Tuesday, February 7, 2017

New 100 GB mailbox limit currently being rolled-out to your tenant

In early December (2016) Microsoft announced that the default mailbox limits in Exchange Online would be raised to 100 GB, a massive increase from the 5 GB that we considered to be huge in the BPOS era. Who needs such a large mailbox? Well, we do now apparently.

image

While discussing this with my peers last week we noticed that most of us did not saw the change reflected in their tenants. Today I checked it again and saw that the new limits were applied to my mailboxes.

image

Note that the limits only change for mailboxes where the default limits were not updated. If you have set one of the three values to a non-default value, no changes were made automatically. Admins are able to change the values manually up to 100 GB.

Another thing to be aware of is that the new limits only apply to Exchange Online licenses that are purchased as part of an E3 or E5 subscription. If you’re purchasing Exchange Online as a separate SKU the old limit of 50 GB remains unchanged, the same applies for shared and resource mailboxes. For more information, see the Mailbox storage limits section in the Exchange Online Limits document on TechNet.

Monday, February 6, 2017

Fix for the Skype for Business hangs

The latest update for Office 2016 in Current Channel contains a fix for Skype for Business issue where the interface stops responding when the user has multiple IM windows open.

image

The build number is 7668.2074, my Office 365 ProPlus was still on a slightly older build so I had to start the update process manually.

image

For more information about the latest updates for Current, Deferred and First Release for Deferred, see Office 365 client update channel releases.

Thursday, January 26, 2017

A few notes on running Exchange in Microsoft Azure

Earlier this week Microsoft published a very interesting article: Exchange 2016 dev/test environment in Azure. I’m not a big fan of the how-to format of articles when the topic is around deployment because the guidance and specifics tend to change with later updates. There’s the risk of your article becoming obsolete sooner than planned.

The article contains an excellent real-world example of how to deploy a few virtual machines on Azure. I like how the author used PowerShell to configure the VM TCP/IP configuration and Install-ADDSForest to promote the server to domain controller.

image

Cool, let’s do this in production!

Although the article clearly states that the goal is the deploy Exchange for test and development, this article may spark new interest for people who would like to run Exchange in production too. The good news is that running Exchange in Azure is supported, but similar to running Exchange on other virtualization platforms some additional requirements must be met. The most significant requirement is actually mentioned in the article, in the section where storage is assigned for the Exchange VM:

image

This information can be found in the article Exchange 2016 virtualization as well:

Deployment of Exchange 2016 on Infrastructure-as-a-Service (IaaS) providers is supported if all supportability requirements are met. In the case of providers who are provisioning virtual machines, these requirements include ensuring that the hypervisor being used for Exchange virtual machines is fully supported, and that the infrastructure to be utilized by Exchange meets the performance requirements that were determined during the sizing process. Deployment on Microsoft Azure virtual machines is supported if all storage volumes used for Exchange databases and database transaction logs (including transport databases) are configured for Azure Premium Storage.

Running a single VM with the proper resources for Exchange 2016 24/7 in Azure is probably more expensive than you would think, with prices starting around € 500,- per month for the VM, two small premium storage disks and a Windows license.

While this falls outside of the scope of the article we’re discussing here, I would like to mention the requirement to use a smart host for outbound email delivery if you choose to run Exchange in Azure.

Make sure you do the math and understand the requirements before using this article as an alternative deployment plan for your next Exchange server. At this moment I am not aware of any organization running Exchange servers in Azure for production. If you are doing this, please reply in the comments.

But wait, there’s more

As I mentioned in my introduction Exchange installation how-to articles often contain wrong or obsolete information. Unfortunately that applies to this article too.

image

The latest version of Exchange, that’s actually great advice. Unfortunately the url https://go.microsoft.com/fwlink/p/?LinkId=747753 links to the download page for Exchange 2016 CU1. Not only is this version much older than the latest version, currently CU4, more importantly this version of Exchange is not even supported to run on Windows Server 2016. It was Exchange 2016 CU3 that introduced support for Windows Server 2016, although CU4 is recommended because a compatibility issue in Server 2016.

Exchange 2016 not supported for virtualization?

And while making some screenshots for this article I found another gem. On the page with the requirements for virtualization is this weird segment:

image

This is actually a left-over from the Exchange 2007 era, where this modernized virtualization policy was introduced. The requirement on that page was that Exchange 2007 SP1 was required and list of supported guest operating systems indicated that running a VM with Windows Server 2003 x64 was not supported.

With every new edition (2010, 2013, 2016) this page was copied without much changes. Instead of remove this no longer relevant section, the writers updated the section whit what they thought made sense. That’s what a VM running Exchange requires that it’s running Exchange 2010.

