Showing posts with the label O365

Update Source Anchor to ms-DS-ConsistencyGUID

A key part of most Office 365 deployments is directory synchronization with on-premises Active Directory (AD). To maintain a link between individual objects in AD and Office 365, one attribute in AD is defined as the source anchor. The source anchor acts as a unique identifier for each object so that you can change properties like UPN and have them replicate to the proper matching object in Office 365. Older versions of Azure AD Connect used the objectGUID attribute as the source anchor. In many cases, this is a good choice because it is an attribute that doesn't change. However, in complex configurations with multiple AD forests, this can cause an issue during migrations. When a user account is moved from one AD forest to another, it gets a new objectGUID in the new forest. Due to the new objectGUID, Azure AD Connect treats the user as a new user instead of an existing user. To avoid this issue, we need to use an attribute for source anchor that can be moved between forests. Micro...

Remove Proxy Address from Office 365 User

I ran into an issue today where I needed to remove a proxy address from a cloud-based administrative user in Office 365 that was unlicensed. This user had a proxy address that was conflicting with a proxy address that was being synced with Azure AD Connect for another user account. The cloud user was originally created as byron@OnPremDomain.com and renamed to be byron@CloudDom.onmicrosoft.com. When this was done, the original address (byron@OnPremDomain.com) was kept as a proxy address. You could view both addresses when using Get-MsolUser. This address caused a synchronization error for an on-premises user named byron@OnPremDomain.com. To resolve this error, I need to remove byron@OnPremDomain.com from the list of proxy addresses. However, you can't do this with Set-MsolUser. The mechanism for managing proxy addresses in Office 365 is Set-Mailbox. But, without a license, there is no mailbox for the user account. The solution is to add a license temporarily: Add a license for byron...

Updating SIP Addresses in Skype for Business

When you migrate to Office 365, the preferred configuration is to have user email addresses and UPNs the same. Having a single identity makes it easier for users to understand. If you are implementing Skype for Business in Office 365, it will take the UPN of the user as the Skype address. Again, keeping a single identity is good. However, if you have an on-premises implementation of Skype for Business, then the Skype identity is configured in the attribute msRTCSIP-PrimaryUserAddress. This attribute contains a SIP (session initiation protocol) address that looks like an email address but with “sip:” at the start. For example: “sip:user@contoso.com”. The SIP addresses defined in your on-premises Skype for Business may or may not match the email addresses of the users. You need to verify whether the addresses match. If the SIP address does not match the email address, it is easy to change. On the Skype Server run the following PowerShell command: Set-CsUser -Identity userUPN -Si...

SourceMailboxAlreadyBeingMovedTransientException

Today while moving a mailbox from on-premises to Office 365 in a hybrid environment, I got the following error: Transient error SourceMailboxAlreadyBeingMovedTransientException has occurred. The system will retry (5/620). This error occurs when a previous move attempt did not get cleaned up properly. From a bit of reading, this should time out and fix itself after about 2 hours. However, since I didn't want to wait that long, I did the following that got it going again: (1) IISReset.exe to restart the web services; (2) restart the Microsoft Exchange Mailbox Replication service. It is possible that only one of those two items was required, but I was more concerned about getting the move going than recording exact details.

Firefox Error Accessing Office 365

Microsoft is having a certificate trust issue today for Firefox when accessing Office 365 services. I haven't bothered digging into the details, but it's something to do with trust checking by using OCSP (Online Certificate Status Protocol). The error you see is "SEC_ERROR_OCSP_INVALID_SIGNING_CERT" and looks like this: Other browsers are not affected. So, you can work around this by using Chrome, IE, or Edge. If you prefer to continue using Firefox, you can modify the setting for certificate verification with the following steps: In the address bar, type about:config and press Enter. Click the I accept the risk button. Scroll down to security.ssl.enable_ocsp_stapling and double-click it to set the value to false. Given that other browsers don't use this type of security, it's fairly safe to disable.

