SuperTekBoy

Practical Help for Exchange & Office 365

Exchange does not have Audit Security Privilege on the domain controller

By Leave a Comment

24 Shares
Share
Tweet
+1
Share
Reddit

While reviewing the event logs on your Exchange server you could encounter the following error.

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2112
Task Category: Topology

Description:
 Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2700). 
 The Exchange computer dc03.supertekboy.com does not have Audit Security 
 Privilege on the domain controller dc03.supertekboy.com. This domain 
 controller will not be used by Exchange Active Directory Provider.

We ran into this recently at a customer. This was an odd error because the description specified the name of one of our domain controllers as an “Exchange Computer”. That aside, my customer was receiving this error for two of their three domain controllers (dc02 & dc03). The error was also repeated across all their Exchange servers.

To make matters worse if the customer shut down the only domain controller not reported in these errors (dc01) Exchange would become completely unavailable. As the error stated, dc02 and dc03 were definitely not being used by the Exchange Active Directory Provider.

Further analysis of the event logs also revealed informational alert MSExchange ADAccess 2080. In this alert we could see our three domain controllers with one striking difference.

Log Name: Application
Source: MSExchange ADAccess
Event ID: 2080
Task Category: Topology

Description:
 Exchange Active Directory Provider has discovered the following servers with
 the following characteristics:

 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable |
 PDC |  SACL right  | Critical Data | Netlogon | OS Version)
 In-site:
 dc01.supertekboy.com CDG 1 7 7 1 0  1  1 7 1
 dc02.supertekboy.com CDG 1 7 7 1 0  0  1 7 1
 dc03.supertekboy.com CDG 1 7 7 1 0  0  1 7 1

In the eighth column (highlighted), dc01 was reporting a 1 whereas dc02 and dc03 were reporting a 0. All other column data was identical between the three servers. The words in parenthesis are actually the column headers. They don’t line up very well in event viewer but if we count to the eighth word we see the column is titled “SACL right”. What this means is that the Exchange servers are missing the SACL right on the domain controllers marked with a zero.  Or more specifically, Exchange is missing the right to manage the security and audit logs of those two domain controllers. [Read more…] about Exchange does not have Audit Security Privilege on the domain controller

Change which organizational units (OUs) are synced to Office 365

By 1 Comment

55 Shares
Share
Tweet
+1
Share
Reddit

In this article we are going to take a look at changing which objects get synced to Office 365 through organizational unit (OU) filtering. By default Azure AD Connect is configured to sync all objects in all OUs. Filtering allows us exclude OUs, and the objects they contain, so they are not synchronized to Office 365. An example of this may be to exclude an OU that contains service accounts for on-premises applications.

In our example, we are going to narrow our sync scope to just a few select organizational units in the domain skaro.local. We will be working with the latest version of Azure AD Connect and a single forest environment.

Let’s get started!

Selecting which OUs to synchronize

First, log onto the server where you have Azure AD Connect installed and open the Synchronization Service program.

Synchronization Service Azure AD Connect

This opens the Synchronization Service Manager. From here select the Connectors tab. Under the Connectors section double-click the name of your local Active Directory. In my example, this is SKARO.LOCAL. This will bring up the Properties screen for that connector.

Azure AD Connect - Connectors tab - Local AD Properties

[Read more…] about Change which organizational units (OUs) are synced to Office 365

Error ‘Cannot stop tmlisten service’ when installing Exchange updates

By 2 Comments

21 Shares
Share
Tweet
+1
Share
Reddit

When installing an Exchange update you may run into the following error.

Error:
The following error was generated when "$error.Clear(); 
 & $RoleBinPath\ServiceControl.ps1 -Operation:DisableServices -Roles:($RoleRoles.Replace('Role','').Split(',')) -SetupScriptsDirectory:$RoleBinPath;
 & $RoleBinPath\ServiceControl.ps1 Stop $RoleRoles.Replace('Role','').Split(',')
 " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceStopFailureException: 
 Service 'tmlisten' failed to stop due to error:'Cannot stop tmlisten service on computer 
---> System.InvalidOperationException:  Cannot stop tmlisten service on computer 
---> System.ComponentModel.Win32Exception: The requested control is not valid for this service

The tmlisten service is associated with the Trend Micro antivirus product and specifically the Trend Micro Listener service. This service requires a password to stop and can not be disabled via either the services snap-in or command line.

