Monday, April 29, 2013

Exchange Hybrid GAL not populating

As per one of my previous posts HERE on how to edit Active Directory attributes: when DirSync is enabled it won't populate the GAL with Exchange Online and Exchange on-premise.

Let's say my email address is 

You need to populate some AD attributes.

Proxy Address: &
Target Address:

So after those attributes have been synced via DirSync, run this PowerShell command in the Exchange Management Shell:

Enable-RemoteMailbox -RemoteRoutingAddress

So once this is done all you need to do is apply a license and usage location to

And then the GAL will be populated between Exchange On premise and Exchange online.

Friday, April 26, 2013

An encrypted connection to your mail server is not available

I have been working on a Hybrid Exchange project recently, and when I was using my own laptop on my customer's domain I could connect to a test Exchange Online mailbox without any issues.

But any machine on their network could not connect via autodiscover to an Exchange Online mailbox. So a couple of points to note.

When running an Exchange hybrid, the '' will point at your hybrid servers, and when the Outlook client hits the hybrid server the client will be directed to the correct mailbox location by the hybrid server.

So our good friend the Exchange Remote Connectivity Analyzer can perform a test on both an on prem exchange mailbox and an office365 mailbox and when the outlook client hits the the outlook client gets routed to the correct mailbox. But in the case of an exchange online mailbox , http redirection occurs until it reaches the exchange online autodiscover.xml which for example could be

Another test we can do is to run the 'Test Email AutoConfiguration' tool in Outlook as per the image below. There are quite a few redirects until Outlook finds the correct Exchange Online mailbox.

So in my particular scenario my Outlook could connect fine but domain-joined laptops could not, and this was because of a group policy, displayed below, which was blocking the HTTP redirects required to connect to the Exchange Online mailbox.

So how to fix this? Firstly remove the group policy, and secondly you can edit 4 registry settings as follows, and as per the image below, in HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\AutoDiscover

ExcludeHttpRedirect 0
ExcludeHttpsAutoDiscoverDomain 0
ExcludeHttpsRootDomain 0
ExcludeSrvRecord 0

So now all your Outlook clients in Hybrid mode will be able to connect via autodiscover.
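
To check a client before and after the change, the following added example (not part of the original post) reports the four values in the user key from the post and in the matching Policies key, then offers a function to set the user values to 0. The Policies path is where the Office Group Policy templates write these values and is assumed to be how the policy in the post was applied; the function and variable names are hypothetical.

```powershell
# Added example: audit the four Autodiscover values for the current user.
# Assumes Outlook 2010 (Office 14.0), as in the post.
$names = 'ExcludeHttpRedirect', 'ExcludeHttpsAutoDiscoverDomain',
         'ExcludeHttpsRootDomain', 'ExcludeSrvRecord'
$keys = @{
    # Per-user key given in the post
    User   = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\AutoDiscover'
    # Assumption: key written by the Group Policy that blocked the redirects
    Policy = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\AutoDiscover'
}

function Get-AutodiscoverExclusion {
    foreach ($scope in 'Policy', 'User') {
        $props = $null
        if (Test-Path $keys[$scope]) { $props = Get-ItemProperty -Path $keys[$scope] }
        foreach ($name in $names) {
            $value = $null
            if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }
            New-Object psobject -Property @{
                Scope  = $scope
                Name   = $name
                Value  = $value                                  # empty = not set
                Blocks = ($null -ne $value -and $value -ne 0)    # non-zero skips that lookup
            }
        }
    }
}

function Reset-AutodiscoverExclusion {
    # Writes 0 to the four values in the user key; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $keys.User)) { New-Item -Path $keys.User -Force | Out-Null }
    foreach ($name in $names) {
        Set-ItemProperty -Path $keys.User -Name $name -Value 0 -Type DWord
    }
}

$report = Get-AutodiscoverExclusion
$report | Format-Table Scope, Name, Value, Blocks -AutoSize

# Values under the Policies key come back at the next policy refresh,
# so editing the user key alone does not help while the GPO still applies.
if ($report | Where-Object { $_.Scope -eq 'Policy' -and $_.Blocks }) {
    Write-Warning 'A policy value still excludes a lookup method; remove the GPO and run gpupdate.'
}
```

Run `Reset-AutodiscoverExclusion -WhatIf` first to see which values would be written.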

Tuesday, April 23, 2013

Exchange Hybrid Mailbox Migrations slow when using TMG

When using Exchange Online in Hybrid mode, if you want to have a unified global address list with Exchange Online users and on-premise users, then you need to create blank on-premise mailboxes for the users that you want to use Exchange Online and then create 'remote move requests' to move the on-premise mailboxes to Exchange Online.

During the move request , if you open the log you may see 'Relinquishing job because the mailbox is locked'

So in order to fix this and really speed up the remote move requests, we need to go to the intrusion prevention section of TMG and then Behavioral Detection\Configure Flood Mitigation Settings as per the image below.

We click on the link for Configure Flood Mitigation Settings, then click on 'IP Exceptions' and create a new computer set. In the image below I called it 'Exchange Online Protection' and added a computer set with the Exchange Online Protection range.

All of the Exchange Online Protection IP ranges can be found at this SITE 

You can subscribe via RSS feed HERE to the Microsoft Online IP Ranges 

So now Remote move requests will migrate a lot quicker :) 

Saturday, April 20, 2013

Migrating Lotus Notes users into an Exchange Hybrid

In this post I just wanted to highlight what Active Directory attributes need to change on a user account when you have an existing Exchange Hybrid and want to migrate Lotus Domino users into Exchange Online.

Primary Email Address:
Hybrid email Domain:

The existing users that have Exchange mailboxes will already have Exchange Active Directory attributes. So let's take a look at what happens when you migrate an on-premise Exchange mailbox to Exchange Online.

When you run dirsync , a proxy hybrid domain is created in the example above it is So when you initiate a 'new remote move request' and move an onprem user to the cloud the user becomes a mail contact and their routing email address becomes

So how do we populate the Active Directory users that have come into our Active Directory from Lotus Notes with the right attributes, so that when they sync with DirSync to Exchange Online they will have the correct PRIMARY email address and be able to co-exist with the on-premise users?

We use my good friend ADMODIFY to modify some key attributes

So in this example the default email address policy is

So we connect to our Active Directory via ADModify, select all the users or organisational units we want to modify and add them to the list. We then enter '%'givenname'%.%'sn'' on the email address tab.

So now that we have modified this attribute the user's primary email address will be '' when synced with dirsync.

We need to make sure the users have the correct UPN and this can be done by viewing one of my previous blogs HERE

We need to modify one more attribute, as these users will be in Exchange Online and will need to co-exist with the Exchange on-premise users. So as per the image below we enter the following syntax 'SMTP:%'givenname'%.%'sn'' in the 'targetAddress' attribute.

So the beauty of ADMODIFY is that you can modify thousands of users' attributes in a couple of minutes, and if something goes wrong it writes the config changes to an XML file. So you can quickly undo the changes you made if there were problems.

Let's say you don't want some users to sync to Exchange Online. You can filter them by which organisational unit gets synced, or you can use ADModify again to modify a custom attribute by entering 'nooffice365', as per the image below, in the 'extensionAttribute10' attribute.

OK, so now we have users in Exchange Online and we have no DirSync error notification emails. How do we mass activate them? Well, we run two PowerShell commands.

  1. We set the user's location; in this example the country is US.
    Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation US
  2. We assign the license.
    Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "":EXCHANGESTANDARD

Now we have populated our Active Directory with all the correct attributes that will enable co-existence and mass activated those users via PowerShell.

So now it's over to my choice of software for Lotus Notes migration.

I will post a step-by-step blog on setting up Quest NME next month. This post was to show people how to prep AD and Exchange Online for mass migration to Exchange Online where an existing hybrid was in place.

Quest NME will not populate the GAL, as the source directory will be Lotus Notes and the target directory Exchange Online. So to populate the GAL after you have made all the attribute changes above, run this command in the Exchange Management Shell:

Enable-RemoteMailbox -RemoteRoutingAddress

Wednesday, April 17, 2013

Microsoft Office Configuration Analyzer Tool 1.0

I previously blogged HERE about the Microsoft Outlook Connectivity Analyzer 2.0 which has now been replaced by the Microsoft Office Configuration Analyzer Tool 1.0 which you can download HERE

This tool can be really useful when troubleshooting connectivity issues like firewalls and proxies blocking access to Office365.

Thursday, April 4, 2013

Bulk activation of Office365 Users

When using DirSync and ADFS it can take a long time to activate thousands of users. So here is a really quick way of doing it.

Firstly, HERE is a great article on DirSync filtering. There are plenty of organisational units in Active Directory that do not need to be synchronised to Office365.

So I always filter the OUs that are synchronized to Office365.

Within the organisation section of the Office365 portal make your external domain which has been verified the default domain.

Ensure all users have the correct User Principal Names as per one of my previous BLOGS 

So once all the users have been synced to Office365, they need a license assigned to them.

So connect to Office365 via the Windows Active Directory Module for Windows PowerShell and do the following.

Connect-MsolService # and enter an Office365 Global Administrator's credentials.

Get-MsolAccountSku  # this will tell you what Office365 SKUs are available. For this example it will be EXCHANGESTANDARD

As all of the users are currently unlicensed, we will set a location for the users as per the command below, and the location will be US.

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUser -UsageLocation US

Then we will add a mailbox for all the users that were synced, and we can do so with the following command.

Get-MsolUser -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "Contoso:EXCHANGESTANDARD"

Now all the users have a mailbox and can start using Exchange Online :)
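
The two-command activation shown in this post and in the Lotus Notes post above can be wrapped so that it checks licence capacity first and records a result per user. This is an added example, not code from the original posts; the function name is hypothetical and it assumes Connect-MsolService has already been run. It also passes -All, because Get-MsolUser returns at most 500 users by default.

```powershell
# Added example: license unlicensed synced users with a capacity check.
function Add-LicenseToUnlicensedUsers {
    param(
        [string]$SkuPartNumber = 'EXCHANGESTANDARD',  # SKU used in the post
        [string]$UsageLocation = 'US',                # location used in the post
        [switch]$Apply                                # omit for a report-only run
    )

    # Read the full "<tenant>:<sku>" id from the tenant instead of typing it.
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }
    $free = [math]::Max(0, $sku.ActiveUnits - $sku.ConsumedUnits)

    # -All: without it only the first 500 users come back.
    $users = @(Get-MsolUser -UnlicensedUsersOnly -All)
    if ($users.Count -gt $free) {
        Write-Warning "$($users.Count) unlicensed users, $free free units; processing the first $free"
    }

    foreach ($u in @($users | Select-Object -First $free)) {
        $upn = $u.UserPrincipalName
        if (-not $Apply) {
            New-Object psobject -Property @{ User = $upn; Result = 'would license' }
            continue
        }
        try {
            # A licence cannot be assigned until the usage location is set.
            Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation -ErrorAction Stop
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId -ErrorAction Stop
            New-Object psobject -Property @{ User = $upn; Result = 'licensed' }
        }
        catch {
            New-Object psobject -Property @{ User = $upn; Result = "failed: $($_.Exception.Message)" }
        }
    }
}

# Report only, then apply and keep a record of what was changed.
Add-LicenseToUnlicensedUsers | Format-Table User, Result -AutoSize
# Add-LicenseToUnlicensedUsers -Apply | Export-Csv .\license-results.csv -NoTypeInformation
```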