It has always been my goal to provide your company with sthe best IT solutions and I will continue to do so as effectively as I can.
I am aware that the recent spread of COVID-19 may have you concerned. At LDLNET LLC, I take the safety and well-being of my present and future customers seriously.
What I Am Doing
To further prevent the spread of COVID-19, I am committed to enacting best practices laid out by the Center for Disease Control (CDC). To ensure the health and safety of your offices, I clean, sanitize and disinfect my equipment with EPA approved sanitizer and disinfectant between appointments. I can also provide 100% remote work to you company provided that I have secure access.
How I Can Help
With precautions taken, I will continue to stay open for business. I will continue to provide the best IT Solutions for your business that I can. Please feel free to contact me to set up an appointment for your next IT project!
I sincerely hope that you and your family are in good health. As our community works towards a solution, please take your own precautionary measures to reduce your own risk of illness. The simple act of washing your hands can act as an effective barrier against germs and bacteria. I want everyone in our community to stay safe.
If you want to schedule a time to talk, give me a call today at (704) 222-2366 to schedule an appointment or visit the website http://store.ldlnet.net for information.
This was a great article released by the Exchange Team Blog today, and as I have been dealing with MANY customers still having Exchange 2010, I wanted to have this available for quick review! It has great links and steps to consider when finally getting off Exchange 2010.
As many of you know from the previous post regarding Exchange On-Premises Best Practices for Migrations from 2010 to 2016 the end of support for Exchange 2010 is quickly approaching. We’ve created this post to cover the best practices for decommissioning an Exchange 2010 environment after the migration has completed.
Uninstalling Exchange 2010 is as easy as running Setup and selecting to remove the server roles, but there are prerequisites to removing the roles and legacy items left over, which should be removed.
This post is intended to provide best practices to plan for and complete the Exchange 2010 decommission. Please note that since there are many different types of deployments and configurations it is difficult to cover all scenarios, but many of the common steps are included here. Please plan the decommission process carefully.
As a general statement, here are some things that we want to caution against:
Do not reuse Exchange 2010 server names (until they have been fully decommissioned).
Do not reuse Exchange 2010 server IP addresses (until they have been fully decommissioned).
This post assumes that your organization is maintaining some Exchange presence on-premises, whether Exchange 2013 or 2016 (we do not mention Exchange 2019 in this post because it cannot coexist with Exchange 2010). If your organization has moved all mailboxes to Office 365 and is in a Hybrid environment, we are assuming you will maintain an Exchange footprint per Scenario 2 in How and when to decommission your on-premises Exchange servers in a hybrid deployment.
Preparing for Soft Shut Down
Once you’ve completed the migration from Exchange 2010 to, let’s say, Exchange 2016, you should prepare the 2010 environment prior to decommissioning the servers. The following steps to consider are separated into server roles when preparing for a soft shut down and preparing for the removal of server roles.
Client Access (CAS) Role
Check Server FQDNs
Review all namespaces (e.g. DNS records and load balanced virtual IP addresses) used for client connectivity and ensure they are routing to the 2016 environment. These are all the names that are published for Outlook Anywhere, AutoDiscover, and all Exchange Virtual Directories.
Tip: Verify that all clients such as ActiveSync, Outlook, EWS, OWA, OAB, POP3/IMAP, and Autodiscover are no longer connecting to the legacy Exchange servers. Verification of this can be done by reviewing the servers’ IIS Logs with Log Parser Studio (LPS). LPS is a GUI for Log Parser 2.2 and it greatly reduces the complexity of parsing logs. LPS can parse large sets of logs concurrently (we have tested with total log sizes of >60GB). Please refer to the following blog post with tips and information on using LPS.
If present, ensure that if the AutoDiscoverServiceInternalURI routes to an Exchange 2016 endpoint. You can also remove this value by setting the AutoDiscoverServiceInternalURI to $Null.
Follow the items below to review all mail flow connectors. We will not be removing connectors themselves, simply auditing to ensure that the server is ready to be decommissioned.
Review the Send Connectors
Review the send connectors and ensure that the legacy servers have been removed and Exchange 2016 servers have been added. Most organizations only permit outbound network traffic on port 25 to a small number of IP addresses, so you may also need to review the outbound network configuration.
Review the receive connectors on legacy servers and ensure they are recreated on your Exchange 2016 servers (e.g. SMTP relay; anonymous relay; partner, etc.). Review all namespaces (e.g. DNS records and load balanced virtual IP addresses) used for inbound mail routing and ensure they are terminating against the Exchange 2016 environment. If your legacy Exchange servers have any custom, third-party, or foreign connectors installed (for example, with fax services), ensure that they can be reinstalled on 2016 Exchange servers.
1
Get-ReceiveConnector-Server<ServerToDecommission>
Tip: Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard coded names or IP addresses. To enable logging, review Configure Protocol Logging. Also, ensure we have “time coverage” for any apps relaying weekly/monthly emails that may not be caught in a small sample size of SMTP Protocol logs. There is a great script available here that can help find any applications that may be relaying off your legacy environment.
In general, the decommissioning process is a great time to audit your mail flow configuration to ensure that all the connectors are properly configured and secured. Maybe it’s time to get rid of any of those Anonymous Relay connectors that may be in use in your environment. Or, if Hybrid, possibly relay against Office 365.
Transport Rules
Exchange 2010 base transport rules are held in a different AD container than Exchange 2013 and newer rules. When installing Exchange 2016 in your environment it will import those Exchange 2010 based rules. However, any changes to Exchange 2010 rules after a later version of Exchange is installed must also be applied to your Exchange 2016 rules. This is further explained here under section Coexistence with Exchange 2010.
Run the following command to get all your Exchange Transport Rules. Must be run on Exchange 2016 to see all rules.
1
Get-TransportRule|Select Name,RuleVersion
Compare the rules with RuleVersion of 14.X.X.X to those with 15.1.X.X. If any Exchange 2010 rules don’t exist on Exchange 2016, they must be created. Also review all settings of each Exchange 2010 rule and replicate them to Exchange 2016.
Mailbox Role
Identity and move all Exchange 2010 mailboxes to Exchange 2016
Decommissioning Exchange 2010 cannot be initiated until all mailboxes have been moved to Exchange 2016. As an example, we cannot decommission Exchange 2010 Hub Transport servers completely until all of the mailboxes are moved off the legacy platform, this is due to how Delivery Groups are handled.
We encourage using the newest Exchange platform to process any move requests. If moving to Exchange 2016, move all mailboxes via Exchange 2016. Also, ensure that once all moves are completed, and that all associated Move Requests are removed as well. Any lingering move requests or mailboxes will prevent uninstallation of Exchange 2010.
To move all user mailboxes, run the following command to identify the mailboxes, and then plan to move them to the new platform.
Tip: Ensure that Archives are included with “Get-Mailbox -Archive” if you used Exchange Archives in 2010. Also, do not forget about your Discovery Search mailboxes – these can be found with: Get-Mailbox -Filter { RecipientTypeDetails -eq “DiscoveryMailbox”}. These will need to be moved (if they haven’t yet already), to Exchange 2016 as well.
