Thursday, December 13, 2012

The target mail user doesn't have an SMTP ddress that matches the target delivery domain

I recently came across the error in the image above when trying to move mailboxes from an on-premise hybrid server to Office365.

Why would this happen? 

Configure your hybrid servers before you configure dirsync. During the hybrid configuration wizard , the wizard creates a sub domain  '' 

Now that the target delivery domain has been created by the Hybrid Wizard, We can run the DirSync configuration wizard. Select enable 'hybrid configuration'  so once the wizard can see the target delivery domain it will add the to the proxyaddress attribute in Active Directory for each user account.

So now when you try to run a remote move request, it will complete without issue.

Tuesday, November 27, 2012

ADFS Farm Highly Available between geographical sites

I am working on a project now moving 700 users to Exchange Online. I am implementing single sign on via an ADFS Farm and DirSync.

Not every organisation has load balancers or the even the ability to load balance external DNS.

A very important factor that needs to be taken into consideration is this. If the Microsoft Online Services federation gateway cannot communicate with a customers on premise active directory then users are not getting their email , lync or sharepoint. 

Email will still flow, but the users will think the service is down. So because of this it is always a good idea to have some high availability with the ADFS farm.

So I came across a company called Cloudfloor DNS .Cloudfloor provide the ability to loadbalance the traffic via round robin or active passive to my adfs proxy servers.It is quite a simple service but a lifesaver in the event of one site going down and all users not being able to use their Microsoft online services.

Cloudfloor can also do geographical dns based rules. This could be very useful in a gloabl lync or exchange deployment. Australian traffic goes to australian exchange servers and lync servers etc.... etc...

To set it up takes 5 minutes and works perfectly when tested. 

Friday, November 23, 2012

Publish CRM2011 IFD via TMG 2010

I recently had to publish Microsoft Dynamics CRM2011 with claims based authentication and internet facing domains.

So to set this up within the lan , HERE is an excellent blog on how to setup the configurations on CRM 2011 and ADFS within your LAN. So the purpose of this blog posting is to show people how to securely publish CRM 2011 via TMG.

In terms of best practice , it is never a good idea to punch a hole through a corporate firewall to a service running on a server on a LAN. I am surprised Microsoft are discontinuing their Forefront TMG Servers on December 15th. Microsoft will continue to support TMG but wont be selling it anymore from December 15th 2012.

TMG 2010 needs to be patched in a certain order.

So the image below describes the required topology for CRM 2011 IFD via TMG and I will outline the steps needed to implement this and get it working as there are quite a few things left out of the official Microsoft documentation.

Create WebListener

So as per the image above we would need to add the IP's & to the external nic on the tmg server.During the creation of the web listener when the external network is created we click the radio button and add the dmz ips we added earlier on as per the image below.

The next section in the web listener creation is very important. Select the SSL Certificate for each of the DMZ ips we added in the previous component of the web listener creation.
Ok so we have the web listener created , now is time to get all the rest of the dependencies in place before we can quickly create the web publishing rules.

Disable ADFS Server Loopback Check

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.

DMZ to LAN & LAN to DMZ Routing

The next thing to take into account is the routes from the TMG Server to the LAN and from the LAN to the DMZ. In the diagram above it is a very basic small network. But most companies can have multiple subnets.

So lets say the the internal adfs server is , To enable TMG to route traffic to this server we would need to add a network routing rule as per the image below.

We will also need to add the extra subnet to the internal network as per the image below

Nearly done! We may also need to add a static persistent route to the ADFS & CRM Server so it can then get back to the TMG Server.

External / Internal DNS Records  points to adfs server points to crm server points to crm server points to crm server

Creating Web Publishing Rules

Ok so now we will create one rule for the crm server first.

Publish a Website
Enter the IP address of the CRM Server

Leave the defaults and click next
Enter the public name
Select the web listener
Leave at defaults and click next
Leave at defaults and click next

So when the rule is created, You need to right click on the rule and select "configure http"

And then untick  "Verify normalization" & " Block high bit characters"

Remaining Rules

There are 2 more rules for CRM. So we simply copy and paste the rule we just created and edit the 'to' tab and 'public name' tab and add in and

We copy and paste the rule again for adfs except as well as editing the to & public name tab we will also edit the computer ip and change it to so that traffic for this rule is directed to the adfs server.

