SuperTekBoy

Practical Help for Exchange & Office 365

Exchange Solutions

Access is Denied when enabling Group Writeback

By 3 Comments

36 Shares
Share
Tweet
Share
Reddit
Email

Group Writeback is a feature in Azure AD Connect that allows for Office 365 Groups to be written back to your on-premises Active Directory as a universal distribution group. This allows your on-premises users in a hybrid environment to send email to the Office 365 Group.

When configuring group writeback you specify which organizational unit (OU) you want these objects to be written. Each of these Office 365 groups is then represented by a separate universal distribution group that starts with the name of “Group_” followed by a unique identifier.

In the screenshot below I have two Office 365 groups that are being written back to my local AD.

Group Writeback Azure AD Connect

The problem – Access is Denied

When I first tried to get these groups written back to this organizational unit was where I ran into problems. I was following this Microsoft document verbatim. The document specifies to open Active Directory Users and Computers and locate the account that started with “AAD_”. Which I found.

The document later uses this account to run a script. When running the script everything completed as expected. No errors.

Group Writeback Script Azure AD Connect

When I checked the permissions on the organizational unit I could see that the script had added the AAD_ account with a bunch of permissions. Everything looked good.

However, I quickly started generating errors in Azure AD Connect. When I opened the Synchronization Manager I received the following error on the export of my Office 365 group. “Permission Issue – Access is denied”

Group Writeback Access is Denied Synchronization Manager
[Read more…] about Access is Denied when enabling Group Writeback

Hybrid mail flow: TLS negotiation failed with error NoCredentials

By 21 Comments

58 Shares
Share
Tweet
Share
Reddit
Email

Ran into a strange problem recently where an Exchange 2016 server could not send mail to Office 365 via hybrid mail flow. What made this situation particularly strange is that other Exchange servers in the environment had no problem sending messages over the hybrid connection. On the problem server, messages would get stuck in the queue and eventually time out.

The queues were filled with retries such as these.

451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or deliver failed to all alternate hosts.

This message tells us that the server was unable to connect to Office 365. Unfortunately, it does not give us much detail beyond that. For that level of detail, we need to enable logging on the SMTP send connector used to send mail to Office 365.

Turn up logging on the SMTP Send Connector

To enable logging on a send connector, log into the Exchange Admin Center (EAC) and select the Mail Flow tab and Send Connectors sub-tab. Double click the send connector named Outbound to Office 365 and select Verbose under the General tab. Click Save.

Configure verbose logging on Exchange 2016 send connector

To perform this same action through the Exchange Management Shell (EMS) type the following command.

 C:\> Set-SendConnector -Identity "Outbound to Office 365" -ProtocolLoggingLevel Verbose

Note: Protocol logging can take some time before it starts creating log files. You can jump-start this process by restarting the Microsoft Exchange Transport service. Keep in mind this will disrupt mail flow on that server while the service restarts. The default location for SMTP send logs in Exchange 2016 is  %ExchangeInstallPath%TransportRoles\Logs\Hub\ProtocolLog\SmtpSend.

While we waited for logging to generate some entries we also confirmed that we could successfully make a connection from the problem server to Office 365. For this task, we confirmed that we could telnet over port 25 to Office 365 and send an email message. This confirmed two things. First that this server was not being blocked on outbound port 25. Second that this server could resolve and reach Office 365 servers.

[Read more…] about Hybrid mail flow: TLS negotiation failed with error NoCredentials

An error occurred while testing the Mail Store (Mailbox logon returned ecLoginFailure -2147221231)

By 1 Comment

33 Shares
Share
Tweet
Share
Reddit
Email

Ran into a strange issue recently when a client upgraded from Exchange 2010 to Exchange 2016. The client had already decommissioned Exchange 2010 so coexistence was not a factor. Their configuration was a single-server running Exchange 2016. All mailboxes were located on a single database.