Identify and Move Arbitration Mailboxes to Exchange 2016
It’s necessary to move the arbitration mailboxes from Exchange 2010 to 2016 for many Exchange Services to work properly, including the Exchange Admin Center (EAC). This is typically executed when Exchange 2016 is first installed, however, if that was missed, we will ensure that is handled now. The process to move is defined at: Move the Exchange 2010 system mailbox to Exchange 2013+. To verify which system mailboxes are located on 2010, use PowerShell on your Exchange 2010 server with the following example:
Note: If any mailboxes are present, move them to an Exchange 2016 database.
OAB Generation
Installing first Exchange Server 2013+ into Exchange 2010 organization creates a new OAB. It also marks the new OAB as default. The Exchange 2010 OAB is not used by Exchange 2013+ servers so moving the OAB is not necessary. Move the OAB to another Exchange 2010 server, if you are removing an Exchange 2010 server that’s currently hosting the OAB, and there are other Exchange 2010 servers in the org. If you are removing the last Exchange 2010 server in the org, remove the OAB.
Exchange Server 2010 public folders are migrated to Exchange Online
Exchange Server 2013/2016 was introduced on-premises
MEPF’s are still used on-premises to send emails to Exchange Online
In that case, you may need to run the SetMailPublicFolderExternalAddress.ps1 script to ensure Exchange 2013+ servers can continue sending emails to Exchange Online MEPFs.
Decommission the Database Availability Group (DAG)
Assuming best practices were followed for the Exchange 2010 environment, we will have a DAG for HA/DR capabilities. Now that all mailboxes have been removed from the 2010 environment, we are ready to tear down this DAG to move forward with decommissioning Exchange 2010.
Remove Database Availability Group (DAG) Copies
First, we start with the copies. For every mailbox database copy in the environment hosted on Exchange 2010, we will need to remove the Mailbox Database Copy. This can be done via the UI, or via PowerShell:
NOTE: Removing the copy will not remove the actual .edb database file from the Server.
Remove All Nodes from Database Availability Group(s) (DAG)
For each Exchange 2010 server in the environment, we will need to remove the individual server from the DAG. This is evicting the server from the cluster. This can be done via the UI, or through PowerShell.
Lastly, once the Database copies are removed, and the servers are evicted from the cluster, the last thing is to finally remove the DAG from the environment. This can be done with the following PowerShell command:
Tip: If you have an even-membered DAG, and leveraged a File Share Witness, don’t forget to decommission the file share witness that was used for the Exchange 2010 DAG.
Unified Messaging Role
Configuration steps are required to move Exchange 2010 UM to Exchange 2016 servers. The following link can be used to guide through removal of UM from Exchange 2010. If moving to a third-party UM solution, remove the UM components to allow un-installation of the UM role.
Edge Role
If you have an Edge server, you will need to install Exchange 2016 Edge and recreate the Edge Subscription on the E2016 server. This is further documented here.
Other
As mentioned in the beginning of the document, due to so many different types of deployments and configurations, it’s difficult to cover all scenarios however it’s recommended to check any other possible scenarios that apply to your environment.
Third Party Applications
Make a list of applications that may be using Exchange 2010 (e.g. EWS, mail transport, database-aware) and make sure to configure these applications to start using Exchange 2016 infrastructure.
Shut-Down Exchange 2010 Servers
Test shutting down the Exchange servers for a few days to a few weeks to see if there are any issues. You are auditing for any applications that are trying to connect to the Exchange 2010 servers or trying to send email through the Exchange 2010 servers. Enabling protocol logging on the Hub Transport roles prior to shutting down the servers is an option. That way if any mail is processing through these servers, upon restart, the logging will begin immediately. If applications or servers are trying to connect you can remediate those or power on the Exchange 2010 servers until remediation can happen.
Tip: Check Active Directory DNS Zone settings to see if DNS Scavenging is enabled. If this is enabled, the DNS record could become stale during the shutdown time frame and cause DNS issues for the Exchange 2010 server.
Preparing for Removal of Server Roles
As you begin the process of removing servers, you should go through the list below and ensure you have everything tested and ready to go.
CAS
Remove CAS Arrays
Remove Any Exchange 2010 Client Access Arrays from Active Directory and DNS. Refer to the following document to remove the Client Access Array object with Shell using the following example:
Be sure to also remove any references in DNS to the CAS Array Name.
Remove Unused 2010 ASAs
If you followed either the Best practices for Migrations blog or the Coexistence with Kerberos blog, we recommend that any old alternate service accounts (ASAs) used for E2010 be removed. If you are using a different namespace than Exchange 2016, please verify old SPNs are also removed.
Remove Exchange 2010 OAB
Use the following command to remove Exchange 2010 OAB:
Now that all mailboxes are migrated from the Exchange 2010 platform, and the DAG is properly removed, we will want to decommission any leftover databases from the Exchange 2010 environment. To remove all Exchange 2010 databases, review the output of the following, and remove individually:
1
Get-MailboxDatabase-Server<ServerToDecommission>
And then remove the database with:
1
Remove-MailboxDatabase-Identity DB1
NOTE: If there are any mailboxes currently residing on the database, we will not let you remove the database, it will fail with the following error:
Remove Legacy Public Folders
If you chose not to migrate public folders, refer to the following document to remove public folders with either EMC or Shell using the following example:
Remove Legacy Public Folder Databases
Refer to the following document to remove the public folder databases with PowerShell using the following example:
1
Remove-PublicFolderDatabase-Identity"PFDB01"
Tip: Remember the .edb files linger after the above is done. Feel free to delete, backup, or do with these as you please.
Uninstall Exchange 2010
It’s recommended to uninstall in the following order: CAS, Hub, UM (if any), then Mailbox.
Starting the Uninstall Process
When you begin the uninstall process, close EMC, EMS, and any additional programs that could delay uninstall process (i.e. programs using .NET assemblies; antivirus and backup agents are examples). You can either run Exchange 2010 Setup.exe or navigate to Control Panel to modify or remove Exchange 2010 (either server roles or the entire installation). Specific steps are discussed in Modify or Remove Exchange 2010.
Tip: Exchange will protect itself! If you properly uninstall via Add/Remove Programs, it will ensure that it is ready to be uninstalled via Readiness Checks! If all the above prep work is completed before hand, it should uninstall just fine.
After Uninstall of Exchange 2010
After uninstalling Exchange there will be some general “housekeeping” tasks. These may vary depending on the steps taken during your upgrade and depending on your organization’s operational requirements.
Examples include:
Removing the legacy Exchange computer accounts from AD (including the DAG’s Cluster Name Object and any Kerberos ASA object).
Removing the legacy Exchange name records from DNS (including the DAG’s Cluster Name Object and any Kerberos ASA object).
Ensure the folder on the DAG file share witness (FSW) servers were successfully removed, possibly removing Exchange’s rights on the server if it isn’t serving double duty for Exchange 2016.
Removing old load balanced IP addresses and routes from your network load balancer.
Remove old firewall rules that open ports to Exchange 2010 environment.
Removing and disposing of the legacy Exchange environment’s physical equipment.
Deleting of the legacy Exchange environment’s virtual machines.
