Exchange federation trust – part 2.

Finally here is the continuation of previous article about Exchange federation trust. So we have established the trust between Microsoft Federation Gateway and our organizations. Next step is to configure inter-organizational behavior. It is a mesh-like net, where 1:1 organization relationship is established.

Prerequisites

• Autodiscover service must be accessible to at least one CAS server from the internet
• EWS should be accessible to at least one server and External URL should match the name accessible from  internet and 3rd party certificate SN or SAN name

Organization Relationship

Once we have configured our organizations to trust MS Federation Gateway, we can use it to create organization relationship. We will use

command Get-FederationInformation about opposite organization and pipe it to create new organization relastionship. Access level on both side of relationship should be the same.

In our organization:

Get-FederationInformation -DomainName metrosys.cz | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true 
-FreeBusyAccessLevel -LimitedDetails

Or directly:

New-OrganizationRelationship -Name <foreignorganizationname>  -FreeBusyAccessEnabled $True -FreeBusyAccessLeve LimitedDetails -
Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://email.foreigndomain.cz/autodiscover/autodiscover.svc/wssecurity -
DomainNames .cz -TargetApplicationURI http://fydibohf25spdlt.foreigndomain.cz/ -TargetSharingEpr 
https://email.foreigndomain.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!
Result of creation test:

Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity primarysmtpaddress@salonovi.cz -Verbose

In foreign organization:

Get-FederationInformation -DomainName salonovi.cz | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -
FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name  -FreeBusyAccessEnabled $True -FreeBusyAccessLeve LimitedDetails -Enabled $true -PhotosEnabled 
$true -TargetAutodiscoverEpr https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames salonovi.cz -TargetApplicationURI 
http://fydibohf25spdlt.salonovi.cz/ -TargetSharingEpr https://mail.salonovi.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!

Finally result of proper configuration is, that you can see Free/Busy limited details of users in foreign organization

Errors you might face

Index error is cause by Case sensitive domain name inserted (in my case Metrosys.cz instead of metrosys.cz or wrong URLs for EWS or Autodiscover.

Errors from the following picture are caused by wrongly or misspelled URLs (Self explaining)

Usually autodiscover URL is created in format https://autodisvocer.domianname.cz/autodiscover/autodiscover.xml, however Federation trust use autodiscover service, which is created as URL: https://autodisvocer.domianname.cz/autodiscover/autodiscover.svc/WSSecurity where WSSecurity is authentication used by federeation trust:

Links:

• Configuring Federation Trust http://technet.microsoft.com/en-us/library/jj657462(v=exchg.150).aspx
• Configure OrganizationRelationship http://technet.microsoft.com/en-us/library/jj657451(v=exchg.150).aspx

ADFS / Office 365 / Exchange 2010 – How to force synchronization – Event ID:0, Event ID:1, Event ID:3, Event ID:4, Event ID:6126, Event ID:6127

I have created new admin account to manage Exchange 2010 SP3 / Office 365 hybrid deployment using ADFS (advanced SSO config). By default it takes up to 3 hours to sync newly created / added accounts to Office 365. To force synchronization perform:

1. Logon to DirSync server
2. Open Powershell module: Microsoft Online Services Module for Windows PowerShell
3. Or you can use remote powershell if WinRM has been konfigured by running:

   Invoke-Command -ScriptBlock {Add-PSSnapin Coexistence-Configuration;Start-onlinecoexistencesync} –ComputerName <DIRSYNC server name>

4. Run command for immediate AD synchronization:

   Start-OnlineCoexistenceSync

After running command you can check Event log if all is OK.

