Friday, March 24, 2017

Let’s not run Exchange 2016 Edge Transport on Windows Server 2016…

Another example where old technology meets new technology. Old is in this case the Content Filtering agent on an Edge Transport server, new being Windows Server 2016. In short, the SmartScreen technology that is used in the Content Filtering agent conflicts with SmartScreen implementation in Windows Server 2016 operating system.

At this point this is known to prevent a proper uninstall of Exchange and can cause crashing transport services, this applies to an Exchange 2016 Mailbox server where the admin installed the anti-spam agents too.

From today Microsoft no longer recommends to install the Exchange 2016 Edge Transport role on Windows Server 2016, the same goes for installing the anti-spam agents on the Mailbox role when installed on Windows Server 2016.

What do you need to know about Exchange 2016 on Windows Server 2016:

An interesting note is that the author of the post on the Exchange Team Blog consistently uses the term ‘Edge role’ instead of Edge Transport. This could be one more change in the branding but more likely just a mistake.

Thursday, March 16, 2017

New Exchange Online PowerShell module with MFA support no longer in Preview

In a previous article I wrote about the new PowerShell module with support for Modern Authentication and Multi-factor Authentication. The Preview status was a reason for many organizations to hesitate to take the new module into production.

Yesterday Microsoft released an updated version of the Hybrid Configuration Wizard with MFA support, the HCW now requires installation of the new PS module to support MFA. Microsoft’s ‘hybrid’ PM Timothy Heeney confirmed in the comments section that this also marks the official RTM of the new PowerShell module, the module is no longer in Preview. Good news!

Tuesday, March 7, 2017

Surface Hub devices and the Skype for Business Trust Model

I’m sure that most Lync or Skype for Business admins, users as well, are familiar with the Trust Model. The Trust Model is responsible for the ‘Skype for Business cannot verify that the server is trusted for your sign-in address’ warning. This warning is thrown when the clients tries to create a secure TLS connection with a server and the domain suffix of the server is different from the user’s SIP address, the server can be either a Skype for Business or Exchange server. This warning is very common in organizations that use more than one SIP domain and is often suppressed on managed computers with the TrustModelData registry value.

With a Surface Hub device the issue is a bit more complicated to determine, but very easy to work around. In this article I will explain how.

Let’s consider the following scenario. Contoso is an enterprise organization that uses many different SMTP and SIP domains across their divisions. The AD domain name is and this is also the DNS domain suffix for most servers. Skype for Business is hosted with a 3rd party named Fabrikam, their servers have a fqdn with the suffix.


The Northwind Traders division of Contoso has purchased a Microsoft Surface Hub device and created a device account with a SMTP, UPN and SIP address with a suffix.

The issue

An admin was able to configure the Surface Hub with this computer account, however users are not able to start a meeting.

It’s important to understand that although the device boots successfully, the built-in Skype for Business client is not immediately connecting to Skype for Business (Online) but starting a meeting does trigger this process.

The investigation

Surface Hub devices run on Windows 10 Team edition which does not offer a regular interface that allows to access the file system to collect log files. Instead we need to boot the device, let it run for 5 minutes, then reproduce the issue and tell the Surface Hub to collect the log files.

To do this, connect a USB disk to the device and open the Settings app. Then navigate to Update and Security, Recovery, Collect logs. The log files are now written to the USB disk.

When analyzing the log files, be aware that the Surface Hub’s Skype for Business client is very similar to the Lync 2010 Windows Store app and behaves as a mobile client.

2757 TL_WARN() [2]10B0.1394::02/28/2017-12:38:54.103.00000a8c (NONE,NModel::CTrustModelManager::LookupTrustModel:CTrustModelManager_cpp124)<O_TRC><ADR>0x00000243A9F16EB0</ADR>Trust model for server not found. hr=0x80ee0058</O_TRC>
2758 TL_WARN() [2]10B0.1394::02/28/2017-12:38:54.103.00000a8d (NONE,NModel::CTrustModelManager::QueryTrustModel:CTrustModelManager_cpp171)<O_TRC><ADR>0x00000243A9F16EB0</ADR>Server: cert=0000000000000000, blockAndWait=0</O_TRC>
2759 TL_INFO() [2]10B0.1394::02/28/2017-12:38:54.103.00000a8e (NONE,NModel::CTrustModelManager::QueryTrustModel:CTrustModelManager_cpp230)<O_TRC><ADR>0x00000243A9F16EB0</ADR>Not able to get SAN from cert. Continue query TrustModel.</O_TRC>

Here we clearly see the issue. The DNS domain suffix of the reverse proxy server is and the user’s SIP address suffix is This triggers the Trust Model warning and because the Surface Hub interface does not present the familiar warning, it simply prevents the device from connecting with Skype for Business.

The solution

As I mentioned earlier, this is a very common issue for most organizations. The Surface Hub device offers an interface to add domains to the Trusted Domain list. Open the Settings app and navigate to This device, Calling. Here click the Configure domain name and enter a comma separated list of the additional domain names that exist on your Skype for Business and Exchange servers.


In this scenario we would need to enter the DNS suffix of the reverse proxy, but that’s not sufficient. While this will allow us to connect to the reverse proxy this will throw another warning in the logs because the DNS suffix of the front-end server is different from the user’s SIP address suffix too. In this example we would need to enter the following:,

A reboot of the device is required to activate the new settings. If you’re still not able to connect, export and analyze the logs again. There may be additional issues that prevent the device from connecting to Skype for Business.


Instead of showing a warning popup the Surface Hub simply does not allow to connect when the domain name of a servers is different from the SIP domain. If you know that this scenario applies in your organizations, add the additional domains in the Settings app.

For more information please see:

Monday, March 6, 2017

Skype for Business PSTN Calling in Preview for The Netherlands and Ireland

PSTN calling is an add-on telephone service that, when combined with Skype for Business Cloud PBX, can become your phone system. This is currently available for users in the United Kingdom, United States, Puerto Rico, France and Spain.

Microsoft now introduced this feature in Preview for The Netherlands and Ireland. To nominate your organization, make sure you’re prepared to deploy PSTN Calling to at least 50 users and are available to give feedback on the experience.


Based on what we’ve seen with France and Spain I expect general availability in two or three months. More information on