Setting Office 365 UsageLocation value using the Country attribute value

Hi,

Since Office 365 projects started, setting users` licenses with scripts has been somewhat of an issue.

There are great scripts out there to automate assigning licenses to users, but the prerequisite of assigning an Office 365 license to a user is to choose the Usage Location for that user. When dealing with several dozens or hundreds of users that might be fine, but for large scaled deployments this becomes also an issue. and I’ve decided to script it and share this in case anyone will need this as much as I did.

This script is has a really simple logic, trace down the Country attribute value for each user, match that with the two letter country code (required for the PowerShell Set-MsolUser command) and set that value for the user.

I’ve worked up to match the list from https://www.iso.org/obp/ui to the countries available for selection within the Office 365 portal.

Keep in mind that the script will not handle any spelling errors, so be sure to maintain the country value BEFORE you run this script. If you are using Directory Synchronization this should be more productive as your Active Directory will also benefit from this move…

The script will try to find an exact match of the country value, although – case Insensitive.

grab it here: http://gallery.technet.microsoft.com/office/Setting-Office-365-Usage-4d685175

Please share your comments if you have any, I would love hearing this script is being used.

ilantz

Posted in Office 365, PowerShell | 2 Comments

Exchange Hybrid Configuration failed with error Subtask Configure execution failed

Hi Again,

While setting up the Hybrid Configuration Wizard on an Exchange 2010 server for Office 365, I’ve encountered this error:

[2/4/2014 13:36:8] INFO:Running command: Get-FederationInformation -DomainName 'contoso.mail.onmicrosoft.com' -BypassAdditionalDomainValidation 'True'
[2/4/2014 13:36:8] INFO:Cmdlet: Get-FederationInformation --Start Time: 2/4/2014 3:36:08 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --End Time: 2/4/2014 3:36:16 PM.
[2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --Processing Time: 7690.8.
[2/4/2014 13:36:16] INFO:Disconnected from On-Premises session
[2/4/2014 13:36:17] INFO:Disconnected from Tenant session
[2/4/2014 13:36:17] ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships.


Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.


Operation is not valid due to the current state of the object.
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.


Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_4_2014_13_35_39_635271177398297855.log.

Looking at the application log in the Exchange server showed an Event ID 403 with source MSExchange Common:
The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

The Certificate named xxxxxxx in the Federation Trust 'Microsoft Federation Gateway' is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server.

After checking of course, the Federation certificate was just created… and is indeed valid…..

All that was required was a quick “restart” to the application pools on the server, I usually just restart the MSExchangeServiceHost and MSExchangeProtectedServiceHost services. after that the wizard completed successfully :)

Hope this helped anyone,

ilantz

Posted in Exchange 2010, Office 365, Uncategorized | 2 Comments

Manually adding a secondary SMTP proxy address for hybrid Exchange Online and Office 365

Hi again,

I’ve been busy with more Office 365 and Hybrid Exchange Online deployments and came up with a script I hope will help some of you out there.

While deploying an Hybrid Exchange Online setup, one of the steps the Hybrid Configuration Wizard is doing is modifying the email address policy and adding “alias@tenant.mail.onmicrosoft.com” to the relevant EAP policies. This is great although there’s a good chance you have some mailboxes that are set with EmailAddressPolicyEnabled:$false

I’ve written a function that will help you add the additional secondary SMTP proxy address to those mailboxes easily :)

Once loaded, run the Add-OnMicrosoftSMTP cmdlet:

Add-OnMicrosoftSMTP -Tenant:ilantz

The cmdlet will accept input or prompt for your “Tenant” name, for example – if your Office 365 tenant is ilantz.onmicrosoft.com, enter ilantz as the tenant name. Once entered it will find all mailboxes with the property EmailAddressPolicyEnabled:$false and will try to add the routing SMTP address – alias@tenant.mail.onmicrosoft.com (following the default Exchange Hybrid Configuration Wizard settings). If that SMTP proxy address is already taken, the function will add a random 5 digit number to the alias – alias12345@tenant.mail.onmicrosoft.com.

The function will catch and display any exceptions that may occur during the process.