Conclusion
With the uninstall of the last server, hopefully Exchange 2010 treated your organization well. The Exchange product team takes great pride of the success of the platform and hope that you see the same success with Exchange 2016 (or Exchange Online!). Messaging sure has come a long way since it was released way back in 2009.
Today Microsoft is announcing the availability of quarterly servicing cumulative updates for Exchange Server 2016 and 2019. These updates include fixes for customer reported issues as well as all previously released security updates.
Personal Note: I was recently involved in a layoff at Microsoft in the Vendor PFE world. I am currently looking for new engagements.
Calculator Updates
This quarterly Exchange release includes an important update to the Exchange 2019 Sizing Calculator. We’ve made improvements to the logic to detect whether a design is bound by mailbox size (capacity) or throughput (IOPs) which affects the maximum number of mailboxes a database will support. Previous versions of the calculator produced incorrect results in some situations.
The Exchange team highly recommends using calculator version 10.4, included with the March 2020 quarterly CU release, to size Exchange Server 2019 deployments.
MCDB Configuration Issues
Cumulative Update 5 for Exchange Server 2019 also fixes an issue that can happen when you use the Manage-MetaCacheDatabase.ps1 script to enable MetaCacheDatabase (MCDB).
This issue occurred because of a change in behavior in Windows Server 2019 that caused Get-Disk to return all uninitialized discs within the Database Availability Group (DAG) or cluster. The script then incorrectly tried to format an SSD on another DAG member. We documented a workaround for CU4 here, but we’ve fixed it in CU5.
Online Mode Search Issues
Cumulative Update 5 for Exchange Server 2019 is also required to fix a known issue with partial word searches when the client is using Outlook in online mode.
Release Details
The KB articles that describe the fixes in each release and product downloads are available as follows:
Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate documentation.
Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.
Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the currently supported cumulative update for the product version in use, e.g.,
2013 Cumulative Update 23 2016 Cumulative Update 16 or 15 2019 Cumulative Update 5 or 4.
I get asked this a lot in my travels, “What’s the difference with Exchange 2019 and why should we go to it other than the fact that it is the latest version released. I wanted to post my findings from articles that I found to help explain some of the improvements and differences with running Exchange 2019.
Exchange Server 2019 brings a new set of technologies, features, and services to Exchange Server, the messaging platform that provides email, scheduling, and tools for custom collaboration and messaging service applications.
What is NOT in Exchange 2019…
There are some things that have been discontinued in Exchange 2019 which make the decision to go to it important for some companies.
Architecture
Feature
Comments and mitigation
Unified Messaging (UM)
Unified Messaging has been removed from Exchange 2019. We recommend that Exchange 2019 organizations transition to Skype for Business Cloud Voice Mail.
This is a big deal for some companies as they rely on Unified Messaging to handle their Voice Messaging. There are some articles available to view to assist in transitioning from UM to the new voicemail features with O365. I will post them as I find them in this blog. Keep tuned in for updates!
Here are some other deprecated features:
Client Access server role
The Client Access server role has been replaced by Client Access services that run on the Mailbox server role. The Mailbox server role now performs all functionality that was previously included with the Client Access server role. For more information about the new Mailbox server role, see Exchange Server architecture.
MAPI/CDO library
The MAPI/CDO library has been replaced by Exchange Web Services (EWS), Exchange ActiveSync (EAS), and Representational State Transfer (REST)* APIs. If an application uses the MAPI/CDO library, it needs to move to EWS, EAS, or the REST APIs to communicate with Exchange 2019.
De-emphasized Features
The following features are being de-emphasized in Exchange 2019 and may not be included in future versions of Exchange.
Third-party replication APIs
RPC over HTTP
Database availability group (DAG) support for failover cluster administrative access points (You can have IPLess DAGs now)
What’s new when upgrading to Exchange 2019?
Security
Windows Server Core support: Running Exchange on a Windows deployment with less surface area means less attack surface area and fewer components to service.
Block external access to Exchange admin center (EAC) and the Exchange Management Shell: You can use Client Access Rules to only allow administration of Exchange from the internal network instead of using complex network and firewall rules.
TLS 1.2 is the only version that’s enabled by default: Exchange Server 2019 includes important changes to improve the security of client and server connections. The default configuration for encryption will enable TLS 1.2 only and disable support for older algorithms (namely, DES, 3DES, RC2, RC4 and MD5). It will also configure elliptic curve key exchange algorithms with priority over non-elliptic curve algorithms. In Exchange Server 2016 and later, all cryptography settings are inherited from the configuration specified in the operating system.
Performance
Improved search infrastructure: The completely rebuilt search infrastructure for cloud scale and reliability in Exchange Online is now available in Exchange 2019. This new search infrastructure allows for indexing of bigger files, simpler management, and better search performance.
Faster, more reliable failovers: The changes to the search architecture result in significantly faster and more reliable failover over between servers.
Metacache database: Improvements at the core of Exchange’s database engine enable better overall performance and take advantage of the latest storage hardware, including larger disks and SSDs.
Modern hardware support: Exchange now supports up to 256 GB of memory and 48 CPU cores.
Dynamic database cache: The information store process employs dynamic memory cache allocation optimizing memory usage to active database usage.
Clients
Calendar – Do Not Forward: This is similar to Information Rights Management (IRM) for calendar items without the IRM deployment requirements. Attendees can’t forward the invitation to other people, and only the organizer can invite additional attendees.
Calendar – Better Out of Office: Additional options when you won’t be in the office. Key options include: add an event to your calendar that shows you as Away/Out of Office, and a quick option to cancel/decline meetings that will happen while you’re away.
Calendar – Remove-CalendarEvents cmdlet: Enables administrators to cancel meetings that were organized by a user that has left the company. Previously, conference rooms or meeting attendees would have these defunct meetings permanently on their calendars.
Assign delegate permission via PowerShell: Updates to the Add-FolderPermissions cmdlet so administrators can assign delegate permissions.
Email address internationalization (EAI): Email addresses that contain non-English characters can now be routed and delivered natively.
Exchange 2019 architecture
Today, CPU horsepower is significantly less expensive and is no longer a constraining factor. With that constraint lifted, the primary design goal for Exchange 2019 is for simplicity of scale, hardware utilization, and failure isolation. With Exchange 2019, we reduced the number of server roles to two: the Mailbox and Edge Transport server roles.
Unified Messaging (UM) has been removed from Exchange 2019. Other than that, the Mailbox server in Exchange 2019 includes all of the server components from the Exchange 2013 Mailbox and Client Access server roles:
Client Access services provide authentication, limited redirection, and proxy services. Client Access services don’t do any data rendering and offer all the usual client access protocols: HTTP, POP and IMAP, and SMTP.
Mailbox services include all the traditional server components found in the Exchange 2013 Mailbox server role except Unified Messaging: the backend client access protocols, Transport service, and Mailbox databases. The Mailbox server handles all activity for the active mailboxes on that server.
The Edge Transport role is typically deployed in your perimeter network, outside your internal Active Directory forest, and is designed to minimize the attack surface of your Exchange deployment. By handling all Internet-facing mail flow, it also adds additional layers of message protection and security against viruses and spam, and can apply mail flow rules (also known as transport rules) to control message flow.