Outlook clients would work fine internally. Externally Outlook would never connect. The status bar would simply report ‘Trying to connect’. Outlook on the Web and all ActiveSync clients were working fine. In addition, the Autodiscover test on the Microsoft Remote Connectivity website was passing.

In contrast, the Outlook Connectivity test from the same site was failing. The following error was reported.

Testing the MAPI Mail Store endpoint on the Exchange server.
  An error occurred while testing the Mail Store.

Additional Details

Elapsed Time: 919 ms.

Test Steps

Attempting to log on to the Mailbox.
  An error occurred while logging on to the Mailbox.

Additional Details

Mailbox logon returned ecLoginFailure -2147221231. Possible causes are:

1. The user doesn't have any access to a private mailbox or public folder messaging data.

2. There are no private mailboxes or public folders on the server.

3. The server is exiting or is about to exit.

StatusCode: -2147221231

The possible causes identified by the error were equally vague. We confirmed these user credentials were working fine with Outlook on the Web and internally for the user. In addition, this was the only server hosting all the mailboxes and we could access them just fine with Outlook internally. As part of our troubleshooting, we disabled MAPI over HTTP in favor of the older RPC over HTTP connection method. Unfortunately, this provided the exact same result.

Fixing logon returned ecLoginFailure -2147221231

The remedy for us was to move all users to a new database. We tested this first by creating a new database and moving a single user over. When that user passed the Outlook connectivity test (and Outlook also connected externally) we moved all other users and system mailboxes to this database.

It is uncertain what was wrong with the original database. It was barely a week old and was the default database installed by Exchange. In any case, the fix was quite simple and it was easier to move the users than to continue troubleshooting for a root cause.

Twitter

Have you run into this error? What was your solution? Drop a comment below or join the conversation on Twitter @SuperTekBoy.

Unexpected result from Windows Live. 1007 Access Denied – Federation Trust

By Leave a Comment

29 Shares
Share
Tweet
Share
Reddit
Email

Recently while trying to remove a domain from the federation trust I received the following error.

The URI couldn't be released. An unexpected results was received from Windows Live 1007 Access Denied
The URI "supertekboy.com" for domain "supertekboy.com" on application identifier "000000004804735E" couldn't be released. Detailed information: "An unexpected result was received from Windows Live. Detailed information: "1007 AccessDenied: Access Denied.".".

Despite the almost cryptic error, this one is actually quite simple to fix. In this particular case, the time in my domain was 5 minutes behind the rest of the world. Or more importantly, 5 minutes offset from the Microsoft Federation Gateway. As soon as I brought my time forward I was able to immediately release the shared domain from the federation trust.

Error 1007 can occur while making other configuration changes to the federation trust. It is not just linked to releasing a domain. So if you see this error while performing any task with the federation trust, check the time on your Exchange boxes.

Twitter

Have you run into this error? What was your solution? Drop a comment below or join the conversation on Twitter @SuperTekBoy.

The delegation token is NULL – Hybrid Free/Busy

By 1 Comment

72 Shares
Share
Tweet
Share
Reddit
Email

Ran into a strange issue recently where on-premises users could not see the free/busy information for test users I had migrated to Exchange Online. Exchange Online, on the other hand, had no problem seeing the free/busy of the on-premises users. I had just run the hybrid configuration wizard and it completed without incident. The environment had not been previously enabled for the Microsoft Federation Gateway so I let the wizard take care of that step as well.

When we tested the trust with the federation gateway we received the following error on Step 5 of 6: Requesting delegation token.

 C:\> Test-FederationTrust -UserIdentity rsong@exchangeservergeek.com

<...edited...>

RunspaceId : e4e42cab-62f4-4d70-be15-69143b273823
Id : TokenRequest
Type : Error
Message : Failed to request delegation token.

Error. Attempted to get delegation token, but token came back as null.

The token coming back as null seemed to be the key here. Unfortunately, the web seemed to lack any real way to fix the existing trust. We resolved to delete and recreate the trust with the federation gateway.