1. Open application Event log and check for the following events:
2. Event ID: 0 – Connecting to MS Online and starting Synchronization
3. Event ID: 6127 – The management agent “SourceAD” completed run profile “Delta Import Delta Sync” with a delta import or delta synchronization step type. The rules configuration has changed since the last full synchronization
4. Event OS: 6126 – The management agent “TargetWebService” completed run profile “Delta Confirming Import” with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.
5. Event ID: 1 – Import to Dirsync started
6. Event ID: 2 – Import to Dirsync completed
7. Event ID: 3 – Export to Office 365 started
8. Event ID: 4 – Export to Office 365 completed

Example:

Default Sync interval can be changed here:

C:\program files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config

To run online coexistence sync for new versions of DirSync run:

Powershell.exe
Import-Module DirSync
Start-OnlineCoexistenceSync

Default path: C:\Program Files\Windows Azure Active Directory Sync\dirsync

Exchange 2013 / 2010 / 2007 – How to configure OAB for offline Thumbnail photo

One of our customers wanted to have Thumbnail photo attribute configured for offline access.

Process:

• Enhance AD schema of AD attribute ThumbnailPhoto (Done by default for Exchange 2010 SP2+)
• Upload pictures via Powershell or Sharepoint
  Enable ThumbnailPhoto attribute in OAB (Done by default in Exchange 2010 SP2, but only indicator to fetch data from AD online)
• Configure ThumbnailPhoto to true Offline access (change attribute Thumbnailphoto,indicator to ThumbnailPhoto,value)

The rough process is simple, but in my case there was a problem, because customer has coexistence scenario Exchange 2007 / Exchange 2010 in single AD site. In this scenario OAB has been first created in Exchange 2003 -> Then Exchange 2003 has been replaced by Exchange 2007 and after that Exchange 2007 left for business purpose (several mailboxes ) and it was extended by Exchange 2010 (Currently SP3). In this scenario OAB is missing ConfiguredAttributes (It is empty) So the process is as follows:

1. Get info about OAB

Command lists OAB and its empty attribute.

Get-OfflineAddressBook "Default Offline Address List" | fl

2. Create new OAB to see configured attributes

To be sure users will not be disrupted by the change I have created new OAB on Exchange 2010.

New-OfflineAddressBook -Name 'Default Offline Address Book + offline photo' -Server 'PF1' -AddressLists '\Default Global Address List' -PublicFolderDistributionEnabled $false -VirtualDirectories 'CH1\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH2\OAB (Default Web Site)','CH1\OAB (Default Web Site)'

3. List configured attributes

To display all attributes configured we need to use the following cmdlets:

$FormatEnumerationLimit = -1
Get-OfflineAddressBook "Default Offline Address Book*" | select name, Configuredattributes | fl

4. Change attributes

To change attributes I first read attributes to variable and adjusted ThumbnailPhoto,Indicator to ThumbnailPhoto,Value. It will phycically store ThumbnailPhoto data to OAB. Caution. This might increase network load, since OAB will increase its size based on user counts.

$attr = (Get-OfflineAddressBook "Default Offline Address Book*").configuredattributes
$attr.remove("ThumbnailPhoto,Indicator")
$attr.Add("ThumbnailPhoto,Value")

Result:

$attr

5. Import to OAB

To import modified set of attributes to OAB use:

Set-OfflineAddressBook "Default Offline Address Book*" -ConfiguredAttributes $attr

6. Update OAB and Check OAB

To generate new OAB and distribute it accross WEB distribution points use:

Get-OfflineAddressBook "Default Offline Address Book*" | Update-OfflineAddressBook

Restart Microsoft Exchange File Distribution service on each previously configured distribution points

7. Set generation time

Set-OfflineAddressBook -Schedule 'Sun.5:00 AM-Sun.6:00 AM, Mon.5:00 AM-Mon.6:00 AM,Tue.5:00 AM-Tue.6:00 AM, Wed.5:00 AM-Wed.6:00 AM, Thu.5:00 AM-Thu.6:00 AM, Fri.5:00 AM-Fri.6:00 AM, Sat.5:00 AM-Sat.6:00 AM' -Identity '\Default Offline Address Book + offline photo'

8. Assign OAB to mailboxes

Before:

I selected a method to assign OAB for each mailbox database. Each mailbox inside database, which doesnt have explicitly defined OfflineAddressBook parameter will get the one from database. Exchange Information Store is using cache so changes will be visible after up to 2 hours of actual setting of database. To perform changes immediately you shoud dismount / mount database, where change must be visible immediately. Command:

Get-DailboxDatabase MDB* | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book + offline photo"

9. Download new OAB to mailbox via Outlook

You should check autodiscover record if OAB URL changed from old one to new one.