ADFS Login Page

Here is a great blog post on how to customise the ADFS login page to include a corporate logo. 

My thanks to Paul Mc Guinness who helped me get this working :) 

Thursday, October 25, 2012

Exchange 2013 Storage, High Availability and Site Resilience

Here is an excellent slide on Exchange 2013 Storage, High Availability and Site Resilience.

Some of the key features are as follows.

Passive copy DB on 2013 consumes 50% of the iops of the iops required for an active copy.

Autoreseed - Can use spare disks. Periodically scan for failed and suspended copies, check pre-requisites,allocate remap a spare, start the seed, verify health, alert admin about failed disk.

Data Center Failover can be automated.

Office 365 Support for Windows Server 2012

I recently installed an ADFS Server farm on Windows Server 2012 but when I tried to federate to Office365 via the Microsoft Onlien Services Powershell Module it would not work!

The reason for the error is that in ADFS 2012 the cmdlets are surfaced by a module instead of a snapin, and the MSOnline cmdlets are hardcoded to load the old snapin which was available in ADFS 2.0. You can work around this issue by creating your own reference in the registry to the ADFS module as a snapin.

To do so, copy and paste the items below into notepad and save them as a .reg file and then execute.

Windows Registry Editor Version 5.00

"AssemblyName"="Microsoft.IdentityServer.PowerShell, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
"Description"="This powershell snap-in contains cmdlets used to manage Microsoft Identity Server resources."

You can now use Windows Server 2012 for Single Sign on to Office365 :)

Please note :  This solution is not supported by Microsoft. It is my understanding that a new Microsoft online services powershell module will be available for download when the new Office365 is generally available in Q1 of next year.

Wednesday, October 10, 2012

Office365 MCITP Training Resource 70-321,70-323

To obtain and Office365 MCITP , You need to pass the following 2 exams.

Exam 70-321: Deploying Office365
Exam 70-323: Administrating Office365

There is plenty of documentation from Microsoft describing the different modular components of Office365 , I always keep them on my laptop or Skydrive as I can easily access them to refresh my memory on all the different components. When all of the documentation is together , it amounts to quite a lot and could be confusing as to where to start to studying for the Office365 MCITP.

So I thought I would post this blog with the most relevant resources to help people pass the exam and better understand Office365.
Office 365 PDF eBook: Microsoft Office 365: Connect and Collaborate Virtually Anywhere, Anytime

Office 365 for Enterprise : Service Description

70-321 /323 Jumpstart Videos 

Collection 10954: 70-323: Administering Office 365 (e learning course)

Office 365 for the IT Pro - Exchange Online Microsoft Virtual Academy

Office 365 for the IT Pro - Exchange Online Virtual Academy

Office 365 for the IT Pro - Lync Online, SharePoint Online & Deployment Virtual Academy

Office 365 for the IT Pro - Platform Virtual Academy

I have found the Jumpstart videos and the virtual academy to be the best. Also if you have an opportunity to setup an Exchange Hybrid in a lab it will really help.

Tuesday, September 25, 2012

Troubleshooting Outlook Connectivity


Microsoft have released an excellent utility called the Outlook Connectivity Analyzer which you can download HERE
The Outlook Configuration Analyzer Tool 2.0 provides a detailed report of your current Outlook profile and mailbox. This report includes many parameters about your profile, and it highlights any known problems that are found in your profile or mailbox. For any problems that are listed in the report, you are provided a link to a Microsoft Knowledge Base (KB) article that describes a possible fix for the problem. If you are a Help Desk professional, you can also export the report to a file. Then, the report can be viewed in the Outlook Configuration Analyzer Tool on another client computer where the tool is installed. The Outlook Configuration Analyzer Tool 2.0 also includes a command-line version that can be used to collect an OCAT scan without user intervention.
This tool can be used via command line without user intervention. Now this is really useful. Some users are too busy for the IT guy to run a report on their pc and use up their valuable time.
The tool can be used for mailboxes connected to Exchange on-premise or Office365.

A user can send you the xml file which was output from their own report which can then be viewed by importing into your own local copy of this tool.

A lot of the times Outlook Add-Ins can cause problems and for an engineer that is supporting Exchange on a regular basis it becomes easy to spot the culprit add in.

It also picks up hotfixes which are not available in Windows update , like this one KB2598374 which fixes quite a few issues.