For more information about the Exchange 2019 architecture, see Exchange architecture.
Along with the new Mailbox role, Exchange 2019 now allows you to proxy traffic from Exchange 2013 Client Access servers to Exchange 2019 mailboxes. This new flexibility gives you more control in how you move to Exchange 2019 without having to worry about deploying enough front-end capacity to service new Exchange 2019 servers.
MAPI over HTTP
MAPI over HTTP is now the default protocol that Outlook uses to communicate with Exchange. MAPI over HTTP improves the reliability and stability of the Outlook and Exchange connections by moving the transport layer to the industry-standard HTTP model. This allows a higher level of visibility of transport errors and enhanced recoverability. Additional functionality includes support for an explicit pause-and-resume function, which enables supported clients to change networks or resume from hibernation while maintaining the same server context.
Note: MAPI over HTTP isn’t enabled in organizations where the following conditions are both true:
You’re installing Exchange 2019 in an organization that already has Exchange 2013 servers installed.
MAPI over HTTP wasn’t enabled in Exchange 2013.
While MAPI over HTTP is now the default communication protocol between Outlook and Exchange, clients that don’t support it will fall back to Outlook Anywhere (RPC over HTTP).
Outlook on the Web (formerly known as Outlook Web App)
Outlook Web App is now known as Outlook on the web, which continues to let users access their Exchange mailbox from almost any web browser.
NOTE: Supported Web browsers for Outlook on the web in Exchange 2019 are Microsoft Edge, Internet Explorer 11, and the most recent versions of Mozilla Firefox, Google Chrome, and Apple Safari.
The former Outlook Web App user interface has been updated and optimized for tablets and smart phones, in addition to desktop and laptop computers. New Exchange 2019 features include:
Platform-specific experiences for phones for both iOS and Android.
Premium Android experience using Chrome on devices running Android version 4.2 or later.
Email improvements, including a new single-line view of the Inbox with an optimized reading pane, archiving, emojis, and the ability to undo mailbox actions like deleting a message or moving a message.
Contact linking the ability for users to add contacts from their LinkedIn accounts.
Calendar has an updated look and new features, including email reminders for Calendar events, ability to propose a new time in meeting invitations, improved search, and birthday calendars.
Search suggestions and refiners for an improved search experience that helps users find the information they want, faster. Search suggestions try to anticipate what the user’s looking for and returns results that might be what the user is looking for. Search refiners will help a user more easily find the information they’re looking for by providing contextually-aware filters. Filters might include date ranges, related senders, and so on.
New themes Thirteen new themes with graphic designs.
Options for individual mailboxes have been overhauled.
Link preview which enables users to paste a link into messages, and Outlook on the web automatically generates a rich preview to give recipients a peek into the contents of the destination. This works with video links as well.
Inline video player saves the user time by keeping them in the context of their conversations. An inline preview of a video automatically appears after inserting a video URL.
Pins and Flags which allow users to keep essential emails at the top of their inbox (Pins) and mark others for follow-up (Flags). Pins are now folder specific, great for anyone who uses folders to organize their email. Quickly find and manage flagged items with inbox filters or the new Task module, accessible from the app launcher.
Performance improvements in a number of areas across Outlook on the web, including creating calendar events, composing, loading messages in the reading pane, popouts, search, startup, and switching folders.
New Outlook on the web action pane that allows you to quickly click those actions you most commonly use such as New, Reply all, and Delete. A few new actions have been added as well including Archive, Sweep, and Undo.
Document collaboration (On-Premises and in O365)
Exchange 2019, along with SharePoint Server 2019 and SharePoint Online, enables Outlook on the web users to link to and share documents that are stored in OneDrive for Business in an on-premises SharePoint server instead of attaching files to messages. Users in an on-premises environment can collaborate on files in the same manner that’s used in Office 365.
When an Exchange 2019 user receives a Word, Excel, or PowerPoint file in an email attachment, and the file is stored in OneDrive for Business or on-premises SharePoint, the user will now have the option of viewing and editing that file in Outlook on the web alongside the message. To do this, you’ll need a separate computer in your on-premises organization that’s running Office Online Server.
Exchange 2019 also brings the following improvements to document collaboration:
Saving files to OneDrive for Business.
Uploading a file to OneDrive for Business.
Most Recently Used lists populated with both local and online files.
Office 365 hybrid and the HCW
The Hybrid Configuration Wizard (HCW) that was included with Exchange 2013 is moving to become a cloud-based application. When you choose to configure a hybrid deployment in Exchange 2019, you’ll be prompted to download and install the wizard as a small app. The wizard will function the same in previous versions of Exchange, with a few new benefits:
The wizard can be updated quickly to support changes in the Office 365 service.
The wizard can be updated to account for issues detected when customers try to configure a hybrid deployment.
Improved troubleshooting and diagnostics to help you resolve issues that you run into when running the wizard.
The same wizard will be used by everyone configuring a hybrid deployment who’s running Exchange 2013 or later.
In addition to Hybrid Configuration Wizard improvements, multi-forest hybrid deployments are being simplified with Azure Active Directory Connect (AADConnect). AADConnect introduces management agents that will make it significantly easier to synchronize multiple on-premises Active Directory forests with a single Office 365 tenant.
Exchange ActiveSync clients will be seamlessly redirected to Office 365 when a user’s mailbox is moved to Exchange Online. To support this, ActiveSync clients need to support HTTP 451 redirect. When a client is redirected, the profile on the device is updated with the URL of the Exchange Online service. This means the client will no longer attempt to contact the on-premises Exchange server when trying to find the mailbox.
Secure Messaging, Policy, and Compliance
Data loss prevention
To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include credit card numbers, social security numbers, health records, or other personally identifiable information (PII). With a DLP policy and mail flow rules (also known as transport rules) in Exchange 2019, you can now identify, monitor, and protect 80 different types of sensitive information with new conditions and actions:
With the new condition Any attachment has these properties, including any of these words, a mail flow rule can match messages where the specified property of the attached Office document contains specified words. This condition makes it easy to integrate your Exchange mail flow rules and DLP policies with SharePoint, Windows Server 2012 R2 File Classification Infrastructure (FCI), or a third-party classification system.
With the new action Notify the recipient with a message, a mail flow rule can send a notification to the recipient with the text you specify. For example, you can inform the recipient that the message was rejected by a mail flow rule, or that it was marked as spam and will be delivered to their Junk Email folder.
The action Generate incident report and send it to has been updated to enable the notification of multiple recipients by allowing a group address to be configured as the recipient.
In-place Archiving, retention, and eDiscovery
Exchange 2019 includes the following improvements to In-Place Archiving, retention, and eDiscovery to help your organization meet its compliance needs:
Public folder support for In-Place eDiscovery and In-Place Hold: Exchange 2019 integrates public folders into the In-Place eDiscovery and Hold workflow. You can use In-Place eDiscovery to search public folders in your organization, and you can put an In-Place Hold on public folders. And similar to placing a mailbox on hold, you can place a query-based and a time-based hold on public folders. Currently, you can only search and place a hold on all public folders. In later releases, you’ll be able to choose specific public folders to search and place on hold. For more information, see Search and place a hold on public folders using In-Place eDiscovery.
