrell

Microsoft have an article on how to setup smtp relay to Office365 KB2600912

An example of why would you would need this is whereby you need to continue to scan to email from your on-premise multi function printer.

Another way of doing this is by relaying through your isp’s smtp outbound mail server. For example UPC’s outgoing mail server is ‘smtp.upcmail.ie‘

But if you are using the new exchange online (tenant version 15) then it will get processed as spam.

So to fix this you simply need to create a rule, So below I will show some screenshots in whitelisting scanner@contoso.com

So you need to login to https://portal.microsoftonline.com and in the top right hand corner , select exchange management.

Then go to mail flow and add a new rule as per the image below, selecting the bypass spam filtering rule template.

Then specify the sender as ‘scanner@contoso.com’ with the default options.

Now you can receive your scan to email documents 🙂

Upgrading DPM2010RTM to SP1 Rollup 1

Posted on January 11, 2013 by Sean O'Farrell

The upgrade from DPM2012 to DPM2012 SP1 RU1 is quite simple or so I thought!

In order to install SP1 for dpm2012 rollup3 is a pre-requisite which you can download HERE
However I could not get Rollup 3 to install as it kept failing on execute sql strings section.
Open a command prompt with elevated privileges and make this the current directory “C:\Program Files\Microsoft System Center 2012\DPM\DPM\bin” and then run this command dpmbackup -db. This will place a backup of the dpm database in the following folder C:\Program Files\Microsoft System Center 2012\DPM\DPM\Volumes\ShadowCopy\Database Backups
So once we have done a backup , the trick is to set the options on the DPM database to single user mode as per the image below.So once this is done. You can install Rollup 3.

I would then still leave it in single user mode when installing DPM 2012 SP1
You may get an error with id:820 when DPM2012 begins the upgrade to SP1. HERE is a description on how to fix it. HERE is also a great post about WMI Service errors
You may also get an error 812 stating that reporting services cannot be configured. So to fix this there are a few steps.
Firstly run this command ‘netsh http show urlacl’ and copy all the http urls on port 80.
So in my case I deleted the following urls with the following cmmands

netsh http delete urlacl http://+:80/Temporary_Listen_Addresses/
netsh http delete urlacl http://+:80/ReportServer_MSDPM2012/
netsh http delete urlacl http://+:80/Reports_MSDPM2012/

Then open up SQL 2008R2 / Reporting Services Configuration Manager and connect to the dpm2012 instance. Within the web services url section click apply. Then you can re-run setup and no more error 812
Then after SP1 has been installed , you need to install ROLLUP1 for DPM 2012 SP1
Finally you can then re-enable multi-user mode on the database and login to DPM2012 SP1 RU1 🙂
Final version number will display as per the image below. Version 4.1.3322.0

The target mail user doesn’t have an SMTP ddress that matches the target delivery domain

Posted on December 13, 2012 by Sean O'Farrell

I recently came across the error in the image above when trying to move mailboxes from an on-premise hybrid server to Office365.

Why would this happen?

Configure your hybrid servers before you configure dirsync. During the hybrid configuration wizard , the wizard creates a sub domain ‘domain.mail.onmicrosoft.com’

Now that the target delivery domain has been created by the Hybrid Wizard, We can run the DirSync configuration wizard. Select enable ‘hybrid configuration’ so once the wizard can see the target delivery domain it will add the smtp:email@domain.mail.onmicrosoft.com to the proxyaddress attribute in Active Directory for each user account.

So now when you try to run a remote move request, it will complete without issue.

ADFS Farm Highly Available between geographical sites

Posted on November 27, 2012 by Sean O'Farrell

I am working on a project now moving 700 users to Exchange Online. I am implementing single sign on via an ADFS Farm and DirSync.

Not every organisation has load balancers or the even the ability to load balance external DNS.

A very important factor that needs to be taken into consideration is this. If the Microsoft Online Services federation gateway cannot communicate with a customers on premise active directory then users are not getting their email , lync or sharepoint.

Email will still flow, but the users will think the service is down. So because of this it is always a good idea to have some high availability with the ADFS farm.

So I came across a company called Cloudfloor DNS .Cloudfloor provide the ability to loadbalance the traffic via round robin or active passive to my adfs proxy servers.It is quite a simple service but a lifesaver in the event of one site going down and all users not being able to use their Microsoft online services.

Cloudfloor can also do geographical dns based rules. This could be very useful in a gloabl lync or exchange deployment. Australian traffic goes to australian exchange servers and lync servers etc…. etc…

To set it up takes 5 minutes and works perfectly when tested.

Cloud-Secure.ai

Boost your security posture with the power of ai