Get the script here – http://gallery.technet.microsoft.com/Office-365-Add-Exchange-14c7f0c3

Enjoy !

ilantz

 

Posted in Exchange 2010, Exchange 2013, Office 365, PowerShell | Leave a comment

The Outlook Web App address is out of date – Office 365 Hybrid

Quick note from the field..

I’ve encountered an issue with an Exchange 2010 and Office 365 Hybrid configuration, users that were moved to Office 365 and tried to reach the original On-Premise OWA URL were receiving an error – The Outlook Web App address https://owa.domain.com/owa is out of date.

The Outlook Web App Address Is Out Of Date

What should have happen is that the OWA will offer the users to use the URL configured on the TargetOwaUrl parameter on the Organization Relationship to the Office 365 routing domain. After some digging I’ve realized that this hybrid setup was performed using the manual steps that were documented for Exchange 2010 SP1, so the Hybrid Configuration Wizard did not do it’s magic….

Anyhow, after comparing this setup with a working hybrid configuration including the OWA redirection, I’ve noticed that the TargetOwaUrl value did not had xxx/owa/xxxx in it’s URL.

So instead of http://outlook.com/owa/domain.mail.onmicrosoft.com – I’ve had http://outlook.com/domain.mail.onmicrosoft.com

So after running Set-OrganizationRelationship -TargetOwaURL “http://outlook.com/owa/domain.mail.onmicrosoft.com” the redirection worked as expected.

Hope this helps out anyone,

ilantz

See also: Simplify the OWA URL for Office 365 Hybrid

Posted in Exchange 2010, Office 365 | Leave a comment

Patch Alert – Vulnerability in Active Directory Federation Services – MS13-066

In case you’ve missed it, Microsoft has released a few security patches this week, among them a highly recommended patch that will safeguard your ADFS deployment from a possible DDoS attack -Microsoft Security Bulletin MS13-066

Make sure you visit the link above and patch your servers today !

Stay safe,

ilantz

Posted in ADFS | Leave a comment

Update your Windows 7 SP1 and Server 2008 R2 SP1

In case you’ve missed it, Microsoft released a roll-up update Hotfix for Windows 7 SP1 and Server 2008 R2 SP1 which includes 90 updates (!) post-SP1 – An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1

Here’s a quote from the KB:

This article describes a hotfix rollup for Windows 7 Service Pack 1 (SP1)-based and Windows Server 2008 R2 SP1-based computers. This hotfix rollup contains 90 hotfixes that were released after the release of SP1 for Windows 7 and Windows Server 2008 R2. These hotfixes improve the overall performance and system reliability of Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers. We recommend that you apply this hotfix rollup as part of your regular maintenance routine and build processes for Windows 7 and Windows Server 2008 R2 computers.
Note This hotfix rollup primarily addresses the issues that occur on domain-joined client computers and servers. Therefore, this hotfix rollup is available only from the Microsoft Update Catalog. You can also install this hotfix rollup on computers that are running Windows 7 SP1 in nonenterprise environments. After you install the hotfix rollup, the performance of the computers may be improved.

stay updated :)

ilantz

Posted in Server 2008 / R2, Vista / 7 | Leave a comment

Office 365 Migration Batch Error – Failed to overwrite the existing Migration Job Item found for “user@domain.com”

Hi Again,

During a simple migration (cutoff) to Office 365 Exchange Online, I’ve encountered a few errors that prevented the migration batch to complete successfully, and wanted to share in case anyone is struggling with them.

  • Active Directory operation failed on AMSPR01A001DC01.EURPR01A001.prod.outlook.com. The object ‘CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR01A001,DC=prod,DC=outlook,DC=com’ already exists.

This error states that the migration batch failed to create a new object because that specific name is already taken. sadly enough the value for the CN=xxxx is taken from the alias property of the user/contact/group being migrated from the on-premise server.. and alias is not unique within (most) Exchange deployments.

To Solve this, work with the “alias” property value on your local AD to locate the conflicting objects, work with the results of the migration job and cross-reference until you will eliminate all duplicates of the alias values.

  • Failed to overwrite the existing Migration Job Item found for “user@domain.com” [Mailbox]; the Job Item was created with different Recipient Type [Contact]. You may delete the newly created Mailbox and recreate the actual Contact for user@domain.com.