But I digress, back to Exchange 2016 now. The current version of this page does not include Windows Server 2016 as a supported operating system for running an Exchange 2016 VM. While this is obviously a mistake, technically speaking a virtualized Exchange 2016 server installed on Windows Server 2016 is currently not supported.

I found a doc error too, what should I do?

Shoot an email to Ex2013HelpFeedback@microsoft.com and make sure to include the url of the page, a quote and/or screenshot of the text you’re referring to and an explanation of why you think it’s in error. The team behind this alias is awesome and almost every time you will receive a response from an actual person.

Friday, January 20, 2017

Windows Management Framework (WMF) 5.1 Released, do not install on Exchange

Today the PowerShell team announced the release of version 5.1 of the Windows Management Framework, for most people better known as PowerShell 5.1. While Windows Server 2016 already contained WMF 5.1 when the product was released, the download released today allows administrator to install WMF 5.1 on older operating systems such as Windows Server 2008 R2, 2012 and 2012 R2.

This is a reminder that currently no version of Exchange Server supports a newer version of WMF than the version that was released with the operating system. As always when it comes to supportability questions, the Exchange Server Supportability Matrix is a valuable resource.

image

Strictly speaking the same limitation applies to a remote management computer too, but I am not aware of any issues with running a newer version of Remote PowerShell against Exchange on an operating system with an older version of WMF. But be aware of the supportability limitations around WMF and PowerShell.

Thanks Niklas, for pointing out that Server 2016 was released with WMF 5.1, not 5.0 as I wrote initially.

Monday, January 16, 2017

Microsoft about to release new Skype for Business IP Phone firmware for Polycom VVX devices

LCS/OCS/Lync/Skype has a long history when it comes to management of IP phone firmware updates. OCS 2007 R2 introduced the Device Update Service and greatly simplified the process and the required infrastructure. In the Lync 2010 timeframe the 3rd party IP phone (3PIP) certification added support for non-Microsoft firmware such as Polycom UC Software.

image

In Lync Server 2010 for instance, an admin uses the Import-CsDeviceUpdate cmdlet to import a .cab file and approves the update in the LSCP. The client device will periodically query the Device Update Web service and download and install the new firmware.

The same principle applies to Skype for Business Online with Cloud PBX today. Technically speaking the title of this article is incorrect, Microsoft is not releasing the software but merely distributing the Polycom firmware through it’s infrastructure.

Enabling or disabling this feature is a tenant-wide setting and can be done by modifying the CsIPPhonePolicy. By default EnableDeviceUpdate is True.

image

For more information about this feature, read Jeff Schertz’s post about this topic: Device Updates with Skype for Business Online.

The major difference with Skype for Business on-premises is that customers cannot upload a firmware version. Microsoft has an internal process to certify 3rd party firmware updates. At the moment of writing the only version that has been approved is Polycom UCS for the VVX line of devices, version 5.4.1.17653. Specifically the following devices are supported:

  • VVX 201
  • VVX 3xx
  • VVX 44xx
  • VVX 5xx
  • VVX 6xx

The issue is that the most recent version of Polycom UCS is currently 5.5.1. That doesn’t sound much newer than 5.4.1 but in reality Polycom has released many interim versions and each version added important new features and fixes. That’s why it’s good to know that Microsoft is currently qualifying UCS version 5.5.1.11344.

If you consider using Skype for Business Online device updates, be aware that the capabilities currently are extremely limited. The device update feature cannot be enabled for a specific set of users or devices and the other management features are limited as well:

image

(note: EnableBetterTogetherOverEthernet by default is False)

Most of the configuration items are pretty self-explanatory but if you want to know more, the help page of  Set-CsIPPhonePolicy is very informative.

Microsoft did not communicate a release date for 5.5.1.11344 but my sources say that it shouldn’t take long. For more information, read: New features in the firmware update for Polycom VVX IP phones.

Note

I’m working with Polycom and Microsoft to investigate an issue where Polycom VVX devices receive a ‘400 bad request’ when they query the Skype for Business Online Update Service. If you’re encountering the same, let me know in the comments.

Wednesday, January 11, 2017

New Exchange PowerShell module with Modern Authentication support now available in Office 365 Portal

Many organizations are enabling multi-factor authentication (MFA) for all their accounts, or a subset such as for instance user accounts with an admin role. Especially with how easy this is with Office 365, even with the basic MFA feature that’s included with the license. Unfortunately enabling MFA on an admin account breaks the ability to use PowerShell to administer Exchange Online, Skype for Business Online or SharePoint.

A few months ago a new version of the Exchange PowerShell module was ‘leaked’ to the internet. It was a click-to-run executable without any documentation, but it introduced support for Modern Authentication which is a requirement for MFA.

