Thursday, January 26, 2017

A few notes on running Exchange in Microsoft Azure

Earlier this week Microsoft published a very interesting article: Exchange 2016 dev/test environment in Azure. I’m not a big fan of the how-to format of articles when the topic is around deployment because the guidance and specifics tend to change with later updates. There’s the risk of your article becoming obsolete sooner than planned.

The article contains an excellent real-world example of how to deploy a few virtual machines on Azure. I like how the author used PowerShell to configure the VM TCP/IP configuration and Install-ADDSForest to promote the server to domain controller.

Cool, let’s do this in production!

Although the article clearly states that the goal is to deploy Exchange for test and development, this article may spark new interest for people who would like to run Exchange in production too. The good news is that running Exchange in Azure is supported, but similar to running Exchange on other virtualization platforms, some additional requirements must be met. The most significant requirement is actually mentioned in the article, in the section where storage is assigned for the Exchange VM:

image

This information can be found in the article Exchange 2016 virtualization as well:

Deployment of Exchange 2016 on Infrastructure-as-a-Service (IaaS) providers is supported if all supportability requirements are met. In the case of providers who are provisioning virtual machines, these requirements include ensuring that the hypervisor being used for Exchange virtual machines is fully supported, and that the infrastructure to be utilized by Exchange meets the performance requirements that were determined during the sizing process. Deployment on Microsoft Azure virtual machines is supported if all storage volumes used for Exchange databases and database transaction logs (including transport databases) are configured for Azure Premium Storage.

Running a single VM with the proper resources for Exchange 2016 24/7 in Azure is probably more expensive than you would think, with prices starting around € 500,- per month for the VM, two small premium storage disks and a Windows license.

While this falls outside of the scope of the article we’re discussing here, I would like to mention the requirement to use a smart host for outbound email delivery if you choose to run Exchange in Azure.

Make sure you do the math and understand the requirements before using this article as an alternative deployment plan for your next Exchange server. At this moment I am not aware of any organization running Exchange servers in Azure for production. If you are doing this, please reply in the comments.

But wait, there’s more

As I mentioned in my introduction, Exchange installation how-to articles often contain wrong or obsolete information. Unfortunately that applies to this article too.

image

The latest version of Exchange, that’s actually great advice. Unfortunately the URL https://go.microsoft.com/fwlink/p/?LinkId=747753 links to the download page for Exchange 2016 CU1. Not only is this version much older than the latest version, currently CU4; more importantly, this version of Exchange is not even supported to run on Windows Server 2016. It was Exchange 2016 CU3 that introduced support for Windows Server 2016, although CU4 is recommended because of a compatibility issue in Server 2016.

Exchange 2016 not supported for virtualization?

And while making some screenshots for this article I found another gem. On the page with the requirements for virtualization is this weird segment:

image

This is actually a leftover from the Exchange 2007 era, when this modernized virtualization policy was introduced. That page required Exchange 2007 SP1, and the list of supported guest operating systems indicated that running a VM with Windows Server 2003 x64 was not supported.

With every new edition (2010, 2013, 2016) this page was copied without many changes. Instead of removing this no longer relevant section, the writers updated it with what they thought made sense. That’s why a VM running Exchange requires that it’s running Exchange 2010.

But I digress, back to Exchange 2016 now. The current version of this page does not include Windows Server 2016 as a supported operating system for running an Exchange 2016 VM. While this is obviously a mistake, technically speaking a virtualized Exchange 2016 server installed on Windows Server 2016 is currently not supported.

I found a doc error too, what should I do?

Shoot an email to Ex2013HelpFeedback@microsoft.com and make sure to include the url of the page, a quote and/or screenshot of the text you’re referring to and an explanation of why you think it’s in error. The team behind this alias is awesome and almost every time you will receive a response from an actual person.

Friday, January 20, 2017

Windows Management Framework (WMF) 5.1 Released, do not install on Exchange

Today the PowerShell team announced the release of version 5.1 of the Windows Management Framework, for most people better known as PowerShell 5.1. While Windows Server 2016 already contained WMF 5.1 when the product was released, the download released today allows administrators to install WMF 5.1 on older operating systems such as Windows Server 2008 R2, 2012 and 2012 R2.

This is a reminder that currently no version of Exchange Server supports a newer version of WMF than the version that was released with the operating system. As always when it comes to supportability questions, the Exchange Server Supportability Matrix is a valuable resource.

Strictly speaking the same limitation applies to a remote management computer too, but I am not aware of any issues with running a newer version of Remote PowerShell against Exchange on an operating system with an older version of WMF. But be aware of the supportability limitations around WMF and PowerShell.

Thanks Niklas, for pointing out that Server 2016 was released with WMF 5.1, not 5.0 as I wrote initially.
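
A check for the limitation described above, as an added example (not from the original post or from Microsoft): it uses PowerShell remoting to report servers where Exchange is installed and PowerShell is newer than the version the operating system shipped with. The version table, the registry keys used to detect Exchange, and the server names are assumptions of this example.

```powershell
# Added example, not Microsoft's tooling.
# Assumption: in-box PowerShell version per OS release; other releases are not evaluated.
$InBoxWmf = @{
    '6.2'  = '3.0'   # Windows Server 2012
    '6.3'  = '4.0'   # Windows Server 2012 R2
    '10.0' = '5.1'   # Windows Server 2016
}

function Test-ExchangeWmfVersion {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    # Runs on each remote server; uses only cmdlets available since PowerShell 2.0.
    $probe = {
        $os = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
        # Assumption: an Exchange 2010 (v14) or 2013/2016 (v15) install creates
        # one of these keys. A management-tools-only install creates them too.
        $setupKeys = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup',
                     'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
        $ps = $PSVersionTable.PSVersion
        New-Object PSObject -Property @{
            OSVersion   = '{0}.{1}' -f $os.Major, $os.Minor
            PSVersion   = '{0}.{1}' -f $ps.Major, $ps.Minor
            HasExchange = [bool]($setupKeys | Where-Object { Test-Path $_ })
        }
    }

    foreach ($r in Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe) {
        $inBox = $InBoxWmf[$r.OSVersion]
        if (-not $r.HasExchange) {
            $status = 'NoExchange'
        } elseif (-not $inBox) {
            $status = 'NotEvaluated'      # OS not in the table above
        } elseif ([version]$r.PSVersion -gt [version]$inBox) {
            $status = 'NewerThanInBox'    # the situation the post warns about
        } else {
            $status = 'InBox'
        }
        $r | Select-Object PSComputerName, OSVersion, PSVersion,
                           @{ Name = 'Status'; Expression = { $status } }
    }
}

# Usage (EX01 and EX02 are hypothetical server names):
# Test-ExchangeWmfVersion -ComputerName EX01, EX02 |
#     Where-Object { $_.Status -eq 'NewerThanInBox' }
```

Running it before approving WMF 5.1 in a patch baseline also shows which servers would be affected, since any server reported as `InBox` on Windows Server 2012 or 2012 R2 would move to `NewerThanInBox` after the update.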

Monday, January 16, 2017

Microsoft about to release new Skype for Business IP Phone firmware for Polycom VVX devices

LCS/OCS/Lync/Skype has a long history when it comes to management of IP phone firmware updates. OCS 2007 R2 introduced the Device Update Service and greatly simplified the process and the required infrastructure. In the Lync 2010 timeframe the 3rd party IP phone (3PIP) certification added support for non-Microsoft firmware such as Polycom UC Software.

In Lync Server 2010 for instance, an admin uses the Import-CsDeviceUpdate cmdlet to import a .cab file and approves the update in the LSCP. The client device will periodically query the Device Update Web service and download and install the new firmware.

The same principle applies to Skype for Business Online with Cloud PBX today. Technically speaking the title of this article is incorrect: Microsoft is not releasing the software but merely distributing the Polycom firmware through its infrastructure.

Enabling or disabling this feature is a tenant-wide setting and can be done by modifying the CsIPPhonePolicy. By default EnableDeviceUpdate is True.

For more information about this feature, read Jeff Schertz’s post about this topic: Device Updates with Skype for Business Online.

The major difference with Skype for Business on-premises is that customers cannot upload a firmware version. Microsoft has an internal process to certify 3rd party firmware updates. At the moment of writing the only version that has been approved is Polycom UCS for the VVX line of devices, version 5.4.1.17653. Specifically the following devices are supported:

  • VVX 201
  • VVX 3xx
  • VVX 44xx
  • VVX 5xx
  • VVX 6xx

The issue is that the most recent version of Polycom UCS is currently 5.5.1. That doesn’t sound much newer than 5.4.1 but in reality Polycom has released many interim versions and each version added important new features and fixes. That’s why it’s good to know that Microsoft is currently qualifying UCS version 5.5.1.11344.

If you consider using Skype for Business Online device updates, be aware that the capabilities currently are extremely limited. The device update feature cannot be enabled for a specific set of users or devices and the other management features are limited as well:

image

(note: EnableBetterTogetherOverEthernet by default is False)

Most of the configuration items are pretty self-explanatory but if you want to know more, the help page of Set-CsIPPhonePolicy is very informative.

Microsoft did not communicate a release date for 5.5.1.11344 but my sources say that it shouldn’t take long. For more information, read: New features in the firmware update for Polycom VVX IP phones.

Note

I’m working with Polycom and Microsoft to investigate an issue where Polycom VVX devices receive a ‘400 bad request’ when they query the Skype for Business Online Update Service. If you’re encountering the same, let me know in the comments.

Wednesday, January 11, 2017

New Exchange PowerShell module with Modern Authentication support now available in Office 365 Portal

Many organizations are enabling multi-factor authentication (MFA) for all their accounts, or a subset such as for instance user accounts with an admin role. Especially with how easy this is with Office 365, even with the basic MFA feature that’s included with the license. Unfortunately enabling MFA on an admin account breaks the ability to use PowerShell to administer Exchange Online, Skype for Business Online or SharePoint.

A few months ago a new version of the Exchange PowerShell module was ‘leaked’ to the internet. It was a click-to-run executable without any documentation, but it introduced support for Modern Authentication which is a requirement for MFA.

And while there’s still no public announcement on the various Microsoft Exchange or Office blogs, not even a mention in the Office 365 Roadmap, there have been some recent updates. For starters the new PowerShell console is now available for download in the Hybrid section of the Exchange Admin Center.

The second is that some documentation has been published. The process was pretty self-explanatory but some official guidance is always better. The short version is this: install the application, then use Connect-EXOPSSession to create a remote session.

Read more in this article on the TechNet Exchange Technical Library.