Thursday, September 20, 2012

Enabling serialized hyper-v virtual machine backups in dpm

Here is an excellent blog posting by Matthew Hodgkins describing with screen shots on how to enable serialized hyper-v virtual machine backups in dpm.

So I would say follow Matthew's Blog article , However I would make one slight change.

Copy the text below and save is as a .bat file and schedule the task to run the .bat file.

powershell "& {set-executionpolicy -executionPolicy bypass -force}" 

powershell "& "C:\Datascripts\ListVMsOnClusterForDPM.ps1"

Enabling serialized backups will prevent the following DPM error occurring.

Failed to prepare a Cluster Shared Volume (CSV) for backup as another backup using the same CSV is in progress. (ID 32612 Details: Back up is in progress. Please wait for backup completion before trying this operation again (0x8007173D))

Tuesday, September 18, 2012

Scheduling DPM Reports fails

I  ran into a problem today where I could not schedule reports to be emailed to recipients even though all the  smtp server details were entered correctly and when I send a test message , it is received ok.

So the problem was happening when I enter an email recipient for a scheduled report I was getting the error message below.

So the fix is quite simple. Launch SQL Reporting Configuration Wizard and connect to the MSDPM2010 instance.

Then enter the email server settings as per the image below.

Now when you add an email recipient for a scheduled report, you will not receive an error message anymore.

Microsoft Online Services € Pricing

I can never remember the pricing on all the different products , So here they are as a point of reference. These prices are subject to change by Microsoft and can change based on user quantities.

Microsoft Online Services (Per User/Per Month) Qty Unit Cost
Microsoft Exchange Online P1 1 €3.57
Microsoft Exchange Online P2 1 €7.25
Microsoft Exchange Online Kiosk 1 €1.79
Microsoft Exchange Online Archiving 1 €2.68
Dynamics CRM Online 1 €40.25
Microsoft Lync Online P1 1 €1.79
Microsoft Lync Online P2 1 €5.00
Microsoft Sharepoint Online P1 1 €3.57
Microsoft Sharepoint Online P2 1 €7.25
Microsoft Office365 P1 1 €5.25
Microsoft Office365 E1 1 €7.25
Microsoft Office365 E2 1 €12.50
Microsoft Office365 E3 1 €19.00
Microsoft Office365 E4 1 €20.75

Thursday, September 13, 2012

Exchange Online for Enterprise

Office365 for small businesses is a great fit, it just makes sense. A small business doesn't have the budget for large amounts of storage and infrastructure refreshes. So for a small monthly fee which can go up or down ,small business can use Office365

I don't mean to sound like a Microsoft salesman here but recently when I was drawing some Visio diagrams for a customer proposal it dawned on me that it does make sense for enterprise customers and I will explain why.

One of the big stumbling blocks for enterprise customers , is the monthly recurring costs.

For example 2000 users on an Exchange P1 plan would cost €7140.00 per month or €85,680 per annum. So any financial controller looking at this will say no way!!!!!!!!!!!!

However nearly all enterprise customers have Microsoft Enterprise Agreements. I am increasingly surprised at how enterprise customers don't understand the benefits of an EA. There are many benefits but I am just going to list some relevant to Exchange Online.

  • Microsoft Planning Service Days: Microsoft can help transition to cloud services through and existing EA Agreement.
  • Exchange Core Cal: If you have an Exchange Core Cal , this covers you for an on premise exchange cal and exchange online cal
The image below shows a brief example diagram of a 2000 user company in different geographical locations and using on-premise exchange 2010.

So lets look at some of the costs associated with maintaining and running this on=premise solution.

Item  Cost
Wan Links  Possibly 60k per annum for the 3 sites
Storage How much would the storage cost for 25gb * 2000 users cost. Storage refresh after 3 years may cost 300k
Power Consumption Most likely the exchange server will be running on a virtualisation platform. A rough guess for all 3 sites 50k per annum.
Hardware Vendor Support On the Sans and virtualisation hosts , roughly 30k over 3 years
Mail Hygiene Potentially 50k per annum
Hardware Deprecation New hardware becomes old the minute it is delivered to site.
Exchange Admin Staff Cost Possibly 100k per annum
Exchange 2013 How much would it cost to upgrade this entire organisation to Exchange 2013…..
Backup Software  Possibly 10k per annum
Backup Hardware Hardware refresh after 3 years possibly 100k

So all of the above cost and infrastructure could become like the image below.