And while there’s still no public announcement on the various Microsoft Exchange or Office blogs, not even a mention in the Office 365 Roadmap, there have been some recent updates. For starters the new PowerShell console is now available for download in the Hybrid section of the Exchange Admin Center.

image

The second is that some documentation has been published. The process was pretty self-explanatory but some official guidance is always better. The short version is this: install the application, then use Connect-EXOPSSession to create a remote session.

image

Read more in this article on the TechNet Exchange Technical Library.

Friday, December 23, 2016

Error 0xE0000100 when installing Server 2016 in a virtual machine

Today I ran into an issue while creating a new VM on a Windows Server 2016 Hyper-V host. The VM will run Server 2016 as well but throws an error message when Windows Setup loads:

image

Windows installation encountered an unexpected error. Verify that the installation sources are accessible, and restart the installation.
Error code: 0xE0000100"

I downloaded a fresh copy of the ISO, deleted and recreated the VM, rebooted but was not able to get rid of this error message. While researching I stumbled on this article: Windows Server 2012 R2 setup may fail on a virtual machine that is configured to use the minimum required memory

This article explains that this error message indicates insufficient memory. Although I assigned 1024 MB and not 512 MB I decided to add some more memory to the VM configuration.

image

To no avail, the same error occurred when I retried. Knowing now that this error indicates a low memory condition I decided to set the amount of RAM back to 1024 and disabled Dynamic Memory.  Started the VM and to my surprise, Windows Setup started and allowed me to install Windows Server 2016 on this VM. image

At this moment I’m not sure why this happened. The Hyper-V documentation for Server 2012 R2 states that in this situation, a cold boot without an OS installed, the VM should have the Startup RAM amount available. This was initially 1024 and later 1500 MB, more than the 512 MB that Windows Setup requires.

When installing or upgrading the operating system of a virtual machine, the amount of memory that is available to the virtual machine during the installation and upgrade process is the value specified as Startup RAM. Even if Dynamic Memory has been configured for the virtual machine, the virtual machine only uses the amount of memory as configured in the Startup RAM setting. Ensure the Startup-RAM value meets the minimum memory requirements of the operating system during the install or upgrade procedure.

However, in my Dynamic Memory enabled VM I had little bit less than 512 MB available.

image

Hint: Pressing shift-F10 during Windows Setup opens a command prompt, allowing you access to tools such as diskpart, chkdsk and copy. Or in this case, allowed me to query WMI.

Now in this specific situation all memory of the VM host was assigned to running VMs. Because a restarting VM requires more than the minimum configured amount of memory during boot the Hyper-V hosts uses a disk-based paging feature called Smart Paging. However, Smart Paging does not work in a cold boot situation where the VM was powered off before booting the VM.

So when these requirements are met:

  • VM with Dynamic Memory enabled
  • All host memory assigned to running VMs
  • Cold VM boot to install an operating system

The Hyper-V host is not able to make the Startup RAM amount of memory available and the VM sees the Minimum RAM amount. In this case this was 512 MB which triggered the low memory condition described in the KB article I mentioned earlier.

After freeing up some resources from this host the VM was booted again, now it showed the expected 1024 MB of memory available.

image

Server 2012 R2 or 2016?

Note that the KB article applies to Server 2012 R2 and I used the Server 2012 R2 Hyper-V documentation to learn more about memory management. From my reading there is no difference in behavior between Server 2012 R2 and Server 2016.

For reference, read:

Friday, November 4, 2016

Friendly reminder: /RecoverServer to an older OS version is not supported

In case you missed it, it’s currently not recommended to deploy Exchange 2016 on Windows Server 2016. The Windows Server team added a section dedicated to Exchange in their Windows Server 2016 Release Notes:

If you attempt to run Microsoft Exchange 2016 CU3 on Windows Server 2016, you will experience errors in the IIS host process W3WP.exe. There is no workaround at this time. You should postpone deployment of Exchange 2016 CU3 on Windows Server 2016 until a supported fix is available.

image

It’s expected that a blog post with a similar message will appear soon on the Exchange Team Blog. The difference with the first post is that this post has to include recommendations to customers that deployed Exchange 2016 on Windows Server 2016, which is supported since CU3. As the Windows Server team already stated, there is no fix or workaround available today.

To make matters worse, it looks like this issue only applies to Server 2016 servers that have been added to a DAG. Good news for customers with stand-alone Exchange 2016 on Windows Server 2016 servers but it makes recovery a tad bit more complicated.