Everyone Dynamic Group with Office 365 Hybrid

Many organizations have configured a dynamic distribution group that includes all users with mailboxes. This Everyone group is used for sending out company notifications and the like. Because this group is dynamic, it's automatically updated as new mailboxes are added and removed. When you implement hybrid mode with Office 365, the dynamic group will include on-premises mailboxes but not cloud mailboxes. This is because cloud mailboxes are a different recipient type that is not included. Cloud mailboxes are MailUser recipients (an AD user with an email address but no mailbox). One way to fix this is to modify the dynamic distribution group to include MailUser recipients. The screenshot below has enabled Users with external e-mail addresses. This will include users with cloud mailboxes. This is the recipient filter for the dynamic distribution group: ((((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUser'))) -and (-not(Name -like 'SystemMailbox{*...

Removing a Cloud Mailbox from A Synced User

The title for this post is a bit incomplete because there wasn't enough space for a full explanation. Here is the scenario I had... Before setting up hybrid mode for an Exchange 2010 organization, a user account was created in Office 365 with the same UPN as a user account in on-premises. The on-premises domain had been added to Office 365, but directory synchronization was not yet in place. As part of testing, the user account had been given an Office 365 license, which then created an online Exchange mailbox. When directory synchronization was configured, the on-premises AD account was matched with the existing cloud user. However, the on-premises user has an on-premises mailbox and the cloud user has a cloud mailbox. When viewing the cloud user in Office 365, you could see the mailbox in the cloud. Because there was an existing cloud mailbox I couldn't move the on-premises mailbox up to Office 365. There was also no way to remove the cloud mailbox to allow the on-premises ma...

New Hybrid Free/Busy Fails Cloud to On-Prem

When you configure hybrid mode, calendar sharing is automatically configured between on-premises and cloud users. You don't need to configure anything. However, in some cases, you may need to perform an IISreset. On a recent project implementing hybrid mode for an Exchange 2010 organization, we enabled hybrid mode and tested connectivity. Everything looked good for mail flow and mailbox moves. However, free/busy lookups failed from the cloud users to on-premises. When we tried to view the on-premises users' calendars the status was "No Information". When you're not sure what's going on, it's always a good idea to use the Remote Connectivity Analyzer to test things out. There is an Office 365 tab which includes a Free/Busy test. When I ran this test, it was successful, as shown in the figure below. However, it still wasn't working. It's been a while since I've implemented Hybrid for Exchange 2010. With a quick search, I found this b...

Must Run O365 Hybrid Wizard with IE

Today I made the mistake of downloading and attempting to run the Office 365 Hybrid Deployment Wizard by using Firefox. When you do, the app starts to launch and then fails. When you click on the Details button to open the log file, you see this under the error summary: Deployment and application do not have matching security zones. Download the app from within IE and no problems. Link to download the wizard: https://aka.ms/HybridWizard UPDATE: Also worth noting that a similar error with the wizard not running occurs if the .application file extension is not associated with Internet Explorer. https://paulrobichaux.com/2017/06/30/office-365-hybrid-configuration-wizard-wont-launch/

Script to Synchronize Primary Email Address with UPN

When planning an Office 365 implementation, it is best practice to start by assuming that UPN for signing in to Office 365 should match the user email address. If you don't configure it this way, then users have two separate items (their UPN for signing in and their email address) that look very similar. In many cases users are confused by the similarity. If you are synchronizing your on-premises Active Directory with Office 365 (in most cases you do) then you need to set the UPN for the on-premises user accounts with the correct UPN. The UPN from on-premises user accounts is synchronized to Office 365 to create the ID for signing in. Most organizations are not using the UPN on user accounts for authentication on-premises. The option has been there since Windows 2000, but most organizations still use the domainname\username format for authentication. However, you need to verify if any user accounts are using the UPN for authentication before making this change. At minimum, you sho...