Compliance Search: Compliance Search is a new eDiscovery search tool in Exchange 2019 with new and improved scaling and performance capabilities. You can use it to search very large numbers of mailboxes in a single search. In fact, there’s no limit on the number of mailboxes that can be included in a single search, so you can search all mailboxes in your organization at once. There’s also no limit on the number of searches that can run at the same time. For In-Place eDiscovery in Exchange 2019, the limits are the same as in Exchange 2013: you can search up to 10,000 mailboxes in a single search and your organization can run a maximum of two In-Place eDiscovery searches at the same time.
Indexing and Search Architecture
In Exchange 2019, the search architecture has been redesigned. It is now based on the same engine as the modern search engines are and is directly on the mailbox in Exchange 2019. There is no content index database attached to the mailbox database as in previous versions of Exchange Server. Previously, search was a synchronous operation that was not very fault-tolerant. The new architecture is asynchronous and decentralized. It distributes the work across multiple servers and keeps retrying if any servers are too busy. This means that we can return results more reliability, and faster.
Another advantage of the new architecture is that search scalability is improved. The number of mailboxes you can search at once using the console has increased from 5k to 10k for both mailboxes and archive mailboxes, allowing you to search a total of 20k mailboxes at the same time.
This blog is going to be a dedicated repository linked to pages, posts, documentation, links, and information that I find during my troubleshooting processes within the IT world. Some posts will contain code snippets that you can use with your own work if needed. Feel free to comment and get this thing rolling!
I now have contributors! Please welcome their input as valued colleagues in the IT Industry! Be on the lookout for their blog posts and please comment!
LDLNET LLC – Your source for Professional IT Services
I have been doing some training on PowerShell Scripting this week and am going to be posting a number of articles on what I have been training on. This article deal with formatting your data output from your custom script or function to be viewed the way that you want it. Have you ever run a cmdlet where the column width is not wide enough and your data get’s truncated? Well, here is a method that you can use to make the default output of your function or script display how you want it to.
The best way to do this is by using an existing xml formatting file as a template. Run the following PowerShell commands to access those templates:
Remember: A custom view must always end with “.format.ps1xml”
We will use DotNetTypes.format.ps1xml as a template. Using this file, create a file called “hrmctools.formatps1xml”. That file will contain the following information modified from the template:
Custom XML Formatting FIle
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<?xml version="1.0"encoding="utf-8"?>
<Configuration>
<ViewDefinitions>
<View>
<Name>hrmctoolcustomformat</Name>
# This must match with the “insert” command above so that object is linked to this format
<ViewSelectedBy>
<TypeName>hrmctoolcustomformat</TypeName>
# This must match with the “insert” command above so that object is linked to this format
</ViewSelectedBy>
<TableControl>
<TableHeaders>
<TableColumnHeader>
<Label>columnX</Label>
# This displays a different name rather than defaulting to the property name.
NOTE: In PS, the content of xml files are always CASE SENSITIVE!!!
Once you have created your own custom view you then need to tell PowerShell to apply the formatting by using the cmdlet Update-FormatData:
1
Update-FormatData-PrependPath"Path To Your XML File"
Once you run the above command, this custom format you created should now be loaded into memory. You can verify this by using the Get-FormatData cmdlet:
1
Get-FormatData
If you have not done so in your function or script, you can attach your custom view to your function or script using the “insert” method:
Note*: This code has already been inserted into our function listed in this example. NOTE**:The first parameter “0” is something that you always type in. You can now confirm that the object has successfully been attached to the custom view, by typing in PowerShell:
1
$MyObject|Get-Member
Also if you output your object, you should now notice that its appearance should have now changed to those that you defined in the custom view.
A “Typename” is essentially a name that you give to your object. It tells PowerShell the type of object that it is. Know that it is possible for a number of commands to have outputting objects of the same type (the same typename value). This could affect other cmdlets and functions in your script, so be sure to debug if necessary.
I had a failure on one of my two Exchange 2019 CU4 servers when installing the Security Update for them:
I could not restart the install as it would fail when getting to the services stoppage part of the installation. I saw this error in the ServiceControl.log file in the C:\ExchangeSetupLogs Directory
I downloaded the .msp file to install manually and read the answers on the web-page. It was said that there was an issue with the ServiceControl.ps1 file that is in the Exchange Server BIN directory when running Patch with the Verbose logging enabled:
3. Next, Change all the Stop-SetupService Entries in the script to Stop-Service
4. Next, Change all the Start-SetupService to Start-Service
5. Next, Add the following to StopServices function to bypass the attempt that was trying to stop services, because they have already been stopped ...
Start at line 300
300: Status "Stopping services for '$Roles'..."
301:$services=Get-ServiceToControl$Roles-Active
302:##Change Here
303:if($services-eq$null){
304:return$true
305:}
306:##End Change Here
307:[array]::Reverse($services)
6.Inoticed that these2files ServiceStartupMode.xml andServiceState.xml may have permission issue since the last failure intheC:\ExchangeSetupLogs directory.So,Ialso renamed the files to.old
Once I made those changes. I renamed the original ServiceContol.ps1 to a .old file and saved this modified file to the BIN directory. I was then able to successfully run the Security Update.
BUT WHY DID THIS SERVER FAIL AND NOT THE OTHER?!?
Both are CU4, but the server that failed had been upgraded from CU1 where the one that did NOT fail was a clean installation of CU4. So, I checked the ServiceConrol.ps1 file on both servers:
Older Exchange Install Date of ServiceControl.ps1 is 1/1/2020CU4 Clean Installation Date of ServiceControl.ps1 is 2/3/2020
I have not tested this, but maybe if I had copied the ServiceControl.ps1 file from the CU4 clean installation to the original install, the script might have worked since the creation dates are different and I have no other version information to go on. I will verify this though. For now, the changes to the script allowed me to successfully install the Security Update Successfully.
NOTE: All the Exchange and IIS Services were in a Startup Mode: Disabled state and I had to reset them ALL to Automatic. Once that was completed and the server rebooted, Exchange was returned to normal state. ****Also, just to be safe, I ran a great script that assures the server is out of maintenance mode. You can get the script HERE. You can also get the script to put the server into maintenance mode. You can get the script HERE. These scripts will work on Exchange 2013 and above servers.
UPDATE / 3/12/2020 2:39 AM EST
Something was still wrong with the server. ActiveSync and PAM started breaking. I started having all sorts of authentication problems. I decided to restore the server from backup from Tuesday. I forgot to backup the ServiceControl.ps1 file that modified, but I moved the one from the successful installation to the restored server and am currently running the update. I will see if it works and send the information to you.
UPDATE / 3/12/2020 3:45 AM EST
The restore worked great and placing the ServiceControl.ps1 file in the BIN directory on the prior failed Exchange Server did allow for the installation to complete successfully. I have tested ActiveSync and Authentication which is now functioning properly. Hooray!
SEND ME YOUR IDEAS/ FOR POSTS! HAPPY TROUBLESHOOTING!
In my role as a PFE for Microsoft, I have been going through many deployments of Exchange 2016 from Exchange 2010 due to the end of life deadline for Exchange 2010. I am actually in the middle of three enterprise level deployments this month.