This error could be a result of your actions to fix duplicates issues, if for some reason the migration batch started with user@domain.com being a contact and that object has changed it will fail to “update/sync” and will continue to expect the original object type which was different in this example a contact.

To solve this Connect to Exchange Online Using Remote PowerShell and work with two commands – Get-MigrationUser and Remove-MigrationUser to remove the incorrect object from the migration batch and then resume it. This will make sure the new (correct) object will be synced successfully. Here’s an example of how to use these commands:

Get-MigrationUser -Identity User@Domain.com | FL

Notice the output here and make sure this is indeed the incorrect object that needs to be removed, and then pipe the output to remove that user from the Migration Batch:

Get-MigrationUser -Identity User@Domain.com | Remove-MigrationUser

Once removed, you can resume the migration again and it should now sync correctly your mailboxes.

Hope this helps !

ilantz

Posted in Office 365 | Leave a comment

Exchange 2013 Outlook Anywhere Considerations

Hi,

With Exchange 2013 deployments already in place, I’ve wanted to share with you all some “new” behaviors, tips and more to help you prevent headaches and issues :)

With regards to two previously posts – Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover and also Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere – this post is some sort of a follow-up.

With Exchange 2013, Outlook Anywhere (aka RPC over HTTP/s) is the default method for Outlook clients connections – that is no more direct RPC connections to the servers for Outlook clients. Exchange 2013 will essentially require you to utilize Autodiscover and Outlook Anywhere to actually get your Outlook client connected. This is the main reason for writing this post. This information will come useful if you are getting ready or already started to deploy Exchange 2013, I’ll try to keep it simple and write this down as a list of things to consider so this will be rather easy to all.

  1. If you followed my post about how to prevent Outlook Anywhere from being configured and removed the EXPR outlook provider, start with restoring it. Run the following powershell command to restore it:
    New-OutlookProvider -Name:EXPR
  2. If you’re using any additional methods to configure Outlook Clients or Outlook Anywhere like, static XML files, Registry settings or Group Policy settings make sure to revise or even remove them. See also http://support.microsoft.com/kb/2212902
  3. Pay attention to publishing guides for Exchange 2013 – see Publishing Exchange Server 2013 using TMG and also Exchange 2013 Client Access Server Configuration
  4. When enabling Outlook Anywhere on Exchange 2013 notice the following:
    1. Retain the current External authentication method (Basic,NTLM) your internal authentication method should always be NTLM.
      Get-OutlookAnywhere –Server (hostname) | Set-OutlookAnywhere -InternalHostname "mail.u-btech.com" -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -ExternalHostname "mail.u-btech.com" -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $true -IISAuthenticationMethods NTLM,Basic -ssloffloading:$false
    2. Enable NTLM on the IIS /rpc directory of your Exchange 2007/2010 servers
      Get-OutlookAnywhere | ?{ $_.AdminDisplayVersion -notlike "Version 15.*"} | Set-OutlookAnywhere -IISAuthenticationMethods NTLM,Basic
  5. Plan the CertPrincipalName value you will use, that is the certificate Subject Name that your clients will use to populate the msstd:server.domain.com value – both internally and externally (reminding you to see the note above). My personal best practice is to use the same Subject Name on the certificate you will use on your External TMG/UAG/Juniper/F5 reverse proxy and your internal server or servers.
    Once you are aware of this value you can configure your Outlook Provider accordingly (you can refer to this post for more information on the subject).
  6. If you installed a wildcard certificate on your Exchange 2013 server – you must perform the following:
    1. Update your EXPR setting – Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.company.com
    2. Update your EXCH setting (yes!) – Set-OutlookProvider EXCH -CertPrincipalName msstd:mail.company.com
  7. Don’t freak out when you see Exchange 2013 “new” server name – it’s value is actually the Mailbox GUID value, and will be unique for all users. This means that – you must use the Autodiscover wizard to configure outlooks from now on, Email, password and click next.
    If you have full mailbox access to a different mailbox – that’s great- just type it’s email address and enter whatever you want for password. (will work only inside the LAN…)
  8. Don’t forget to update your Outlook clients – or else they will not connect to Exchange 2013 – see Exchange 2013 System Requirements for the exact information.