So now it starts to make sense, and enterprise customers are licensed to do this right now and probably don't even realise it!

Exchange Online Features & Pricing

Sunday, July 8, 2012

How to federate existing Office365 users

The most common scenario for federating users that are already using Office365 is when users have transitioned from BPOS to Office 365. The customer/company was waiting to use this excellent feature of Office365 and wanted to implement it once they had transitioned from BPOS to Office365

So in this scenario I will describe how it could be done for 200 users but the same steps apply for any amount of users.

So the first thing to do is to add in a new upn for users. If the customer had an internal domain of contoso.local we will need to add in a new upn of To add the new UPN in , you browse to Active Directory Domains and Trusts and right click on the Active Directory Domains and Trusts icon and select properties and add the new UPN as per the image below.

In this particular scenario , there was no no onpremise exchange , so no email address fields were populated. So we need to modify all user's UPN and add in their email addresses before we implement Directory Sync because DirSync matches the onpremise AD users with the existing Office365 users by their primary SMTP address. This is described in Microsoft KB 2641663

So we use ADMODIFY from Codeplex. You can download it HERE
Download ADMODIFY , Extract the package, Launch Admodify , Connect to AD and select a domain controller.

So firstly we will select all the users we need to modify..Then click add to list and select all and we can now easily modify all the users.

So firstly we will modify all users UPN. All existing users in Office365 have an email address policy of firstname.lastname. So when selecting the UPN tab I enter this variable switch in LegacyAccount tab %'givenname'%.%'sn'% as per the image below.

When we hit apply on the UPN Change , We will need to select all the users again and then go to the email tab we need to enter this string in the add smtp address as per the image below %'givenname'%.%'sn'

So by adding in this address , admodfy has placed the primary email address on the general tab and updated the required Active Directory proxyAddresses attribute as per the Microsoft KB 2641663 mentioned earlier.

So now we are ready for Dirsync, So when Dirsync runs it will match the active directory user objects with the existing Office365 user accounts and both the Office365 and Active Directory users will have the same immutable ids. To verify the Office365 user's immutable ID you can run the powershell command in the Microsoft Online Services Powershell module and output the query to a text file.

Get-MsolUser -all where {$_.isLicensed -eq $true} select-object userprincipalname,immutableid out-file c:\users.txt

The next step then is to federate the domain , this can be done using the Microsoft Online Services Powershell module on the primary adfs server

winrm quickconfig
Connect-MsolService –Credential $cred
Set-MsolAdfscontext -Computer adfsprimary.contoso.local

So what affect does this have on users?

All user's domain logins remain the same as when we were modifying UPN's we didnt alter the (pre-Windows 2000) value.

Outlook will prompt for a user name and password so the user will enter , their ad passord and remember credentials.

Smartphone user names will be the user's priamry email address followed by the users active directory password.

Within the domain via group policy the service name of the adfs farm will be published to each users internet explorer intranet zone which will allow single sign on to the Office 365 portal and Sharepoint.

Lync will auto sign in provided the sign in assistant is installed.

One last thing , dont forget to apply Rollup2 for ADFS 2.0

And also the Exchange Remote Connectivity Analyzer can also troubleshoot Single Sign On as well as ActiveSync and Auto Discover

Saturday, June 23, 2012

Exchange 2010 Management Shell will not open.

I recently had a problem on a customer site that had dag in another DR site.So the DR site had one cas/hub server and 2 mailbox servers.

Powershell is crucial for DAG as everything done in the exchange management console is essentially sending through powershell commands.So when I was opening up the exchange management shell i was getting this error.

"Connecting to remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic."

So when i connected to exchange management shell the error message above would display and then the management shell would connect to the cas/hub server.So if I wanted to run any DAG related powershell commands I couldnt because the cas/hub servers didnt have the mailbox role. So i did a lot of research on the internet and tried everything like:

  • Running winrm quickconfig
  • Adding in the winrm iis listener feature
  • Checking iis bindings

I then came across a blog posting whereby adding and removing the wsman and kerbauth modules in the powershell site in iis.So when i clicked on add-module I got the error displayed in the image below.

So to fix it I copied the webconfig file from another mailbox server that had the exchange management shell working fine and replaced the webconfig file on the troublesome mailbox servers and the powershell worked fine.