Because of this, I wanted to provide some MUST READ links with consideration to the Exchange 2016 Deployment process. Please click on the links below, and they will take you to the documentation needed when preparing for a Exchange 2016 migration and deployment from Exchange 2010.
I will add more articles as they become relevant in my experiences with my customers and feel they could be relevant here as well. If you have a suggestion for a link that should be considered added to this post, feel free to leave a comment!
THANKS AGAIN FOR READING! SUGGEST A LINK! GOOD LUCK ON YOUR DEPLOYMENT!
I’ve been working on installing Windows Server 2019 Core into my network to be able to look at new features for Windows Administration and learning how Server Core works. I was able to install a virtual machine with Server Core and get it activated. I then wanted to place my custom PowerShell script for loading PowerShell into the Server Core Environment.
So, I added the Server Core Server to the Windows Admin Center and copied my custom scripts for PowerShell into the proper directory:
Windows Admin Center
I then logged on remotely to the server and started PowerShell. When I did that, I got this error with the script load:
Error that IE First Run has not been completed
At first, I tried using the -UseBasicParsing as a switch to see if that would repair the issue in the script. It did not because, IE is not installed by default on the default installation of Server Core. That is so there is less of a footprint that can be attacked by a hacker. I needed this installed though so that the Invoke-WebRequest cmdlet would load my script parameters properly.
I started looking for answers to how to install IE onto the Server Core box and found the following article. I had to run the Add-WindowsCapability cmdlet on the server to install the optional components. When I did, I received an error:
Error when adding the Windows Capability
So I found out that there is a block that WSUS does keeping the cmdlet from going to the online source to download the software package and producing this error. After researching, I found this article. I setup a Group Policy to make sure this setting is propagated to my Server Core machine. I also setup in the same policy the ability to turn off the First-Run for IE so that you do not get that message and have to open IE to “set it up”
Group Policy Setting with Path to Templates Specified
I then ran a gpupdate /force on the Server and was able to download the components for IE and App Compatibility.
Successful Installation of Windows Capability
I then rebooted the server and now my PowerShell loads successfully:
Successful PowerShell Load
I learned a few different new things here and was able to get Server Core working more the way that I like it. I will keep posting updates when I run into issues with this type of installation. I would definitely give the Windows Admin Center a try as it has more robust features than Server Manager has, especially for Server 2019 and Server Core.
CONQUER THE UNCOMFORTABLE TO GROW! POSITIVE ATTITUDE ABIDES!
During my time as a PFE for Microsoft, I have encounted many issues with Federation in a Hybrid Exchange Deployment. Recently, the following support announcement came out and I wanted to share as I hope this can help others that may be having issues out there.
One of the more common causes of HCW failures is the Federation Trust step for the Exchange on-premises organizations in Full hybrid configurations (Classic or Modern topologies).
Federation trust is a mandatory step in the on-premises Exchange organizations when configuring Full hybrid deployments, as this allows us to create organization relationships (for features like hybrid free/busy or OWA/EAS redirection) and sharing policies (1:1 hybrid calendar sharing). In Exchange Online multi-tenant organizations, federation trust is already in place.
Below is an illustration of an Exchange hybrid deployment where both the Exchange on-premises organization and the Exchange Online organization have a trust with Azure Authentication System (formerly called Microsoft Federation Gateway):
Example of Hybrid Federation
Before getting to our subject, let’s quickly go over different hybrid configurations and Hybrid Configuration Wizard (HCW) – as this is the supported tool to configure hybrid deployments. There are 2 flavors of hybrid configurations: • Classic hybrid • Modern hybrid
At this time, each of those supports the following hybrid modes:
Full
Minimal (which further breaks down into…)
Express (a one-time sync)
“Actual minimal”
A quick overview of Full / Minimal / Express options, can be found here. More info on HCW is here.
As mentioned earlier, a federation trust is created by HCW only in Full Hybrid.
HCW logs are located at %appdata%\Microsoft\Exchange Hybrid Configuration on the machine from where HCW was ran. The easiest way to get to them is to press F12 in the HCW window to open the Diagnostic tools and from there you can Open Folder Logging or Open Log File directly.
When you have issues with federation trust, the log will usually show errors when one of the following cmdlets are executed:
Set-FederationOrganizationIdentifier or Add-FederatedDomain (but can be other cmdlets as well).
Once you identified the exact cmdlet failing and where (Session=OnPremises – means Exchange Management Shell and Session=Tenant means Exchange Online PowerShell), you should copy-paste the failing command and try to execute it manually and see if that is failing as well (most likely it will). You can also open the shells from F12 Diagnostic tools windows in HCW.
In order to get more details on the error and to rule out this is not an issue with HCW itself, you will need to separately run the same command that threw exception in HCW log and add Verbose switch to get verbose details of the error and the serialized remote exception.
For example, if the Exchange server version is Exchange 2010, you will run the failing command with Verbose switch in Exchange Management Shell (EMS), see if that fails and then get the serialized remote exception.
Once you’ve gathered the verbose error / serialized exception, try to understand where it is failing (or provide it to Microsoft Support together with the HCW log).
Common Errors with Remediation Steps
Federation trust fails with “Object reference not set to an instance of an object”
This is a known old issue on Exchange 2016 CU7 servers, make sure your Exchange servers are updated to the latest CU.
Full error in the HCW log:
Log Entries Extended
1
2
3
2017.10.0601:45:56.562*ERROR*10277[Client=UX,Activity=Domain Ownership,Session=OnPremises,Cmdlet=Set-FederatedOrganizationIdentifier,Thread=21]FINISH Time=398.4msResults=PowerShell failed toinvoke'Set-FederatedOrganizationIdentifier':Objectreference notset toan instance of an object.An unexpected error has occurred andaWatson dump isbeing generated:Objectreference notset toan instance of an object.
2017.10.0601:45:56.563*ERROR*10224[Client=UX,Page=DomainProof,Thread=21]Microsoft.Online.CSE.Hybrid.PowerShell.PowerShellInvokeException:PowerShell failed toinvoke'Set-FederatedOrganizationIdentifier':Objectreference notset toan instance of an object.An unexpected error has occurred andaWatson dump isbeing generated:Objectreference notset toan instance of an object.--->System.Management.Automation.RemoteException:Objectreference notset toan instance of an object.
2019.07.0617:53:15.37510177[Client=UX,Activity=Domain Ownership,Provider=OnPremises,Thread=19]PowerShell Error Record:{CategoryInfo={Activity=Add-FederatedDomain,Category=InvalidResult,Reason=DomainProofOwnershipException,TargetName=,TargetType=},ErrorDetails=,Exception=Proof of domain ownership has failed.Make sure that the TXT record forthe specified domain isavailable inDNS.The format of the TXT record should be"example.com IN TXT hash-value"where"example.com"isthe domain you want toconfigure forFederation and"hash-value"isthe proof value generated with"Get-FederatedDomainProof -DomainName example.com".,FullyQualifiedErrorId=367408EF,Microsoft.Exchange.Management.SystemConfigurationTasks.AddFederatedDomain}
Resolution:
• Check the TXT record for your domain(s) in HCW log or in Exchange Management Shell with command Get-FederatedDomainProof -DomainName • See if it matches your published TXT record with either nslookup utility or by checking internet websites like https://www.whatsmydns.net/ put your domain in hostnames, type=txt, Nameservers – Authoritative
You would look for errors, missing records or unusual formatting (characters, spaces, quotes, TXT record split in half).