10. Test offline access

After OAB is successfuly downloaded turn on Offline access and test if OAB can be opened and if Thumbnail photo is visible.

Before change:

After change:

Notes

Exchange blog article

http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx

Works for Exchange 2013 as well.

Exchange – IIS problems after upgrade (Event IDs: 10010, 3, 1016)

One of our customers has Exchange 2010 (currently SP3). When I was installing latest build (SP3 from SP4 RU 5v2), I experienced problems that server was unaccessible, Exchange web services were not able to serve clients, Powershell was not working and Forefront was crashing taking down MS Exchange Transport service. I spent several hours troubleshooting and here is the overview and solution.
Description:

Configuration:

Lets say that my server was in Windows NLB cluster having:

LB IP: 192.168.1.120 /24
 Production IP:192.168.1.100 /24
 Production IP2 192.168.1.99 /24

From the start server has been installed and configured with the following  IP´s:

LB IP: 192.168.1.120 /24
Production IP:192.168.1.100 /24

and second Production IP address has been added later as requirement for one business Exchange Web Services-related application.

From IIS point of view:

From the begining there was only one application pool with all virtual directories as shown in the following picture (NOTE binding settings).

Site bindings for Default application web site application pool:

After business application has been added new application pool has been added too(NOTE binding settings).

Site Bindings for business application Application pool

Process of upgrade:

The process of upgrade was normal and well known from MS Technet, however after reboot of server I lost connectivity to Powershell and to EWS on the server. Therefore I expected problems in IIS, but how to find it?

Errors in IIS:

Errors in Event log:

Solution:

I checked IIS:

• Application pools up and running
• IIS up and running
• Server giving error 404 page cannot be displayed if I tried https://localhost/OWA url
• I checked virtual directory paths and all needed files were in place
• I checked bindings and voila! Bidning of localhost has been moved from Default Web Site to Application Web Site

Binding on Bussiness application web site has now localhost:

Bindings on Default Web Site is missing localhost record:

Move Localhost binding to correct place and restart IIS!

Explanation:

There is a logic how IP addresses are set in IIS. One basic logic says, that WEB server can have as many IP addresses as needed, BUT the default one must be the one with lowest number. For example if I

have 3 IP addresses:

192.168.10.10
192.168.10.11
192.168.10.12

IP address with highest priority is 192.168.10.10 and in some circumstances localhost binding can be moved under application pool, which is listening under IP address with highest priority without notice. This is quite logical, that Powershell and OWA virtual directories stopped to work against localhost binding, because there was no virtual path inside newly created application pool for bussiness application.

Conclusion:

Plan the possibility to extend server with some more application pools and listeners already in design phase and reserve some IP addresses with higher numbers for future needs.

Exchange 2013 – Set Page file size via PS

The page file size minimum and maximum must be set to physical RAM plus 10 MB regarding Exchange 2013.

The recommended page file size also accounts for the memory that’s needed to collect information if the operating system stops unexpectedly. On 64-bit operating systems, memory can be written as a dump file to the paging file. This file must reside on the boot volume of the server (source: Exchange 2013 System Requirements)

You can use the following cmdlets to ensure required size:

$PageFileSize = [math]::truncate(((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory+10MB)/1MB)

Set-CimInstance -Query "Select * from win32_computersystem" -Property @{automaticmanagedpagefile="False"}

Set-CimInstance -Query "Select * from win32_PageFileSetting" -Property @{InitialSize=$PageFileSize;MaximumSize=$PageFileSize}

Exchange 2013 – Server Roles Calculator released!

Microsoft has released Exchange Server 2013 Server Roles Requirements calculator! Enjoy!

Blog link:

http://blogs.technet.com/b/exchange/archive/2013/05/14/released-exchange-2013-server-role-requirements-calculator.aspx

Download link:

http://gallery.technet.microsoft.com/Exchange-2013-Server-Role-f8a61780

 

Comodo Antispam Gateway

I was looking for free Antispam GW for my lab and I came accross Comodo Antispam Gateway. It is free for 1 domain and 10 users.