Recreating the Federation Trust

Warning: Before we get started with the process you will need access to external DNS zone. Recreating the trust voids the current TXT record that was used for domain validation.

To delete the federation trust navigate to the Organization > Sharing tabs in the Exchange Admin Center. Under the section titled Federation Trust click the Remove button. Click Yes to confirm.

Removing the trust with the Microsoft Federation Gateway
[Read more…] about The delegation token is NULL – Hybrid Free/Busy

McAfee VirusScan Enterprise blocks outbound SMTP on Exchange

By 2 Comments

62 Shares
Share
Tweet
Share
Reddit
Email

If you install McAfee VirusScan Enterprise on an Exchange Server you will find that your outbound mail is being blocked. By default McAfee only allows certain processes to send out on port 25. Exchange isn’t one of them.

The block is caused by the Access Protection component. Disabling this component entirely would allow your mail to flow again. However, disabling an entire protection component may not be ideal. Instead, we list a couple of options below to allow Exchange through without sacrificing security.

Tip: Microsoft documents all the mandatory Exchange exclusions here. In addition, McAfee also details Exchange exclusions in this article.

Option 1

Right-click on the McAfee taskbar icon and select VirusScan console from the context menu.

McAfee VirusScan Enterprise Exchange 2013 2016
[Read more…] about McAfee VirusScan Enterprise blocks outbound SMTP on Exchange

Internal 500 server error after fresh Exchange 2016 install

By 16 Comments

121 Shares
Share
Tweet
Share
Reddit
Email

Ran into a strange problem recently. I installed Exchange 2016 CU2 onto a brand new machine. This was the first Exchange 2016 server in the environment. Exchange 2010 SP3 RU14 was in coexistence. I could access the Exchange Control Panel fine. But when I accessed Outlook on the Web (formerly Outlook Web App) I received an Internal 500 server error. Not good. Especially on a brand new install.

Outlook Web App Internal 500 server error

Checking the application log revealed a ton of ASP.NET warnings. The warning had a source ASP.NET with Event ID 1310. Inside each warning was internal code 3008 with event message, A configuration error has occurred. The specifics are below.

ASP.NET Event ID 1310 Event Code 3008
Event code: 3008
Event message: A configuration error has occurred.
Event time: 9/1/2016 7:00:00 PM
Event time (UTC): 9/1/2016 11:00:00 PM
Event ID: 33cf7da9abe544e8b562fe0ab5437b57
Event sequence: 1
Event occurrence: 1
Event detail code: 0

We quickly found our answer in the exception message. In many instances the Microsoft.Exchange.Security assembly was missing. Other missing assemblies were referenced in separate warnings as well. I’ve highlighted the section below.

[Read more…] about Internal 500 server error after fresh Exchange 2016 install

Errors Migrating to Modern Public Folders

By Leave a Comment

13 Shares
Share
Tweet
Share
Reddit
Email

Recently while crafting an article to describe the migration process to Modern Public Folders I ran into some strange errors. They both occurred while the migration batch was attempting to copy data.

Here is the first.

Request was quarantined because of following error Nullable object must have a value
Error: MigrationPermanentException: Request was quarantined because of the following error: Nullable object must have a value.

Cryptic huh? Nothing much on the interwebs either.

When I attempted to resume the batch I then received this error.

Downlevel clients aren't supported.
Error: MigrationPermanentException: Downlevel clients aren't supported. --> Downlevel clients aren't supported.

This one got me thinking. I suddenly wondered if I had ever upgraded Exchange 2016 in my lab from preview to RTM. A quick check of the build numbers revealed I had not. D’oh!

If you get this error make sure you are not still on the preview of 2016. In addition, once you upgrade and reboot your 2016 lab server, you will need to delete and recreate the batch. Then you should be able to test the migration process successfully.

Twitter

Join the conversation on Twitter @SuperTekBoy.