That’s it for now, while deployments continue I will update this topic with new “gotchas”.

Hope this helps anyone out there.
Ilantz

Posted in Exchange 2013 | 36 Comments

Missing Microsoft-Server-ActiveSync and OMA virtual directories in IIS and Active Directory with Exchange 2003

Hi Again,

I’ve encountered a situation today with an Exchange 2003 to 2010 migration, The Exchange 2003 Back-End server was missing the virtual directories in IIS, but this issue had an interesting twist … both vdirs were missing also in the Active Directory !

Missing or corrupt virtual directories with Exchange are common and can be easily solved with KB 883380 – How to reset the default virtual directories that are required to provide Outlook Web Access, Exchange ActiveSync, and Outlook Mobile Access services in Exchange Server 2003

Exchange Server setup creates each virtual directory in the AD forest configuration partition under services, microsoft Exchange, administrative groups, administration group name, server name, protocols, http, virtual server name (usually 1).

In this case, both ActiveSync and OMA virtual directories were missing from Active Directory and as a result were also missing from the System Manager MMC, so performing a Repair Setup or the Reset virtual directories method will render useless.. both will not write anything new to the AD.. we had to re-create the two virtual directories both in AD and the IIS, so using System Manager, we try to create a new virtual directory, but the ActiveSync and OMA is greyed out !

Microsoft-Server-ActiveSync and  OMA Missing From Active Directory

Creating New Virtual Directory With System Manager Grayed out

With some searching I’ve reached a solution that worked perfectly (dated back to 2007 from the Microsoft Exchange newsgroup), this will enable the options within the System Manager and allow us to re-create the virtual directories and restore order :)

1. Using ADSIEDIT locate the Exchange 2003 server container – services, microsoft Exchange, administrative groups, administration group name and right click the server name to open it’s properties.
2. Locate the Heuristics attribute and note the current value (just in-case…) our value in this case was 805310468.
4. Change the value to 270012416 , click apply and ok.
5. Refresh the Exchange System Manager or close and re-open it.
6. Now, locate the server name within the tree, expend it, expend protocols, expend HTTP, expend the virtual server name and right click to create a new Virtual Directory. You should now be able to recreate the Microsoft-Server-ActiveSync and OMA virtual directory.

Note - This will also reset your RPC over HTTP and other “server specific” settings that you configured on the server using the System Manager GUI. so make sure to note all configurations under the server properties page and re-enable any changes after setting the value.

Credits – http://microsoft.newsgroups.archived.at/public.exchange.setup/200702/07021815421.html

I hope this helps anyone struggling with this,

Ilantz

Posted in Exchange 2003, Exchange 2010 | Leave a comment

The action cannot be completed error using Outlook – Exchange 2010 or Office 365

Hi,

Quick note from the field, if you are moving to Exchange Online / Office 365 you should double check your current office group-policy settings and registry for Outlook.

You should make sure that you did not enable the Closest GC setting, or configured a specific global catalog server with the DS Server registry entries under HKEY_CURRENT_USER\Software\Microsoft\Exchange\Exchange Provider

Both registry values, errors and methods for resolution are located at:

http://support.microsoft.com/kb/2507626 – Error in Outlook: “The action cannot be completed. The Bookmark is not valid”

http://support.microsoft.com/kb/319206 – How to configure Outlook to a specific global catalog server or to the closest global catalog server

And if we are on the subject, it’s also a good practice to make sure the following when moving to Office 365:

  • You do not have Autodiscover related registry settings also – http://support.microsoft.com/kb/2212902 – Unexpected Autodiscover behavior when you have registry settings under the \Autodiscover key
  • Make sure that the “Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server” option under account settings of the Outlook Profile is indeed selected. Office 365 is restricting clients to encrypt MAPI traffic – see the following KB for additional information (originally written for Exchange 2010 RTM) - http://support.microsoft.com/kb/2006508

ilantz

Posted in Exchange 2010, Exchange 2013, Group Policy, Office 365, Outlook / MAPI | Leave a comment