Wednesday, June 19, 2013

Quest on Demand Email Migration to Office365

I do not mean to sound like a Quest salesman, but this product from Quest truly is a super product.

It allows you to migrate email from the following sources.

Microsoft Exchange 2000/2003/2007/2010
Lotus Notes
Microsoft BPOS
Microsoft Live@edu
Microsoft Office365
Novell GroupWise
Sun ONE / iPlanet
Windows Live Hotmail

You can then migrate to the following targets:

Microsoft Exchange 2010/2013
Microsoft Live@edu

So why would you use this service?

A couple of reasons. It is hosted in Windows Azure and allows for zero-touch migrations. Exchange 2007 messaging platforms and upwards give us the ability to implement hybrid environments, which creates a platform that allows rich co-existence and migration.

It's a hell of a lot cheaper than the full email migration products from Quest.

It can migrate from Lotus Notes!!!

I have worked with quite a few corporate companies that acquire other companies. Extracting the email from the acquired business first, before an AD consolidation project, makes the AD consolidation project a lot easier, and a tool like this allows zero-touch email extraction into a company's own on-premise Exchange messaging environment or into my preferred platform, Office365.

I have taken some screenshots of how easy the wizard is to use to begin a migration. In this example I wanted to migrate from Exchange 2010 to Office365 wave 15. So before I did that, I created an application impersonation role in the Exchange 2010 on-premise environment and one in the Office365 environment.

After that we sign into the Quest On Demand Portal.

Then agree to the service agreement and select your data center location.

Then create a Migration Plan. There are four simple steps.

  1. Connect to the email services
  2. Import Mailboxes
  3. Choose what to migrate
  4. Migrate

On the connections tab you connect to the source Exchange 2010 messaging platform and enter the credentials of an account that has the application impersonation role. There is a test connection button to verify connectivity.

Then you connect to the target, in this case Office365. You will need to add an Exchange license to the Office365 account in order to make it a member of the application impersonation group. Microsoft throttle the amount of data that can be migrated into Office365, so you can add multiple accounts for the target to increase migration throughput.
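The impersonation role mentioned above is what lets the migration accounts read every mailbox, so it is worth granting it narrowly. The following is an added example, not code from the post or from Quest: it assigns ApplicationImpersonation to several migration accounts (which also spreads the Office365 throttling) but scopes it to the mailboxes being migrated. The scope name, the filter attribute and the account names are assumptions.

```powershell
# Added example, not from the post or from Quest. Grants ApplicationImpersonation to the
# migration accounts but scopes it to the mailboxes being migrated instead of every mailbox.
# Scope name, filter attribute and account names are assumptions; adjust to the environment.
# On-premise: run in the Exchange 2010 Management Shell.
# Office365: connect first with the remote PowerShell endpoint that was used in 2013:
#   $cred = Get-Credential
#   $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell/' `
#          -Credential $cred -Authentication Basic -AllowRedirection
#   Import-PSSession $s -DisableNameChecking

$scopeName = 'Migration-AcquiredCo'
$migrationAccounts = 'migsvc01', 'migsvc02', 'migsvc03'   # several target accounts spread the throttling

# Only mailboxes tagged for this migration (assumed: CustomAttribute1 set to 'AcquiredCo')
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter { (RecipientTypeDetails -eq 'UserMailbox') -and (CustomAttribute1 -eq 'AcquiredCo') }

foreach ($acct in $migrationAccounts) {
    New-ManagementRoleAssignment -Name "Impersonation-$acct" -Role 'ApplicationImpersonation' `
        -User $acct -CustomRecipientWriteScope $scopeName
}

# Review what is now granted; assignments with an empty CustomRecipientWriteScope apply to every mailbox
Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope -AutoSize

# After the migration, remove the assignments and the scope again
# Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' |
#     Where-Object { $_.Name -like 'Impersonation-*' } | Remove-ManagementRoleAssignment -Confirm:$false
# Remove-ManagementScope -Identity $scopeName -Confirm:$false
```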

In section 2 you specify the source and target mailboxes, which are populated from a simple text file.
You then select what to migrate.

Finally you begin migration.

And once all the mail has been extracted from the business and the AD consolidation project has been completed, you can refer to one of my previous blogs on how to convert existing Office365 users to federated users.

Monday, June 17, 2013

Error adding second ADFS server with UCC cert

I recently tried to add a second ADFS server to an ADFS farm and got the error message above. I was using a UCC cert which had the ADFS service name in it.

So to fix it you add the second server via the command line. A typical command would be as follows.

FsConfig.exe JoinFarm /PrimaryComputerName ADFS-SRV /ServiceAccount Contoso\adfsservice /ServiceAccountPassword password /CertThumbprint "ef 72 a6 78 c0 ab 4a bf 07 10 7e e4 86 f5 5e ba 2a 3c 99 6b"

And the output from the command will be as per the image below.


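Since the wizard problem above was about a UCC cert that carries the ADFS service name among several names, here is an added example (not from the post) that finds the right certificate in the machine store before running FsConfig.exe: it looks for the federation service name in the Subject Alternative Name, checks that the private key is present and the cert has not expired, and prints the thumbprint in the spaced form the command above uses. The service name is an assumption.

```powershell
# Added example, not from the post. Picks the certificate for FsConfig.exe /CertThumbprint
# by federation service name in the SAN, and checks private key and expiry.
$federationServiceName = 'adfs.contoso.com'    # assumption: your ADFS service name

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    # Format($false) renders the SAN as 'DNS Name=a.contoso.com, DNS Name=b.contoso.com'
    $san -and ($san.Format($false) -match "DNS Name=$([regex]::Escape($federationServiceName))(,|$)")
}
if (-not $candidates) {
    throw "No certificate in LocalMachine\My lists $federationServiceName in its SAN; import the UCC cert (PFX) on this server first."
}

foreach ($cert in $candidates) {
    $status = if (-not $cert.HasPrivateKey)        { 'NO PRIVATE KEY: import the PFX, not just the .cer' }
              elseif ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
              else                                   { 'usable' }
    # Thumbprint as 'ef 72 a6 ...', the spaced form used in the FsConfig command in this post
    $spaced = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
    '{0}  {1}  expires {2:yyyy-MM-dd}  [{3}]' -f $spaced, $cert.Subject, $cert.NotAfter, $status
}

# The one to pass to /CertThumbprint; every ADFS server in the farm must hold the same cert and key
$usable = $candidates | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
if ($usable) { "Use /CertThumbprint `"$(($usable.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower())`"" }
```

The service account password still goes on the FsConfig command line, so clear the console history afterwards rather than leaving it in a script.
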
Sunday, June 2, 2013

Windows Azure Active Directory Sync Tool

The Windows Azure Active Directory Sync tool has a new feature: 'Password Synchronization'.

This is a really neat feature and will meet the needs of most businesses that need to synchronize identities to Office365. Setting up ADFS farms is often overkill for small businesses, as to do it properly you need a minimum of 4 servers: two ADFS proxy servers and two ADFS LAN servers, each pair in a different site for redundancy and high availability.

Now with password synchronization you only need one server, or you can install the DirSync service onto an existing server. So how do we configure password synchronization?

  1. Create a DirSync service account and add the account to the 'FIMSyncAdmins' group on the server where you plan to install the service.
  2. Create this shortcut on the desktop: "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"
  3. Then, as per the image below, right click on 'Active Directory Connector', 'Configure Directory Partitions' and then 'Containers', and select the OUs that you want to synchronize.

So that is how to set up password synchronization. You need an ADFS farm if you want Single Sign-On, but single sign-on is only for web services like 


So if a customer is going with only Exchange Online then this can be set up very quickly and passwords will be synced.

Now one more thing: after you reboot, the 'Forefront Identity Manager Synchronization Service' won't start! The way you get around this is as follows.

  1. Create an OU and add the DirSync server into that OU.
  2. Add the DirSync server to that OU.
  3. In GPO Management, block inheritance on the OU.
  4. Create a group policy object as follows. Navigate to 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment'.
  5. Locate "Log on as a service" and add the service account for the synchronization engine, which will typically be named something like 'AAD_95a9bb5e2ba4'.
  6. Link the GPO to the OU previously created and enforce the policy.
  7. Log on to the DirSync server and run gpupdate /force.
  8. Log off.
  9. Log on.
  10. Start the service.
  11. Or you could simply use gpedit.msc and edit the local policy on the machine.
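Before rebuilding GPOs it helps to confirm that a lost "Log on as a service" right really is why the service won't start. The following added example (not from the post) reads the account the 'Forefront Identity Manager Synchronization Service' runs as, exports the effective user-rights policy with secedit, and reports whether that account still holds SeServiceLogonRight. Run it elevated on the DirSync server; the 'AAD_...' account name is whatever the installer created.

```powershell
# Added example, not from the post. Checks whether the FIM Synchronization Service account
# still holds "Log on as a service" (SeServiceLogonRight) in the effective local policy.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='Forefront Identity Manager Synchronization Service'"
if (-not $svc) { throw 'Forefront Identity Manager Synchronization Service is not installed on this machine.' }

# Local accounts are stored as '.\AAD_xxxx'; qualify with the computer name so the SID lookup works
$account    = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$accountSid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user-rights assignments (what the GPOs actually left behind)
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# Right-hand side looks like '*S-1-5-80-...,*S-1-5-21-...-1001' (SIDs prefixed with '*') or account names
$holders = @()
if ($line) { $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }

$hasRight = $holders | Where-Object {
    if ($_ -like 'S-1-*') { $_ -eq $accountSid }
    else {
        try { (New-Object System.Security.Principal.NTAccount($_)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value -eq $accountSid }
        catch { $false }
    }
}

"Service account: $account ($accountSid)"
"Service state:   $($svc.State)"
if ($hasRight) { 'SeServiceLogonRight: present. Look elsewhere (account password, disabled account, service dependencies).' }
else { 'SeServiceLogonRight: MISSING. A GPO has overwritten "Log on as a service"; re-add the account (GPO or gpedit.msc) and run gpupdate /force.' }
```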

At the time of writing this post, the version of the Windows Azure Directory Sync tool was Forefront Identity Manager 2010 R2, version 4.1.3451.0.