Script to Remove Old Domains from User Email Addresses

When managing email addresses and domains in Exchange Server, old email addresses are never removed automatically. This is good because it ensures that email addresses on a mailbox are never accidentally lost. However, you may want to clean up old domains or address formats that are no longer in use. Some common scenarios where you might want to remove an old domain: an SMB deployment of Exchange Server where a .local domain was added as the first domain for email addresses; old GroupWise addresses are left in place from an older migration; an obsolete domain left over from a company merger many years ago. I often find that obsolete domains are identified when I run IDFix as part of preparing to migrate to Office 365. To simplify the removal of obsolete domains, I have created the following script. A few things to note: You need to set $RemovePattern to identify the domain to be removed. Any email addresses matching this pattern will be removed from proxyAddresses attribute in Active Direc...

Making Sense of Office 365 Plans

If you're just starting to look at Office 365 as a solution for your organization, the various plans can be overwhelming and confusing. I'm going to try and boil down all of the Office 365 plan information to just the essentials that allow you to make an informed decision. This is all based on research done March 2017 and the prices I include are Canadian dollars. You should verify that these features and prices are still correct for your scenario before making any decisions. I've included some links at the bottom of this article to Microsoft documentation for you to verify. Microsoft should be keeping that content up to date. I'm going to focus on Office 365 plans for small business and enterprise. However, whether you are small business, non-profit, enterprise, or education, there are basically three generic Office 365 plans available: Office 365 desktop apps (Word, Excel, Outlook, etc); Cloud services (Exchange, Skype for Business, etc); Office 365 desktop apps and clo...

Site Mailboxes Deprecated in SharePoint Online

Just saw a notification in my Office 365 portal that site mailboxes are being removed from SharePoint online. Existing site mailboxes will continue to function for now, but after March 2017 you cannot create new site mailboxes. It is recommended that you use Office 365 groups for collaboration instead. An Office 365 group behaves like a combination of a distribution group and shared mailbox combined with storage in SharePoint. It's a more complete collaboration solution, but you can use just the features that you want. In September 2017, a process will begin to transition site mailboxes to Office 365 groups. Here is a link with more info about Office 365 groups: https://go.microsoft.com/fwlink/?linkid=831908

O365: Unable to Create Distribution Group

Microsoft is aggressively encouraging Office 365 customers to use Office 365 groups instead of traditional distribution groups. In the Exchange admin center, when you select to create a distribution group, you get a popup to create an Office 365 group instead, as shown below. There is one difference between this popup and if you actually selected an Office 365 group. This window has an option to create a distribution list. You can see it in the screenshot above by the red arrow. I'm pointing out that option because I didn't see it at first and was only made aware of it by Microsoft. I should also note that another workaround is to create a distribution list in the Office 365 admin center. That option is still available and is the same as creating a distribution group in Exchange admin center.

Office 365 Tech Support is Good!

As a technology professional, I dread calling tech support sometimes. Most of the time when you contact tech support (for any software), you get a front line person that is not terribly knowledgeable or useful. That first level person has access to a knowledgebase that is similar to what you could find by searching online. When that person can't help, they pass you up to a higher level of support that can likely fix your issue. The other problem with most tech support is timeliness. You are often kept on hold for an extended period of time or are forced to contact support via email or web form and hope that they get back to you within a few hours. It's almost never quick. My experience with Office 365 support today was amazing. I had a question on Sunday morning at about 11am and had an answer within 10 minutes. Here is what it looked like.... I'm working on some labs and find that in the Exchange admin center, when I attempt to create a distribution group it actually promp...

Office 365 vs. On-Premises Exchange Server

A large client is currently running Exchange 2010 and is evaluating moving to Office 365 vs upgrading to Exchange Server 2016. I talked with them about it and thought it would be useful to document it for future reference. If you are a very small organization, then Office 365 is a slam dunk. It's going to perform better and be more cost effective than you could ever implement on your own. This is even before we consider the cost of the consultants to get your on-premises Exchange up and running. For mid-sized and large businesses there are more things to think about....

Cost

Direct cost is the first thing everyone wants to evaluate when considering Office 365. Your exact costs are going to vary depending on how you want to implement Exchange and which Office 365 plans you think are appropriate. So, I'm going to let you figure out the exact costs, but here are the things you need to consider: On premises: Exchange Server licenses Exchange Server CALs (basic and enterprise i...