Federation fails with “An unexpected error occurred on a receive” or “An unexpected error occurred on a send.”
Full error in the HCW log:
Log Entries Extended
1
2018.10.1017:03:31.277*ERROR*[Activity=Domain Ownership,Session=OnPremises,Cmdlet=Set-FederatedOrganizationIdentifier]FINISH Time=64.3sResults=PowerShell failed toinvoke'Set-FederatedOrganizationIdentifier':An error occurred whileattempting toprovision Exchange tothe Partner STS.Detailed Information"An error occurred accessing Windows Live. Detailed information: "The underlying connection was closed:An unexpected error occurred onareceive.".".
Resolution:
Check outbound access from all your Exchange Servers to Microsoft Federation Gateway by browsing using Internet Explorer with PSEXEC tool (with -s and -i switches) from the Exchange Server (this will use Internet Explorer under System Account / Exchange Server Account).
From on-premises Exchange to Office 365, the Exchange 2010 MBX & CAS or 2013 MBX (backend) or 2016 / 2019 would need outbound Internet access to the Microsoft Federation Gateway in addition to https://outlook.office365.com/ews/exchange.asmx
Verify the machine/system account can access these Microsoft Federation Gateway URLs:
Note: If the Exchange requires a proxy server to access the Internet, specify the proxy server using “Set-ExchangeServer myExchange01 -InternetWebProxy http://myproxy:80”. Notice such proxy can’t require any user authentication for outbound Internet access, and the proxy must start with HTTP: and not HTTPS: (secure SSL).
You can also set the proxy using netsh as well.
set proxy proxy-server=”http=myproxy;https=sproxy:88″ bypass-list=”*.contoso.com”
In rare instances, you can use the machine/system account to access the URLs from the browser, but Exchange cmdlets still failed with “Could not establish trust relationship for the SSL/TLS secure channel.” If that happens, make sure the certificate authorities for the urls are installed at the Third-Party Root Certification Authorities of the machine local certificate location.
Federated delegation features require that the Mailbox and Client Access servers in your organization have outbound access to the Internet by using HTTPS. You must allow outbound HTTPS access (port 443 for TCP) from all Exchange 2010 Mailbox and Client Access servers in the organization.
There is no specific error / exception, in HCW log you would see it stops without any specific error.
in HCW log if you see something with “DEL“: “contoso.com/Configuration/Deleted Objects/Microsoft Federation Gateway/DEL: <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx>”.
Solution is to remove the orphaned federation trust and re-run HCW.
NOTE: as a first step, you can try to run the commandremove-federateddomain with the switch -Force. Also, you don’t need to recreate federation trust manually, just re-run HCW (this will recreate federation trust for us)
Federation Trust fails with “InternalError InternalError: Internal error.”.”.””
2019.08.2307:45:23.239*ERROR*10277[Client=UX,Activity=Domain Ownership,Session=OnPremises,Cmdlet=Set-FederatedOrganizationIdentifier,Thread=20]FINISH Time=325.0msResults=PowerShell failed toinvoke'Set-FederatedOrganizationIdentifier':An error occurred whileattempting toprovision Exchange tothe Partner STS.Detailed Information"An unexpected result was received from Windows Live. Detailed information: "InternalError InternalError:Internal error.".".{CategoryInfo={Activity=[System.String]Set-FederatedOrganizationIdentifier,Category=[System.Management.Automation.ErrorCategory]InvalidResult,Reason=[System.String]
Resolution:
Open request with Microsoft Support or check if any Service Incident is published. Please see this for more information.
Federation trust fails with “1007 Access Denied”
Full error in the HCW log:
Log Entries Extended
1
Set-FederatedOrganizationIdentifier,Category=[System.Management.Automation.ErrorCategory]InvalidResult,Reason=[System.String]ProvisioningFederatedExchangeException,TargetName=[System.String],TargetType=[System.String]},ErrorDetails=,Exception=[System.Management.Automation.RemoteException]An error occurred whileattempting toprovision Exchange tothe Partner STS.Detailed Information"An unexpected result was received from Windows Live. Detailed information: "1007AccessDenied:Access Denied."."
Resolution:
“1007 Access Denied” error is usually when we have issues with:
Outdated federation trust (for example, federation trust certificate expired) and in this case you would remove federation trust by following these steps.
If the federation trust certificate is not found on any of the servers, then proceed with resolution from the next error.
As an example, from one HCW log, there seems to be this federation trust certificate expired on 05/13/2019:
Federation trust fails with “Federation Certificate cannot be found”
Full error in the HCW log:
Log Entries Extended
1
2019.11.2214:40:32.569*ERROR*10277[Client=UX,Activity=Domain Ownership,Session=OnPremises,Cmdlet=Get-FederatedDomainProof,Thread=6]FINISH Time=125.1msResults=PowerShell failed toinvoke Get-FederatedDomainProof:Federation certificate with the thumbprint‘03650FFAF05E83E3B007DF3473CB5753F5C4459’cannot be found.
Resolution:
Follow the procedure here to manually cleanup the federation trust from AD. Once this is done, re-run the HCW to re-create it automatically.
KEEP TROUBLESHOOTING! REMAIN VIGILANT USING FOCUSED INTENT, NEVER EMOTIONALIZING (FINE)!
I had recently had this error in WSUS where my Windows Server 2016 servers would NOT report into the WSUS Server. I would get an error stating 0x8024401c when manually performing a report now to the WSUS Server using:
WSUS Fix for 2016 Servers Not Reporting
1
wuauclt.exe/reportnow
Error from Windows Update on affected server
Solution:
Go to IIS Manager on the WSUS Server
Goto Advanced Settings of WsusPool.
Make sure following settings are present/configured on the Pool, if not change it to below:
WSUS AppPool Settings
1
2
3
4
Queue Length:25000
Limit Interval(minutes):15
"Service Unavailable"Response:TcpLevel
PrivateMemory Limit(KB):0
Make sure, the WSUS Entry in the Registry is having fully qualified domain name of WSUS Server.
NOTE: If you have Group Policy managing the WSUS Settings, then make sure you change the settings in the WSUS Policy to use the FQDN of the WSUS Server and run a gpupdate /force on the clients.
Should be set to FQDN of your WSUS Server i.e. “http://wsus.domain.com:8530”
Stop IIS on the WSUS Server
Edit the web.config located at following location on WSUS Server:
When you
deploy or upgrade to Microsoft Exchange 2019 Cumulative Update 4 (CU4) on
Microsoft Windows Server 2019 or Windows 10 (Management Tools only) builds
1909 or 1903, the system prerequisites check fails, and you receive the
following error message:
By default, Windows builds 1909 and 1903 already have .NET Framework 4.8 installed. When you try to reinstall the software, the installation fails.