Tip: It’s best practice to temporarily shut down antivirus products during the Exchange install as they have been known to increase install times by several hours. Or, in this case, completely block updates.
[Read more…] about Error ‘Cannot stop tmlisten service’ when installing Exchange updates

No account settings were returned from the Autodiscover response

By 10 Comments

82 Shares
Share
Tweet
+1
Share
Reddit

While attempting to configure an Outlook client with an Exchange mailbox I ran into an issue where the account creation would not complete. Instead, Outlook would stop on “Search for server settings” and prompt me for a username and password. The credentials of my Exchange account did not work and kicked back the login prompt.

When I attempted to test Autodiscover using testconnectivity.microsoft.com I ran into an even stranger error. Autodiscover appeared to work. But I received the error “No account settings were returned from the Autodiscover response”.

No account settings were returned from the Autodiscover response

Examining the Autodiscover response I noticed that the test was successfully completing against the root of supertekboy.com. This was odd as supertekboy.com is redirected to the website www.supertekboy.com where no Autodiscover responses should be happening.

No account settings were returned from the Autodiscover response using root domain record

However, when attempting to plug the Autodiscover URL into a web browser I found that something was responding to Autodiscover requests. It was responding with an error of “Autodiscovery must be provided a valid email address”.

Autodiscovery must be provided a valid email address b

This isn’t an Exchange or Office 365 autodiscover response. Instead this was my web hosting provider responding to my Autodiscover request. Specifically, cPanel. cPanel has its own implementation of autodiscover, which allows Outlook and other email clients to automatically configure themselves for a cPanel mailbox. Unfortunately, this conflicts with autodiscover locating an Exchange or Office 365 mailbox. [Read more…] about No account settings were returned from the Autodiscover response

Exchange December 2017 Updates

By Leave a Comment

56 Shares
Share
Tweet
+1
Share
Reddit

Exchange 2016 Cumulative Update 8Last week was a big week for Exchange updates. Not only did we get Cumulative Update 8 for Exchange 2016, but we also got Cumulative Update 19 for Exchange 2013. Exchange 2010 also receives a critical security update in rollup 19.

As always, test these updates in a lab first! I recommend checking out this 7-part guide on configuring Exchange in your lab. It doesn’t take much to get one going.

The updates are as follows:

Exchange 2016 MiniExchange 2016 Cumulative Update 8 | KB4035145 | UM Language Pack

Exchange 2013 Cumulative Update 9Exchange 2013 Cumulative Update 19 | KB4037224 | UM Language Pack

Exchange 2010 MiniExchange 2010 SP3 Rollup 19 | KB4035162

Critical security update for Exchange 2010

Rollup 19 for Exchange 2010 fixes a massive security issue for EWS connections proxied from an Exchange 2016 server. To quote Microsoft Support.

In a Microsoft Exchange Server 2010 and Exchange Server 2016 coexistence environment, when EWS connections are proxied from Exchange Server 2016 to Exchange Server 2010, all mailboxes of Exchange Server 2010 can be accessed without any permission.Microsoft Support

That is a significant security hole. For those on Exchange 2010 I highly recommend testing and upgrading to this rollup as soon as possible.

[Read more…] about Exchange December 2017 Updates

Disabling TLS 1.0 may cause Outlook to crash

By 1 Comment

175 Shares
Share
Tweet
+1
Share
Reddit

Disabling TLS 1.0 may cause Outlook to crash for some of your clients.

I encountered this recently while upgrading a customer from Exchange 2010 to Exchange 2016. The customer had an existing Kemp Load Balancer they had been using for Exchange 2010. We upgraded the Kemp to the latest firmware and created a new Exchange 2016 VIP using the latest templates from Kemp. When we cut over our DNS to the new VIP some of our Outlook clients started to receive the errors below. Other Outlook clients continued to operate without incident.

For some Outlook clients we would receive errors when creating a brand new profile in Outlook. Errors such as,“Windows Shell Common DLL has stopped working”

Outlook 2016 - Windows Shell Common DLL has stopped working

Clicking “Close Program” would then be followed by an error reporting that “System resources are critically low”.

Outlook 2016 - System resources are critically low [Read more…] about Disabling TLS 1.0 may cause Outlook to crash

Error installing Exchange update – The certificate is expired

By 3 Comments

40 Shares
Share
Tweet
+1
Share
Reddit

While upgrading one my Exchange lab servers I was presented with the error, “The certificate is expired.”

Upgrading Exchange 2016 - The certificate is expired

This error occurred while setup was installing the transport service and it was blocking the install from completing. Further investigation of the event logs indicated that the transport certificate had expired (Event ID 12015). This made sense why the setup was failing during that step.