• Licensing page

Sign up for free license is here:

• Free license signup

Why to use this GW?

• Easy configuration
• Access via Admin interface
• Quarantine, blocklist, whitelist  – all accessible with free license
• AD synchronization newly created also for free license!

Few screen shots:

Admin interface:

Quarantine settings: 

Incoming spam detection settings: 

 

Exchange 2013 – New features and coexistence (CZ)

I made 2 short  Powerpoint presentations about the new or enhanced features in Exchange 2013 for training purposes. You can download it in Czech. I used some test an some pictures from the following link:

http://www.zive.cz/clanky/exchange-server-2013-architektura-1-dil/sc-3-a-167070/default.aspx

Are you aware of the best Czech MVP in Exchange area? Please see http://www.kpcs.cz

Thank you! Martin Pavlis!

News in Exchange 2013:

• Architecture description
• Description of enhanced features

Coexistence:

• Just 2 slides about coexistence and implementation

Theory:

• Detailed description what to say for particular page of presentation

Files:

Exchange 2013 – teorie k prezentaci_CZ (docx)

Exchange 2013 – teorie_CZ (pptx)

Exchange 2013-coexistence2007_2010_EN (pptx)

Exchange 2013-koexistence2007_2010_CZ (pptx)

Exchange – Autodiscover service overview (EN,CZ)

I made short Powerpoint presentation about Autodiscover service for training purposes. It is just overview with basic description of how Autodiscover service serves client requests. You can download it in English and Czech language.

• —What is Autodiscover
• —How it works
• —How it works for client in domain
• —How it works for client outside domain and client using DNS
• —Autodiscover sequence

Exchange 2013-Autodiscover-overview_EN (pptx)

Exchange 2013-Autodiscover-prehled_CZ (pptx)

Event ID: 10033 – A folder is being scoped by a search which no longer exists

Hi everyone!

Thanks to Filip’s & Zbynek’s invitation I also have the privilege to be part of this excellent FICILITY.net blog. So here we go. This is my first post 🙂

If you happen to have an Application log on your Mailbox server full of eventIDs 10033, Source: “MSExchangeIS Mailbox Store” with the following information:

A folder is being scoped by a search which no longer exists. This may result in failures or errors when attempting to update the folder contents. If this message continues to persist for this mailbox, moving the mailbox to a different database may resolve the issue.

As instructed this issue can probably be resolved by moving the affected mailbox to a different mailbox database but I’ve found out that you can fix this issue by using cmdlet “New-MailboxRepairRequest” on affected mailbox.

New-MailboxRepairRequest -Mailbox [mailbox name] -CorruptionType SearchFolder,AggregateCounts,ProvisionedFolder,FolderView

After that you’ll see that mailbox-repair request was created. Also check Application log on mailbox server where mailbox is homed for event with ID 10047:

Mailbox level online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de started:Database=OPEXDAG1-MB1

Mailbox=DF49FD31-D429-423A-BECB-3594C19255FE

Flags=Detect, Fix

Tasks=SearchFolder, View, AggregateCount, ProvisionedFid

After a while you should see EventID 10062 that corruptions were detected & fixed:

Corruptions detected during online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de

Mailbox:DF49FD31-D429-423A-BECB-3594C19255FE (MAILBOX NAME)

Database:OPEXDAG1-MB1

Corruption        Is Fixed        FID        Property        Resolution

“Folder Backlinks”, Yes, “1-38645 (Synkronointiongelmia1)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-38649 (Ristiriidat)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-3864D (Paikallisia virheitä)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-38651 (Palvelinvirheitä)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

“Folder Backlinks”, Yes, “1-12829678 (Digium)”, 0x67870102, “Remove unfound folder(s) from the backlink list”

….

 And when Repair-request is completed you will find EventID 10048:

 Online integrity check for request 7cef315f-60d7-4b8d-995f-32c22c68f4de completed successfully.

 After that original EventID 10033 disappeared