The supported approach would be something like this:

  1. Stand up new Windows Server 2012 R2 servers
  2. Install Exchange 2016 CU3 (or CU2 to prevent this from happening)
  3. Optional: Add both servers to a DAG (not the same one, 2012 R2 and 2016 servers can’t be members of the same DAG)
  4. Move the mailboxes to the new servers
  5. Uninstall Exchange 2016 from the impacted servers

The big question here is, will the admin be able to perform all these tasks with Exchange 2016 being in this state: Exchange Server 2016 & Windows Server 2016 Datacenter IIS AppPool's constantly crashing. ECP/Powershell inaccessible

A user in a community recommended this approach:

image

There is no fix at the moment. Therefore if you have put Exchange 2016 on to Windows 2016 then the only option is to shutdown the server, rebuild as Windows 2012 R2 then do a recover server install of Exchange 2016. That works and allows you to remove it cleanly.

Unfortunately this process is not supported (*) and never has been. This can be found in Recover an Exchange Server:

What do you need to know before you begin?
The server on which recovery is being performed must be running the same operating system as the lost server. For example, you can't recover a server that was running Exchange 2013 and Windows Server 2008 R2 on a server running Windows Server 2012, or vice versa. Likewise, you can’t recover a server that was running Exchange 2013 and Windows Server 2012 on a server running Windows Server 2012 R2, or vice versa.

So deploying a new server with Server 2012 R2 and then install Exchange 2016 with the /RecoverServer option is not supported.

Let’s see what the Exchange team will have to say on this.

(*) Not supported in this context means that Microsoft Support cannot support your environment if you do this. The exception is if Microsoft Support asks you to follow this process, in that case you will be supported.

Microsoft Teams, here’s the admin guidance

Yesterday Microsoft released a preview version of Microsoft Teams, the new product to compete with Slack. It will be very interesting to see Teams integrate in Office 365 as yet another collaboration product next to Skype for Business, Exchange, Yammer, SharePoint Newsfeed and Office 365 Groups.

Currently Microsoft Teams is not enabled by default, a tenant admin has to enable the application in the Office 365 Admin Center.

image

This will change in 2017 Q1 when Teams will be enabled by default. Or as Microsoft states in the Message Center (id MC84541):

We are rolling this preview out off-by-default, to give you a chance to explore the new capabilities. This experience will be turned on-by-default in the first quarter of 2017. At this time, you can control access to this experience, at the organization level. We are working on user-level controls for this feature, and will communicate again when available.

I know that many of my customers are still struggling how to handle Office 365 Groups creation and the lack of governance and control around this area. Microsoft is working hard to improve this, as they explained in this session at Ignite 2016: Manage Microsoft Office 365 Groups But with every new Microsoft Team there will be a corresponding Office 365 Group created.

This raises the question how admins can manage the Microsoft Teams roll-out in their organization. What are the firewall requirements? And how to estimate bandwidth for peer-to-peer calling?

The good news is, there is actual admin documentation. The bad news is that it’s no longer consolidated on a single place as we’re used to with TechNet. The currently available resources for admins can be found here:

Much to my surprise the most relevant information for admins was hidden in part 2 of the MVA video series. I highly recommend to download the Deploy_Microsoft_Teams.pdf document that can be found in the Resources section of this training.

image

There’s a ton of extremely valuable information in this document that helps you understand how to prepare for Microsoft Teams, at least from an infrastructure point-of-view.

image

image

image

Have fun!

Office 365 MFA is awesome! Unless you’re an administrator…

For some reason I have never worked with MFA with Office 365 until last year. And I must say, it is awesome! Even the free version of Azure MFA that’s included with the Office 365 subscription meets the requirements of most organizations. It’s very easy to setup and configure and the end-user experience is pretty good too, supporting text messages, phone call or the Azure Authenticator app.

image

Microsoft did a great job integrating the PhoneFactor acquisition (2012) in Azure AD and Office 365. So it’s not a surprise that a lot of organizations plan to enable MFA for all users, some users or the users with an admin role. And that’s where the issue is, Office 365 MFA currently does not support Remote PowerShell. Or I should say Remote PowerShell does not offer support for MFA because this would require support for Modern Authentication. This applies not only to Exchange management, but too PowerShell management of SharePoint, Skype for Business, EOP and Security & Compliance as well.

image

How about app passwords then? We can use app passwords for applications that do not support MFA right? Unfortunately app passwords are not working either.

When talking with Microsoft Premier Support they explained there’s currently no news to share. However, a Microsoft Most Valuable Professional explored the limits of his NDA on Facebook when he disclosed that Microsoft has made a preview version of Exchange PowerShell to beta testers at the moment. I’m very keen to learn more about this new version, because currently Remote PowerShell depends on the version of PowerShell that’s installed in the OS of the workstation. I’m assuming that MFA support requires the installation of additional software.

Ironically the new Office 365 Secure Score site (https://securescore.office.com/), a challenge were organizations receive points for increasing the security, awards 50 points for organizations that enable MFA for all their Tenant Admins. There’s no mention that this removes the ability to manage Office 365 with PowerShell.

image

Keep an eye on the Office 365 Roadmap and the Azure MFA Documentation for updates.