MSExchangeTransportDelivery 12015 TransportService An internal transport certificate expired

The challenge here was the Exchange Admin Center would no longer load. Luckily, the Exchange Management Shell was still operational. Following are the steps to renew a certificate using the Exchange Management Shell. I have included instructions for renewing both a self-signed and third-party certificate. Once renewed setup will complete. [Read more…] about Error installing Exchange update – The certificate is expired

15 Microsoft Ignite sessions every Exchange admin should see (2017)

By 1 Comment

383 Shares
Share
Tweet
+1
Share
Reddit

Microsoft hosted its annual Ignite conference in Orlando this September. Ignite was massive at 1695 sessions. Almost 300 sessions more than last year. That is a lot of sessions! Many are posted at the Ignite channel on YouTube or through the Microsoft Ignite On Demand portal. Here are the top 15 sessions I think every Exchange admin should watch.

Tip: I have included notes for each session and the time each topic starts. You can expand the session notes under each video by clicking “Show more session notes”
Thrive as an enterprise organization in Microsoft Exchange Online Ignite 2017 (watch video)

Thrive as an enterprise organization in Microsoft Exchange Online
If you could only watch one session then it should be this one. In this session Jeff Kizner reveals a slew of announcements for Exchange Online. Announcements include; highly requested coexistence features for Exchange hybrid and, new advances in tenant to tenant migrations. Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.

  • Mailbox Plans (4:06 mins)
    • Set-MailboxPlan can now assign a retention policy to a mailbox when the mailbox is provisioned.
    • Set-CASMailboxPlan (new cmdlet) can now configure whether ActiveSync, IMAP and POP are enabled on a mailbox when it is provisioned in Office 365.
  • Client Access Rules (6:52 mins)
    • Additional rule conditions for matching source IP, protocol, recipient filters, or, username
    • Great for only allowing certain protocols from certain locations (e.g. ActiveSync from satellite offices)
    • You can have up to 20 client access rules
    • Best practice to have an “Allow PowerShell” rule in priority 1 (don’t lock yourself out!)
  • Creating a custom app for message classification (16:00 mins)
    • Jeff demonstrates a custom app that uses the Outlook On Send feature to take action when a user click the send button in Outlook
    • On Send must be enabled in the OwaMailboxPolicy assigned to the user
    • Available since Exchange 2016 CU5
  • Hybrid delegation (26:40 mins)
    • Jeff discusses and demos advancements in hybrid delegation (full access, auto-map, send as, send on behalf)
  • On-premises policies will come over to Office 365 (46:06 mins)
    • Hybrid wizard will ask you which on-prem policies you want to copy into Office 365 (e.g. OWA, ActiveSync and Retention policies)
    • User’s mailbox when moved to Office 365 will retain their existing policy assignments
  • Hybrid publishing (50:52 mins)
  • Hybrid recipient management (54:16 mins)
    • Jeff’s team is working towards allowing admins to make changes to attributes in Office 365 and have those attributes sync back to on-prem. This will remove the need to keep Exchange on-prem for recipient management.
    • Jeff’s team is also looking at changing the source of authority on synchronized objects to Azure Active Directory.
  • Migrating data between tenants – mergers and acquisitions (59:33 mins)
    • Jeff demonstrates a mailbox move between two Office 365 tenants using MRS and PowerShell.
Show more session notes
Show less session notes
Scott Schnoll’s Exchange tips and tricks Ignite 2017 (watch video)

Scott Schnoll’s Exchange tips and tricks
Scott provides us with his top tips for Exchange. Topics include:

  • Server roles in Exchange 2016 (1:41 mins)
  • How Exchange is developed (2:41 mins)
  • Exchange 2016 Lifecycle (3:56 mins)
  • Changes in Exchange 2016 CU7 (4:51 mins)
    • Forest functional level is now 2008 R2 or higher
  • Announcing Exchange 2019 (8:48 mins)
    • Preview shipping mid 2018
    • General release second half of 2018
  • Bug in Windows Server 2016 that caused IIS to crash – KB3206632 (10:20 mins)
  • iOS11 issue with HTTP/2 (11:22 mins)
    • Microsoft turned off HTTP/2 across all Exchange Online servers
    • Microsoft recommends administrators disable HTTP/2 across all on-premises Exchange servers until Apple resolves this issue
    • Microsoft is working with Apple to help them resolve the issue
  • New calendar improvements across all Outlook clients (15:16 mins)
  • Administrator configured out of office replies (18:00 mins)
  • Message Latency in logs (19:47 mins)
  • Running antivirus on the operating system (21:00 mins)
  • Health mailboxes (23:22 mins)
    • Do not alter their AD account in any way
    • Do not alter their password or account lockout settings
    • Do not move or alter their mailboxes in any way
  • Stalled mailbox migrations to Office 365 (26:40 mins)
  • Protocol Agnostic Workflow (PAW) (30:24 mins)
    • New mailbox migration code in Office 365 that improves stability and throughput
    • Individual users can be removed from a batch
    • Batch completions can be scheduled
    • Better reporting
    • Microsoft will automatically enable this for your tenant but only if your tenant has no active or completed batches
  • OAuth (35:26 mins)
  • Hybrid license key and hybrid diagnostics wizard (39:20 mins)
  • When to decommission Exchange on-premises (42:00 mins)
  • PST elimination tools (44:27 mins)
  • Deprecation of RPC over HTTPS – Outlook Anywhere (46:32 mins)
  • Mailbox encryption coming soon to Office 365. You can encrypt with either:  (53:00 mins)
  • Using Azure VM for DAG witness (55:04 mins)
  • Changes to lagged copy behavior (56:15 mins)
  • Recovering an Exchange Server with newer CU (59:58 mins)
    • This is possible and supported
    • Admin version will still show old CU build until you go to a newer CU later on
  • New anti-phishing behavior in Office 365 (1:01:09 mins)
  • Connecting to Security & Compliance Center via PowerShell (1:07:29 mins)
  • Azure Information Protection – AIP (1:08:17 mins)
  • Advanced Find in Outlook deprecation and reinstatement (1:12:38 mins)
  • New TAP program for migrating public folders to Office 365 Groups (1:13:14 mins)
Show more session notes
Show less session notes
Modern authentication for Exchange Server on-premises (watch video)

Modern authentication for Exchange Server on-premises
Greg Taylor discusses two new modern authentication scenarios coming to Exchange on-premises. One scenario which will be available to Exchange 2013 and 2016. And a future scenario that will be available in Exchange 2019. No bunnies were harmed in the delivery of this session.

  • Importance of Modern Authentication (2:39 mins)
    • Allows Outlook to authenticate with a token
    • Easier route to enable Outlook for Multi-Factor Authentication (MFA)
    • Relies on strong network connectivity
  • Two implementations of modern authentication will ship (7:10 mins)
    • Exchange 2013 / 2016 implementation expected by December 2017
    • Exchange 2019 implementation will ship when new release ships second half 2018
  • Overview of how modern authentication works (10:00 mins)
    • Modern auth will only work with MAPI over HTTP.
    • No RPC over HTTP support.
    • Exchange will use modern auth for all client connections, regardless of whether they originate from inside or outside the network.
  • Example of modern auth during autodiscover (15:35 mins)
    • Authorization type of “Bearer” is Outlook instructing Exchange that it can do modern authentication
    • Exchange responds to client with STS authorization URL (for example AD FS)
  • Explanation of token exchange (17:46 mins)
    • Access token has a lifetime of 1 hour (default TTL)
    • When the Access token expires the client uses their Refresh token to request a new Access Token (re-authenticate)
    • Refresh token is valid for 14 days (default TTL)
    • Password change:
      • Immediately invalidates the Refresh token.
      • Access token remains valid for the remainder of its duration (up to 1 hour)
  • Deep dive into two versions of on-prem modern auth (23:30 mins)
    • Exchange 2019 will ship with an on-prem implementation of Modern Auth
      • AD FS 2016 required
      • Outlook 2016 / 2019 required
        • Outlook 2013 and older will not work
      • Exchange 2013 / 2016 can be in the organization (no Exchange 2010)
      • Device registration is required
    • Exchange 2013/2016 will ship with a hybrid implementation of Modern Auth
      • Will require hybrid connectivity with Office 365
      • AD FS not required (can just use Password Sync with Azure AD Connect)
      • Exchange HCW must be run to enable OAuth
      • On-prem SPNs registered with Azure AD (configuring this is shown at 39:05 mins)
      • Exchange 2010 is completely unsupported and must be removed from the environment – no coexistence
  • OAuth tokens rely on TLS for encryption (32:13 mins)
Show more session notes
Show less session notes

[Read more…] about 15 Microsoft Ignite sessions every Exchange admin should see (2017)