Thursday, July 23, 2015

How to access the Exchange 2016 ECP/EAC with a mailbox on 2013 or 2010?

So you added the first Exchange 2016 Preview server to your lab and now you want to access the Exchange admin center to configure your server. When you try to access https://<Exchange2016MailboxServer>/ecp and enter your credentials, you may see a ‘500 Unexpected Error’ or end up with the 2010 or 2013 version of the ECP. This is because Exchange 2016 by default tries to present the version of the ECP that corresponds to the version of Exchange that hosts your mailbox.

To access the Exchange 2016 admin center while your mailbox is on an older version, append the string ?ExchClientVer=15.1 to your URL. For instance https://<Exchange2016MailboxServer>/ecp?ExchClientVer=15.1.

Sounds familiar? That’s because the same procedure applied to Exchange 2013. Please note that the major version number of Exchange 2016 is 15.1, not 16 as you may have guessed.

Wednesday, July 22, 2015

Exchange 2016 Preview released!

Earlier today I wrote about some Exchange 2016 content that appeared on TechNet and now it’s obvious why: Microsoft released the Preview version of Exchange 2016. For those of you who attended Ignite this year the announcement will not bring much news. The architecture has been simplified (CAS and Mailbox roles integrated), OWA supports in-line editing and viewing of Office attachments, search has improved (again) and the Hybrid Configuration Wizard now runs from Office 365.

A feature that was not shared earlier is the auto-expanding archive mailbox: after the first 100 GB, Exchange automatically adds archive mailboxes in 50 GB increments. I guess this will be interesting for some on-premises users, but this is obviously a feature targeted at Exchange Online.

A download link and more information can be found in the article at the Exchange Team Blog.

PowerShell one-liner: How to query certificates in the certificate store?

PowerShell uses providers and drives to provide a consistent way to work with items in the file system, Active Directory, the registry, in applications and even the certificate store.

Recently I started using PowerShell to find the thumbprint of an installed certificate, for instance when I need that value to enable a certificate for Exchange services. To do this we can use the Cert: drive, navigate to the Local Computer store and then query the items in My; this is the Personal container you’re probably familiar with from working with the Certificates MMC snap-in.

dir cert:\localmachine\my

Where dir is of course an alias for Get-ChildItem.

Microsoft publishes Exchange 2016 documentation in Technical Library

With the Exchange 2016 Preview scheduled for the summer of 2015 (now!) the first documentation has been published to the Exchange Technical Library on TechNet. Of course the available content is still limited and new content will be added towards RTM.

Check it out here: Exchange Server 2016

Friday, July 17, 2015

Exchange 2013 CU install fails because the certificate is expired

This issue was recently brought up in a community and today I ran into the same issue myself. An Exchange 2013 CU installation is in progress and after Setup removed the existing installation files, it fails while installing the Transport service of the Mailbox role:

Error:
The following error was generated when "$error.Clear();
          Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
          if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
          {
            Install-AuthCertificate -DomainController $RoleDomainController
          }
        " was run: "System.Security.Cryptography.CryptographicException: The certificate is expired…

What happens here is quite easy to understand. As part of the CU installation, Setup tries to enable the SSL certificate for the IIS service. This fails because the Valid To date of the certificate has passed: the certificate is no longer valid.

Easy, we simply replace the cert, right? Well, remember that Exchange already removed the existing install? We have no access to the EMS at this point, so we need Setup to finish the install before we can replace the certificate the proper way.

A silly but effective workaround to achieve this goal is to change the system time of the server to a date that falls in the range where the certificate was still valid.

Note: Make sure you (temporarily) disable the time synchronization feature of your hypervisor and the Windows Time service, or else it will change the time back in no time. :)

Now you can restart the CU installation; it will automatically detect the failed attempt and offer to continue the process.

When the CU installation has finished, enable the Windows Time service and/or the time sync feature of your hypervisor and observe the clock moving back to the correct time. Now would be a great time to fire up EMS and replace the SSL certificate with a new one. Reboot the box afterwards, as is best practice after installing a CU anyway, and check the health of the server to verify that everything is working as it should.

So if you're reading this you probably started your lab servers after a long time, just like I did. If you ran into this issue in a production environment, it's important to investigate why you were running with an expired certificate in the first place. And if your certificate has expired, this article shows why you should replace it before you perform any maintenance on the server.
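Building on the Cert: drive one-liner from the PowerShell post above, here is an added example (not code from the original posts) that lists the Local Computer Personal store and flags certificates that have expired or are about to, which is the check you want to run before maintenance such as a CU install. The function name, the 30-day threshold and the columns shown are my own choices.

```powershell
# Added example (not from the original posts): enumerate the Local Computer
# Personal store through the Cert: provider and flag certificates that have
# expired or will expire within -WithinDays, so this is caught before Setup runs.
function Get-MachineCertificateStatus {
    param(
        [int]$WithinDays = 30,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # the "Personal" container in the MMC snap-in
    )
    $now = Get-Date
    # Get-ChildItem (alias dir) on the Cert: drive returns X509Certificate2 objects.
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($cert.NotAfter -lt $now)       { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WithinDays) { $status = 'EXPIRING' }
        else                               { $status = 'OK' }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint     # the value Enable-ExchangeCertificate expects
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey  # IIS cannot bind a certificate without one
            Status        = $status
        }
    }
}

# Report only the certificates that need attention; an empty result means all is well.
Get-MachineCertificateStatus -WithinDays 30 |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Thumbprint, Subject, NotAfter, DaysLeft, HasPrivateKey, Status -AutoSize
```

Run it from an elevated PowerShell session on the Exchange server; the Thumbprint column is what you pass to Enable-ExchangeCertificate once a replacement certificate is installed.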

Thursday, July 16, 2015

Microsoft updates the Office 365 portal

Microsoft has done a lot of work in their Office 365 Portal over the past few years, anyone who remembers the BPOS experience will agree. The experience we see today is very consistent and you need to keep an eye on the address bar of your browser to notice that you actually switched to a different website. It’s all modern, clean and very white-blue.

An area for improvement is the end-user self-service portal, the section that can be accessed by clicking on the gear icon in the top right corner of the screen. Recently Microsoft started updating this section too. The first thing the user will notice is the gradient bar on top of the page and the centered items; in the previous version of the portal the items were aligned to the left of the page.

When a user clicks on a section head the area expands and allows the user to make changes without leaving the page. For instance when the user clicks on Language, the option to select the language appears:

There are two exceptions to this principle: the Password and Software sections. I expect those sections to be revised too somewhere in the near future. Many admins are waiting for the option to remove the Password section from this portal; let's hope we see this added soon.

Friday, July 10, 2015

Is your free Exchange hybrid key really free?

And I'm not talking about Willy or Nelson Mandela, I mean free as in 'at no additional cost'. There are numerous sources on the internet stating that customers can obtain a free key for their hybrid server. What most articles forget to mention is that the license restrictions make this license free for just a very small subset of all customers.

And it's not just blog posts of independent writers: I heard Microsoft employees state the same while visiting customers and in presentations at tech conferences such as MEC and TechEd. And even their new Exchange Hybrid Product Key Distribution wizard (http://aka.ms/hybridkey) does not mention all requirements.

In fact there are three major requirements to obtain the license key for free:
  • You have an existing, non-trial, Office 365 Enterprise subscription
  • You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.
And the one I want to emphasize:
  • You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization

So if you're running licensed servers with Exchange 2010 in your environment, that Exchange 2013 server you want to deploy for hybrid is not free! In other words, the hybrid server license key is free if you're running Exchange 2007 or Exchange 2003 and have licenses for just those versions of Exchange.
In all other situations you will need to license your hybrid servers properly.

These license limitations can be found in the following KB article: How to obtain an Exchange Hybrid Edition product key for your on-premises Exchange 2007 or Exchange 2003 organization.

Thursday, July 9, 2015

Update: Office 365 migrations and the 'Delete() is not supported on a read-only session' error

If you're performing a Staged or Cutover migration to Exchange Online you may run into the following error:

Error: MigrationPermanentException: An error occurred while running Get-MergeRequest -Identity : Delete() is not supported on a read-only session. --> Delete() is not supported on a read-only session.

Many customers reported this issue in the last couple of days. Moderators in the Office 365 Support Forums confirmed that Microsoft is aware of the issue in their backend and is still investigating. Unfortunately the Service Health dashboard does not mention this issue.

If you run into this issue you could try to stop and delete the migration batch, delete the created Office 365 users and restart the process. Some people reported that their migration now succeeds. Others are still seeing the same issue in their migration batch.

To make sure that Microsoft has a good understanding of the scale of the issue, please open a Service Request if you're impacted too. And keep an eye on the discussion thread in the support forums to see if there's any progress made in resolving this issue.

Update July 14th 2015

Microsoft confirmed they implemented a fix in their environment, but it may take some time before it applies to all tenants. To find your tenant version, connect to Exchange Online with PowerShell first. Then query the version number:

Get-OrganizationConfig | ft AdminDisplayVersion

The fix has been implemented in version 15.1.234, so if your tenant is on that version or newer you can restart the migration batch and expect it to no longer fail. If your tenant is still on an older version I'm afraid you just have to wait a little more.

Monday, June 29, 2015

How to remove the Change Password link from the Office 365 portal

Microsoft did an amazing job with their online services. I remember the web based management in the BPOS days, not a pleasant experience for end users and admins alike. The current Office 365 portal is much improved and receives new updates every couple of months. Unfortunately there's one thing bothering many Office 365 admins and confusing even more end users.

In the Office 365 settings page (URL: https://portal.office.com/EditProfile15.aspx), where users can change their personal settings, there is a Password link. This works great for cloud users, user accounts that have not been synced from an on-premises Active Directory, but not so well for synced users with either Password Synchronization or Identity Federation (ADFS).

When those types of users click this link to update their password, they will receive an error:

Sorry, you can't change your password here. Follow the steps recommended by your organization or ask your admin for help.

So can we remove the link, at least for our synced users? The answer is no, you can't currently do that. Recently I made a request through the Office 365 Support channel and so did other customers, leading to a Design Change Request (DCR). Unfortunately this DCR was declined by the Product Group because this change is not feasible with the current version of the portal.

If you want to be sure that the need for this change is under Microsoft's attention, please submit your feedback with the form on this page.

Tuesday, June 23, 2015

Azure AD Sync doesn't warn if scheduled task is enabled on Server 2008/2008 R2

After running the Azure Active Directory Sync Services (AADSync) configuration wizard, a scheduled task is created to run a sync job every three hours. When an admin starts the wizard again to make changes to the configuration, a warning is shown telling the admin to disable the scheduled task and restart the wizard. This prevents configuration changes from being made while a sync could be in progress. This check does not work on Server 2008 and Server 2008 R2.

Under the hood AADSync uses the Get-ScheduledTask cmdlet to determine the status of the scheduled task. Unfortunately this cmdlet was introduced in Server 2012 and Windows 8; it's not available on Server 2008 and Server 2008 R2. Both older versions of Windows Server are on the list of supported operating systems.

So what happens if you have AADSync installed on Server 2008 or 2008 R2 and start the wizard again? It does not warn you to disable the scheduled task first and allows you to change the configuration while a sync could be in progress. While the chances of that happening are relatively small with the three hour interval, this obviously is not something we want to happen. The application log shows event id 906 from source AzureActiveDirectoryDirectorySyncTool:

IsSchedulerEnabled() failed, assuming FALSE: Details: System.Management.Automation.CommandNotFoundException: The term 'Get-ScheduledTask' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

The error message is self-explanatory: the IsSchedulerEnabled function tries to use the Get-ScheduledTask cmdlet, which is not available on this server. The function then assumes that the task is disabled, which is why we're no longer prevented from making configuration changes while the task is enabled. This behavior was noted with AADSync version 1.0.494.0501, the most recent version at this moment.

What does this mean for you if you're running AADSync on an older operating system? You should remember to verify that you disable the scheduled task before starting the configuration wizard; keep in mind that the wizard will not be able to check this and warn you if the task is still enabled.

Although Server 2008 and 2008 R2 are supported operating systems for AADSync, I suspect Microsoft did not actually test the software on those operating systems. I brought the issue to their attention through Office 365 Support, an experience I wouldn't wish on my worst enemy. To be continued…
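The fail-open behaviour described above (assuming FALSE when the check itself cannot run) is what a pre-wizard check should avoid. The following is an added example, not AADSync's own code: it uses Get-ScheduledTask where it exists and otherwise falls back to schtasks.exe, which is present on Server 2008 and 2008 R2, and it treats "cannot tell" as "enabled". The task name is a placeholder for whatever name the AADSync wizard gave the task on your server, and the schtasks output parsing assumes an English locale.

```powershell
# Added example (not AADSync code): report whether a scheduled task is enabled,
# failing closed (assume ENABLED) whenever the state cannot be determined.
function Test-ScheduledTaskEnabled {
    param([Parameter(Mandatory = $true)][string]$TaskName)

    # Server 2012 / Windows 8 and later ship the ScheduledTasks module.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
        return ($task.State -ne 'Disabled')   # Ready, Running, Queued all count as enabled
    }

    # Server 2008 / 2008 R2: fall back to schtasks.exe, available on both.
    $output = & schtasks.exe /Query /TN $TaskName /FO LIST /V 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Unlike IsSchedulerEnabled(), do not assume FALSE: block the caller instead.
        Write-Warning "Could not query task '$TaskName' ($output). Assuming it is ENABLED."
        return $true
    }
    foreach ($line in $output) {
        # Verbose LIST output contains a line such as "Scheduled Task State: Enabled".
        if ($line -match '^Scheduled Task State:\s*(\S+)') {
            return ($Matches[1] -eq 'Enabled')
        }
    }
    return $true   # unexpected output layout: fail closed
}

# Placeholder task name; replace with the name created by the AADSync wizard.
$syncTask = 'PLACEHOLDER-AADSync-task-name'
if (Test-ScheduledTaskEnabled -TaskName $syncTask) {
    Write-Warning "Task '$syncTask' is enabled. Disable it before starting the configuration wizard."
} else {
    Write-Host "Task '$syncTask' is disabled; safe to start the configuration wizard."
}
```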