Script to run and collect all Exchange performance counters from your environment on the server running the tool

The script opens a remote PowerShell session against every Exchange server, copies the ExPerfWiz utility to each one, runs the performance counters for the time defined by the administrator and exports the results to the folder from which it was run.

1. Copy ExPerfWiz.ps1 from https://experfwiz.codeplex.com/ to a server running the Exchange Management Shell, into c:\ExchangeHealthCheck
2. Run the script
3. Enter Organization Admin credentials
4. You will be asked to confirm running perfmon on each server


#Author: Zbynek Salon
#Description: This is a small script to collect performance counters from all servers in your environment into a single folder on the server running ExPerfWiz.

#Variables experfwiz
$date = Get-Date
$UserCredential = Get-Credential
$experfwizstart = $date.AddHours(1)        # passed to the remote block but not used by the ExPerfWiz calls below
$experfwizduration = "04:00:00"
$experfwizinterval = 5
$experfwizserver = hostname
$experfwizfilepath = "\\$($experfwizserver)\c$\ExchangeHealthCheck" # changed from c:\... so that every remote server writes to the same share
$experfwizmaxsize = 512
# Exchange install root of the local server; only used as a fallback if the remote server does not expose ExchangeInstallPath
$exinstall = $env:ExchangeInstallPath

############################################################
#Performance counters
$localhost = hostname
$script = Get-Content "\\$($localhost)\c$\ExchangeHealthCheck\experfwiz.ps1"
$exservers = Get-ExchangeServer

foreach ($exsvr in $exservers) {
    Write-Host "Processing Exchange server $($exsvr.fqdn) ...."
    Invoke-Command -ComputerName $exsvr.fqdn -ScriptBlock {
        # Exchange install root on the remote server (ends with a backslash); fall back to the value passed from the caller
        $exinstall = $env:ExchangeInstallPath
        if (-not $exinstall) { $exinstall = $args[1] }
        if (-not (Test-Path $exinstall)) { throw "Exchange install path '$exinstall' not found on $env:COMPUTERNAME" }

        #copying script to EXBIN\Scripts
        Write-Host "Copying PerfWiz to $($exinstall)Scripts."
        $x = $args[0]
        $x | Out-File "$($exinstall)Scripts\experfwiz.ps1"
        Start-Sleep 1

        Write-Host "Importing Exchange PS Session."
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "http://$($args[8])/PowerShell/" -Authentication Kerberos -Credential $args[9] -AllowRedirection
        Import-PSSession $Session

        cd "$($exinstall)Scripts"
        # allow the copied (unsigned) script to run in this session only, instead of changing the machine-wide policy
        Set-ExecutionPolicy Bypass -Scope Process -Force

        #running perfmon: remove any existing ExPerfWiz data collector, then create and start a new one
        .\experfwiz.ps1 -delete #-FilePath $args[5] -Server $args[6] -MaxSize $args[7]
        .\experfwiz.ps1 -Duration "$($args[3])" -interval "$($args[4])" -FilePath "$($args[5])" #-Server "$($args[6])" #-MaxSize $args[7]

        Remove-PSSession $Session
    } -ArgumentList $script, $exinstall, $experfwizstart, $experfwizduration, $experfwizinterval, $experfwizfilepath, $experfwizserver, $experfwizmaxsize, $exsvr.fqdn, $UserCredential
}
############################################################

The script can be downloaded from my OneDrive.

Outlook 2013 shows only Online Archive while connected to Office 365

This is just a quick heads up. It started to happen in some environments after the Office 2013 patch from mid January 2015. When Outlook 2013 is restarted after patching, it shows only the Online Archive, no primary mailbox, and the user is unable to send e-mails.

Root cause:

It has not been identified yet; however, the fix is to disable MAPI over HTTP on the affected client, so I suppose it is a network device which does not understand the MAPI over HTTP protocol.

Temporary fix:

When changing the below registry key (disable MAPI/HTTP and re-enable RPC/HTTP), the problem disappears:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\MapiHttpDisabled = 1 DWORD

Permanent fix:

Install Exchange 2013 CU7.

Office 365 – Multi Factor Authentication support part 2. – Enable MFA from user point of view

In the previous article I enabled MFA for the user alsajid@salonovi.cz; now I will test its behavior while MFA is Enabled and Enforced.

User setup

When I log on for the first time with a new user, or try to access https://portal.onmicrosoft.com with a user for whom MFA has just been enabled, the login window looks different and after typing my password it requires me to set up MFA.

Office 365 talks to you in your preferred language; you can choose a mobile application, a mobile phone or a regular phone as the contact, and pick whether to be contacted by SMS or by phone call.

I chose Mobile phone and SMS, clicked Next and was required to verify my device.

I received the SMS code.

Verification went OK and in the next step I am warned that my password will work only in the browser (1); for the other applications named in (2) I need to generate App Passwords (3) or agree that these applications will not be used for my account (4).

App Passwords (support for thick clients)

To generate App Passwords I was redirected to the Windows Azure Active Directory logon screen, where I was MFA-authenticated via SMS.

Now I can create App Passwords.

Next comes the name of the application, and then the password is generated and displayed once. You must copy it to the clipboard.

Now use this password wherever you previously used your Office 365 password. So basically you use your App Password instead of your Office 365 password.

Described here. This is the most important link for support staff on an MFA-enabled customer's helpdesk:

http://technet.microsoft.com/library/en-us/dn270518.aspx#apppasswordchange

User's output with MFA defined and the registration process completed in Azure Active Directory (in my case the default one-way SMS):

PS C:\Windows\system32> get-msoluser -UserPrincipalName testuser@zbycha.onmicrosoft.com | select *au* | select strongauthenticationmethods -expandproperty strongauthenticationmethods

StrongAuthenticationMethods   ExtensionData                                     IsDefault MethodType
---------------------------   -------------                                     --------- ----------
{Microsoft.Online.Administ... System.Runtime.Serializati...                          True OneWaySMS
{Microsoft.Online.Administ... System.Runtime.Serializati...                         False TwoWayVoiceMobile

PS C:\Windows\system32> get-msoluser -UserPrincipalName testuser@zbycha.onmicrosoft.com | select *au* | select strongauthenticationrequirements -expandproperty strongauthenticationrequirements |fl
StrongAuthenticationRequirements : {Microsoft.Online.Administration.StrongAuthenticationRequirement}
ExtensionData                    : System.Runtime.Serialization.ExtensionDataObject
RelyingParty                     : *
State                            : Enforced

Well, so far so good, but now what I finally don't like. Let's say that App Passwords are needed for apps that are not MFA-ready. OK, you can define as many App Passwords as you want and you can name them, but you can use all of them for all applications. That is a bit strange. I generated two App Passwords and was able to use both for the Lync client.

Office 365 – Multi Factor Authentication support part 1. – Enable MFA in tenant from admin point of view

As you probably know, Microsoft recently updated their information about MFA in Office 365, so here is overview what it can, cannot do, its support and how to set it up.

Description

What you need to know is at http://technet.microsoft.com/en-us/library/dn383636.aspx, but I will place it here as well:

Multi-Factor Authentication for Office 365 is:

  • powered by Azure Multi-Factor Authentication
  • free for Microsoft Office 365 applications
  • works exclusively for Office 365 applications
  • managed from the Office 365 portal

Multi-Factor Authentication for Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities. Each will be described later on or in the next part:

  • Ability to enable and enforce multi-factor authentication for end users
  • Use of a mobile app (online and one-time password [OTP]) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of an SMS message as a second authentication factor
  • Application passwords for non-browser clients (for example, Microsoft Outlook messaging and collaboration client and Microsoft Lync communications software)
  • Default Microsoft greetings during authentication phone calls

Options for MFA

You can use 2 options.

  • The first is the full-featured Azure MFA, which is paid (I don't have an Azure subscription, nor do I want to pay for it, so I will use the second option).
  • The second option is to use it for free for Office 365 applications, which means enabling it in the Office 365 portal.

How to enable MFA in Office 365 (Admin point of view)

Prerequisites are obvious. You must have working tenant, licenses, test users and so on. After all prerequisites are fulfilled, use the following:

  • Log on to the tenant
  • In the Office 365 admin center page go to Users -> Active Users and click Set Up under Set Multi Factor Authentication requirements

  • The process consists of two steps. In the first step you enable MFA for the user. This allows the user to start the registration process, in which the user selects the methods of additional verification, on supported clients and browsers.

  • After MFA is enabled, provide the user with a link to manage their MFA options. The user can visit the link and manage their profile after a successful sign-in to Office 365.

  • The Enforce option is the second step; it forces the user to use MFA after successful registration. Creating App Passwords for unsupported clients such as Outlook, as a second authentication factor besides username and password, is described in part 2.

The Enforce option is not enabled for admins for security reasons, so do not use the Enforce option for admins, because it would force admins to use browsers only.

While MFA is enabled, you can force the user to re-create App Passwords by deleting the old ones, provide contact info again, and restore MFA for devices which were previously suspended from MFA because those devices were registered and the user chose to skip MFA on known devices.

Powershell management

To gather if MFA is enabled for user

Get-MSOLUser -UserPrincipalName <UPN> | select strong*

and the output (red: without MFA, green: with MFA enabled)

To enable MFA

Enable:

#Create the StrongAuthenticationRequirement object + required settings
$mfa= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$omfa = @($mfa)
#Enable MFA for a user
Set-MsolUser -UserPrincipalName alsajid@salonovi.cz -StrongAuthenticationRequirements $omfa

Thanks to: http://365lab.net/2014/02/15/office-365-enable-multi-factor-authentication-with-powershell/
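The following functions generalize the Enable snippet above and the Get-MsolUser queries from part 2 into a tenant-wide report and one cmdlet for Enabled/Enforced/Disabled. They are an added example, not the post's or Microsoft's code; they assume the MSOnline module is loaded and Connect-MsolService has already been run, and the function names are mine. Set-MfaState refuses to enforce MFA on Company Administrators, following the warning above.

```powershell
# Added example, not the post's or Microsoft's code. Assumes the MSOnline module
# is loaded and Connect-MsolService has already been run.

function Get-MfaState {
    # One row per user: Enabled / Enforced / Disabled and the default verification method.
    param([string]$UserPrincipalName)
    $users = if ($UserPrincipalName) { Get-MsolUser -UserPrincipalName $UserPrincipalName } else { Get-MsolUser -All }
    foreach ($u in $users) {
        $req = @($u.StrongAuthenticationRequirements) | Select-Object -First 1
        $def = @($u.StrongAuthenticationMethods) | Where-Object { $_.IsDefault }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            State             = if ($req) { $req.State } else { 'Disabled' }
            DefaultMethod     = if ($def) { $def.MethodType } else { 'NotRegistered' }
            MethodCount       = @($u.StrongAuthenticationMethods).Count
        }
    }
}

function Set-MfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Enforced') {
        # The post warns that enforcing admins leaves them browser-only, so refuse for Company Administrators
        $role   = Get-MsolRole -RoleName 'Company Administrator'
        $admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object { $_.EmailAddress }
        if ($admins -contains $UserPrincipalName) {
            throw "$UserPrincipalName is a Company Administrator; not enforcing MFA."
        }
    }
    if ($State -eq 'Disabled') {
        $requirements = @()                 # an empty collection removes the requirement
    } else {
        $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $mfa.RelyingParty = '*'
        $mfa.State = $State                 # 'Enabled' lets the user register; 'Enforced' requires MFA at sign-in
        $requirements = @($mfa)
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
    Get-MfaState -UserPrincipalName $UserPrincipalName   # show the resulting state
}

# Examples:
# Get-MfaState | Where-Object State -ne 'Enforced' | Format-Table -AutoSize
# Set-MfaState -UserPrincipalName testuser@zbycha.onmicrosoft.com -State Enforced
```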

The next part describes MFA from the user's point of view.


ADFS migration – part 1. – intro

It is the Cloud age, and as a Microsoft fan I use and work with Office 365 and Azure (slightly), so I wanted to post a guide about the keystone of cloud and on-premise authentication: ADFS. As you probably know, Microsoft has so far released several versions of ADFS, and upgrading is not so easy, especially if Office 365 is involved.

Versions released:

  • ADFS 1.0 (Windows Server 2003)
  • ADFS 1.1 (Windows Server 2008)
  • ADFS 2.0 (Windows Server 2008 R2)
  • ADFS 2.1 (Windows Server 2012)
  • ADFS 3.0 (Windows Server 2012 R2)

I will write articles about upgrade from ADFS 2.0 -> 2.1 -> 3.0

Prerequisites:

  • 3rd party trusted certificate with host name of ADFS service published in external DNS (in my case *.salonovi.cz by Comodo)
  • Office 365 tenant with verified domains (I use tenant zbycha.onmicrosoft.com with verified domain salonovi.cz)
  • ADFS servers and AADSync to synchronize identities from on-premise to cloud.

As this is the intro part of the series, let me use it to show how to connect to multiple Office 365 customers. It is easy, and if you need more security, do not fill in passwords but use Get-Credential instead.

function Open-Office365Session () {
    # One row per customer: index, name, admin UPN, password.
    # Leave the password empty ("") to be prompted with Get-Credential instead of storing it in the profile.
    $customers = @()
    $customers += ,("0","Cust1","admin@cust1.onmicrosoft.com","Passwordstring")
    $customers += ,("1","Cust2","admin@cust2.onmicrosoft.com","Passwordstring")
    $customers += ,("2","Cust3","admin@cust3.onmicrosoft.com","")
    Write-Host "Configured customers:" -ForegroundColor DarkYellow
    foreach ($cust in $customers) { Write-Host "$($cust[0]) - $($cust[1])" }
    Write-Host "Select customer to connect:" -ForegroundColor Green
    $selection = Read-Host
    if ($selection -notmatch '^\d+$' -or [int]$selection -ge $customers.Count) { throw "Invalid selection: $selection" }
    $usr  = "$($customers[[int]$selection][2])"
    $pass = "$($customers[[int]$selection][3])"

    if ($pass) {
        $psw  = ConvertTo-SecureString -Force -AsPlainText -String "$($pass)"
        $cred = New-Object System.Management.Automation.PSCredential ($usr, $psw)
    } else {
        $cred = Get-Credential -UserName $usr -Message "Password for $usr"
    }
    # Exchange Online remote PowerShell
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $cred -Authentication Basic -AllowRedirection
    Import-PSSession $s
    # Azure AD (MSOnline) with the same credential
    Import-Module MSOnline
    Connect-MsolService -Credential $cred
}

Save it to your profile PS1 file: C:\Users\<username>\Documents\WindowsPowershell\Microsoft.PowerShell_profile.ps1

To run the function, open a new PowerShell session every time you want to connect to Office 365, type Open-Office365Session and pick the number from the menu.


That's it. I have prepared an Office 365 tenant, I have ADFS servers and a 3rd party trusted certificate, and I can start working on identity sync between on-premise and Office 365 using AADSync. The latest AAD Sync can be downloaded from the following link:

http://www.microsoft.com/en-us/download/details.aspx?id=44225


Exchange 2013 CU5 – Organization preparation failure – An Active Directory error 0x51 occurred when trying to check the suitability of server DC1.domainexample.com

When you run setup to upgrade Exchange Server 2013, it checks prerequisites, and one of its actions is to contact Active Directory to check the schema version for a possible need to update. In my case the problem was that error 0x51 occurred. I checked what was happening. The first thing was to run the netdom query fsmo command to find which FSMO roles were placed on the failing DC1. As it was during the schema version check, I was mostly interested in whether the Schema master role was present there.... and it was. Now I was wondering what the problem was. I went to OU=Domain Controllers in ADUC and checked the DCs. I realised that the Schema master role was running on a non-GC domain controller.

Solution: To run setup successfully, seize the Schema master FSMO role to a DC with GC in the same AD site as the Exchange server.
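A pre-check for the situation above, added here and not part of the original post: it reports which DC holds the Schema master, whether it is a Global Catalog and whether it is in this server's AD site, and lists the GCs of the local site. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the server where Exchange setup will run; the function name is mine.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

function Test-SchemaMasterForExchangeSetup {
    # Reports the facts the 0x51 troubleshooting above came down to: the Schema master holder,
    # whether it is a GC, and whether it sits in the same AD site as this server.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $dc = Get-ADDomainController -Identity $schemaMaster
    $localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # GCs in the local site: candidates to hold the role if it must be moved
    $localGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true -and Site -eq $localSite } |
        Select-Object -ExpandProperty HostName

    $result = [pscustomobject]@{
        SchemaMaster     = $dc.HostName
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        SchemaMasterSite = $dc.Site
        LocalSite        = $localSite
        SameSite         = ($dc.Site -eq $localSite)
        LocalSiteGCs     = @($localGCs) -join ', '
    }
    if (-not $result.IsGlobalCatalog) {
        Write-Warning "Schema master $($dc.HostName) is not a Global Catalog; Exchange setup's schema check can fail (error 0x51)."
    }
    if (-not $result.SameSite) {
        Write-Warning "Schema master is in site '$($dc.Site)' but this server is in '$localSite'."
    }
    $result
}

Test-SchemaMasterForExchangeSetup | Format-List
```

If the current holder is still online, Move-ADDirectoryServerOperationMasterRole with -OperationMasterRole SchemaMaster transfers the role cleanly; seizing (adding -Force) is for a holder that is no longer reachable.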

Windows Server 2012+ and net-framework-core package installation error (unable to locate source files)

I have faced a problem with the net-Framework-core package installation. As you probably know, this package is deprecated but still available when you specify the source. It can be installed with the command

Add-WindowsFeature net-Framework-core -Source <path to Windows Server 2012 installation media>\Sources\SxS

If that doesn't work, you should check several things:

  • Is the installation media from the same build as the current OS (it should be)
  • Is it not corrupted
  • Sometimes it is helpful to map the installation media on another server and use a UNC path instead of a local one
  • In my case the problem was in the Windows Server Update Services setting. The registry key stated that no automatic update is possible and that WSUS is used for updates.

Solution: Locate the registry key below, change the value to "0" and install the net Framework core feature. After it is done, change it back to "1". If it still fails, change the value to 0 and reboot the server prior to installing.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoUpdate"=dword:00000001
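The registry workaround above as a script, added here as an example rather than the post's own code: it records the current UseWUServer value, clears it only when it is set, installs the feature from the media path and restores the original value even if the installation fails. It assumes that restarting the Windows Update service is enough to apply the policy change (the post reboots instead); the function name is mine.

```powershell
# Added example, not from the original post.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Install-NetFxCoreFromMedia {
    # $SxsPath: the \Sources\SxS folder of the Windows Server 2012 installation media (local or UNC)
    param([Parameter(Mandatory)][string]$SxsPath)

    if (-not (Test-Path $SxsPath)) { throw "Source folder not found: $SxsPath" }

    # Remember the original policy so it can be put back in the finally block
    $original = (Get-ItemProperty -Path $AuKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $changed = $false
    try {
        if ($original -eq 1) {
            # Temporarily point the servicing stack away from WSUS (the post sets this to 0)
            Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 0 -Type DWord
            Restart-Service wuauserv    # assumption: a service restart is enough to apply the change
            $changed = $true
        }
        Add-WindowsFeature Net-Framework-Core -Source $SxsPath
    }
    finally {
        if ($changed) {
            # Restore the WSUS setting regardless of the installation result
            Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 1 -Type DWord
            Restart-Service wuauserv
        }
    }
}

# Example call (media mounted as D:, or a UNC path to a share as the post suggests):
# Install-NetFxCoreFromMedia -SxsPath 'D:\Sources\SxS' | Select-Object Success, RestartNeeded, FeatureResult
```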


The counter list and portability (read I/O operations)

An ExRAAP scan detected the issue "The read I/O operations latency is greater than expected for an Exchange database" together with advice, so I started to monitor the related performance counters according to the post Analysing Exchange Server 2010 Jetstress BLG Files By Hand, which also contains the following table:

From time to time I needed to check read I/O operations without a Data Collector Set, but I did not want the counter list/settings to depend on a particular server (i.e. the server below hosts mailbox database MDB01 or MDB05 but not MDB02, and I want to have counters for all of them; I do not mind that some counters will not work).

Well, I saved the settings from the server into an HTML file and modified its content for 18 databases:

  • Changing the value: <PARAM NAME="CounterCount" VALUE="18"/>
  • Adding parameters for the missing databases (be careful: you always have to use a unique PARAM NAME)

After that I could check the latency by pasting the same counter list on any server.


Exchange Cmdlet Statistics

You can use administrator audit logging in Microsoft Exchange Server to record actions taken by a user or administrator that make changes in your organization. By keeping a log of the changes, you can trace a change to the person who made it. You can also augment your change logs with detailed records of the change as it was implemented, use the records to comply with regulatory requirements and requests for discovery, and so on.... [source].

Yes, yes, auditing is very useful. But I wanted to show you how a cmdlet statistic for a month could look:

PS C:\> Search-AdminAuditLog -StartDate $(get-date).addMonths(-1) -ResultSize 100000 -IsSuccess $true|select CmdletName|group CmdletName|sort count -Descending|ft count,name -a

Count Name
----- ----
12318 Set-MailboxFolderPermission
12307 Set-CalendarProcessing
 8752 Set-MailboxAutoReplyConfiguration
 5860 Set-Mailbox
  678 Add-MailboxFolderPermission
  645 Set-User
  174 Add-DistributionGroupMember
  163 Add-MailboxPermission
  126 Remove-DistributionGroupMember
   98 Remove-MailboxFolderPermission
   89 Add-ADPermission
   84 Remove-MailboxPermission
   71 Enable-Mailbox
   26 Set-InboxRule
   24 Set-DistributionGroup
   18 Clean-MailboxDatabase
   16 Remove-ADPermission
   16 Remove-Mailbox
   16 Set-CASMailbox
    8 New-MailContact
    6 Remove-ActiveSyncDevice
    6 Disable-Mailbox
    5 Remove-MailContact
    4 New-DistributionGroup
    3 New-InboxRule
    2 Remove-AcceptedDomain
    2 Enable-DistributionGroup
    2 Set-SendConnector
    1 Update-Recipient
    1 New-MoveRequest
    1 Update-MovedMailbox
    1 Add-PublicFolderClientPermission
    1 New-SendConnector
    1 Remove-DistributionGroup
    1 New-MailboxSearch
    1 Disable-InboxRule
    1 Remove-InboxRule

Note: Cmdlets that begin with the verb Test, Get and Search aren’t logged by default.
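As an added example (not from the original post), the same audit log searched for a watch-list of change cmdlets rather than just counted, so that the callers, targets and parameters of permission and mail-flow changes are visible. The watch-list is my selection from the cmdlets in the statistic above and the function names are mine; it runs in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Runs in the Exchange Management Shell.
# Watch-list: an assumption, picked from the cmdlets that appear in the statistic above.
$SensitiveCmdlets = @(
    'Add-MailboxPermission', 'Add-ADPermission', 'Add-MailboxFolderPermission',
    'New-InboxRule', 'Set-InboxRule', 'New-SendConnector', 'Set-SendConnector',
    'Remove-AcceptedDomain', 'New-MailboxSearch', 'Add-PublicFolderClientPermission'
)

function Get-SensitiveAdminActions {
    # Who ran a watch-listed cmdlet, against what, with which parameters, in the last $Days days.
    # Failed attempts are included on purpose (no -IsSuccess filter): a denied change is worth seeing too.
    param([int]$Days = 30, [string[]]$Cmdlets = $SensitiveCmdlets)
    Search-AdminAuditLog -StartDate (Get-Date).AddDays(-$Days) -Cmdlets $Cmdlets -ResultSize 100000 |
        ForEach-Object {
            $params = ($_.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
            [pscustomobject]@{
                RunDate        = $_.RunDate
                Caller         = $_.Caller
                CmdletName     = $_.CmdletName
                ObjectModified = $_.ObjectModified
                Succeeded      = $_.Succeeded
                Parameters     = $params
            }
        } | Sort-Object RunDate -Descending
}

function Get-SensitiveActionSummary {
    # Count per caller and cmdlet; one account making many permission changes stands out here.
    param([int]$Days = 30)
    Get-SensitiveAdminActions -Days $Days |
        Group-Object Caller, CmdletName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Examples:
# Get-SensitiveAdminActions -Days 7 | Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize
# Get-SensitiveActionSummary -Days 30
```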

Connect-Mailbox and AllowLegacyDNMismatch

I solved a case where we wanted to connect an archive mailbox to a linked mailbox in Exchange 2013 (use the Connect-Mailbox cmdlet to connect a disconnected mailbox to an Active Directory user object).

Error from EMS:


[PS] C:\>Connect-Mailbox -Identity "Personal Archive - Jan Novak" -Archive -User JanNovak2 -Database "EXDAG1-DB03"
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance
 of an object.
Object reference not set to an instance of an object.
    + CategoryInfo          : NotSpecified: (:) [Connect-Mailbox], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.MapiTasks.ConnectMailbox
    + PSComputerName        : server1.contoso.com

Error from GUI:

The LegacyDN "/o=CONTOSO/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Jan Novak" of "cb67270a-ada2-472e-94cc-eb7140f3520f" is in use by the following user in Active Directory: "Pepa Novak (new)". The value for LegacyDN must be unique to each user.

Obviously, the LegacyDN attribute was not unique, and that prevented connecting the mailbox.

[PS] C:\> # disconnected archive
[PS] C:\>(Get-mailboxdatabase|Get-Mailboxstatistics|?{$_.DisconnectReason -ne $null -and $_.DisplayName -like "*Jan*"}).LegacyDN
/o=CONTOSO /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Jan Novak

[PS] C:\># linked mailbox
[PS] C:\>(Get-mailbox JanNovak2).LegacyDN
/o=contoso/ou=exchange administrative group (fydibohf23spdlt)/cn=recipients/cn=Jan Novak

How to connect the mailbox in this case? According to Technet and Connect-Mailbox (Exchange 2013) there is a switch available:

Well, we have the switch available for a similar scenario (i.e. AllowLegacyDNMismatch), but it is reserved only for MS use. I do not know why it is so (let me know if you have a clue), but it worked for me without problem:

[PS] C:\> Connect-Mailbox -Identity "Personal Archive - Jan Novak" -Archive -User JanNovak2 -Database "EXDAG1-DB03" -AllowLegacyDNMismatch

[PS] C:\> Test-ArchiveConnectivity jan.novak@contoso.com

RunspaceId               : 7df20326-4fc0-4ca3-877f-5273aea0d5b7
Identity                 : jan.novak@contoso.com
PrimaryMRMConfiguration  :
PrimaryLastProcessedTime :
ArchiveDomain            :
ArchiveDatabase          : EXDAG1-DB03
ArchiveMRMConfiguration  :
ArchiveLastProcessedTime :
ComplianceConfiguration  : ElcV2
ItemMRMProperties        :
Result                   : Successfully logged on to the users Archive mailbox.
Error                    :
IsValid                  : True
ObjectState              : New
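An added pre-check for the collision shown above, not part of the original post: it finds which AD recipients already hold a disconnected mailbox's LegacyDN, directly or as an X500 proxy address, before Connect-Mailbox is attempted. It runs in the Exchange Management Shell; the function name and its parameter are mine.

```powershell
# Added example, not from the original post. Runs in the Exchange Management Shell.
function Find-LegacyDNConflict {
    # Lists the recipients that already hold the LegacyDN of a disconnected mailbox,
    # so the "LegacyDN must be unique" failure is visible before Connect-Mailbox is run.
    param([Parameter(Mandatory)][string]$DisplayName)   # wildcards allowed, as in the post's query

    $disconnected = Get-MailboxDatabase | Get-MailboxStatistics |
        Where-Object { $_.DisconnectReason -ne $null -and $_.DisplayName -like $DisplayName }

    foreach ($mbx in $disconnected) {
        $dn = $mbx.LegacyDN
        # legacyExchangeDN is compared case-insensitively in AD, which is why the differently
        # cased values in the post still collide; X500 proxy addresses count as holders too
        $holders = Get-Recipient -ResultSize Unlimited -Filter "LegacyExchangeDN -eq '$dn' -or EmailAddresses -eq 'X500:$dn'"
        [pscustomobject]@{
            DisconnectedMailbox = $mbx.DisplayName
            Database            = $mbx.Database
            MailboxGuid         = $mbx.MailboxGuid
            LegacyDN            = $dn
            HeldBy              = @($holders | ForEach-Object { $_.Name }) -join '; '
            Conflict            = [bool]$holders
        }
    }
}

# Example: Find-LegacyDNConflict -DisplayName "Personal Archive - Jan Novak" | Format-List
```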