Cause
This
problem is caused by a prerequisite check that was introduced in Cumulative
Update 4. This process checks incorrectly for .NET Framework 4.8. Because the
prerequisite check doesn’t recognize that .NET Framework 4.8 is already
installed.
Status
Microsoft is researching this problem and will post more
information in this article when it becomes available.
Workaround
Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
Right-click the subkey, and select Permissions from the shortcut menu.
Select Advanced.
In the Advanced Security Settings window, locate the Owner attribute at the top of the window.
Select Change next to the listed owner.
In the Enter the object name to select field, enter the name of the local administrator group. For example, enter <computername>\Administrator. Then, select OK.
In the Advanced Security Settings window, select the local administrator group that you changed ownership to, and then select Edit.
Change the basic permissions to Full Control.
Select OK three times to save the changes and return to the main Registry Editor window.
Locate the following key in the path:
Name: Release Type: REG_DWORD Data: 528040 (decimal) Change the Data value to 528049 (decimal)
Rerun the Exchange system prerequisites check, and deploy or update Exchange Server 2019.
Start Registry Editor, locate the subkey that’s mentioned in step 2, repeat the necessary steps to locate the Release key, and then revert the Data value to 528040 (decimal).
This should allow everything to run correctly after the installation.
POSITIVE DAY TO YOU! FINE = Focused Intent Not Emotionalizing
I have run into this issue at a number of my customers that utilize an Exchange Edge Server in their Hybrid Deployment. They’ll need to modify their send connectors for their forced TLS communication with their partners or own mailboxes in Office365. Whenever they want to modify the send connector and save the changes, they get the following error messages:
Symptoms
“PowerShell failed to invoke ‘Set-SendConnector’: Error 0x5 (Access is denied) from cli_GetCertificate”
or
“Error 0x6ba (the RPC server is unavailable) from cli_GetCertificate”
This issue occurs because the TLS certificate check (in case the TlsCertificateName attribute is populated on the send connector) doesn’t work against the Edge servers as the RPC communication is blocked against the Edge servers.
Workaround
Now the current workaround for this has been to delete the Edge Send Connector and recreate the connector from scratch via PowerShell with all the settings and changes entered. This is not a viable solution especially if your communications with your partners change constantly and changes are made to the secure communications channel between you and them.
Resolution
To fix this issue, install one of the following updates:
Support Announcement: Released: December 2019 Quarterly Exchange Updates Release Date: December 17, 2019
Summary Today Microsoft is announcing the availability of quarterly servicing cumulative updates for Exchange Server 2016 and 2019. These updates include fixes for customer reported issues as well as all previously released security updates.
Setup Now Requires .NET Framework 4.8 As previously announced .NET 4.8 is now required and enforced by setup with the updates released today.
Calculator Updates Cumulative Update 4 includes a significant update to the Exchange 2019 sizing calculator. After the initial re-work and optimization for Exchange 2019 previously delivered, we’ve updated some formulas based upon new Big Funnel performance data gathered from the O365 service and real-world customer experiences. Version 10.3 of the calculator includes improvements to calculations and default settings which allow for better and smoother utilization of disk resources. We’ve received feedback from customers that they’d like more information on constraints which impact system design, specifically disk resources. Included in this update, is an indication on the Input worksheet will provide information as to whether the design is constrained by IOPs throughput or disk capacity.
We’ve added additional explanatory messages when the calculator detects a setting conflict, made additional improvements in input performance and improved support for using manual/override configurations. The Volume Design sheet had a complete re-work to improve the presentation and accuracy of the information being displayed to support these changes. All-in-all, this version of the calculator provides the best possible experience to plan your Exchange 2019 deployment and replaces all previous releases.
Address Book Policy Changes When organizations deploy Address Book Policies to users they can sometimes hit an issue when a locally logged in user without a mailbox tries to open a mailbox linked to another user account using Outlook. This conflict results in ABP’s being inconsistently applied. The updates released today contain a change detailed in KB4532747 which resolves this issue and ensures the ABP’s assigned to the mailbox being opened are always used.
Release Details The KB articles that describe the fixes in each release and product downloads are available as follows:
Additional Information Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate documentation. Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings. Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the currently supported cumulative update for the product version in use, e.g., 2013 Cumulative Update 23; 2016 Cumulative Update 15 or 14; 2019 Cumulative Update 4 or 3.
My continuation of the “Installation from HELL” proceeded onward today with our team attempting to install Exchange on another server in the test environment and having it fail when getting to the Mailbox Role portion of the installation.
The error kept saying that the installation was failing due to a “Database is mandatory on UserMailbox”. We had been having many issues with the Schema and RBAC roles which were resolved in my other post by adding the Role Assignments to the schema. I did mention that the environment started settling down and the system mailboxes (Arbitration) along with the Health Mailboxes started functioning. This was actually not the case for the Arbitration mailboxes. I glanced at the following article to see how to manually recreate the Arbitration mailboxes again.
I performed a “Get-Mailbox -Arbitration | fl Name” in Exchange Powershell (similar to the screenshot below) to see if the mailboxes were in fact created. They in fact were not and were giving the error “Database is mandatory for the UserMailbox.”
Verification of Arbitration System Mailboxes existing
So, I tried to do what the original article said to do and enable the mailboxes one by one. I kept getting errors when trying to create the mailboxes. So I began to search the internet for another way to possibly remediate this without having to get too deep into the system.
I found the following article explaining the exact error I was getting during the installation of Exchange. In the article, it said to look at the attributes of the account associated with the Arbitration mailbox to see if the homeMDB attribute had no value:
homeMDB attribute NOT set on Arbitration Mailbox Account
Now, since I was NOT having good luck with either the Exchange Setup nor PowerShell, I had to figure out a way to place the attribute value so that the mailbox would be visible. What I did was this:
I opened a User in ADUC with a working mailbox on the needed database.
I went to the Attributes Tab and looked up the homeMDB attribute for that user then chose Edit.
I copied the entire value from the screen and closed it.
I then went to the Arbitration mailbox in question and opened it’s homeMDB attribute.
I pasted the value into the Value box and saved it.
Paste the active database value in the homeMDB attribute for the Arbitration Mailbox account
Once completed with remediating the attribute for all the Arbitration mailbox accounts missing the value, I re-ran the cmdlet to verify that the error was not present for any arbitration maibox:
I then uninstalled and re-installed Exchange using setup on the failing server and the installation completed successfully.
This has been an excellent week in training on the value of the setup process for Exchange and also the value of the system accounts and values in relation to Exchange and it working properly.
A POSITIVE OUTLOOK WILL YIELD POSITIVE RESULTS ULTIMATELY!
I had a very interesting installation issue recently when installing Exchange 2019 into a new environment. We ran through all the Exchange Preparation for the root and child domains in the forest as described HERE. The results of those installation procedures showed SUCCESS, but when we started installing Exchange, we ran into issues with the System Mailboxes not being available to complete the Mailbox Role part of the installation. Most of the articles that I found said to re-run the Domain Prep (/preparealldomains) and the AD Prep (/pad). So we did, and managed to get the first server installed somehow.
The reason I said somehow is because when we tried to logon to the EAC, we would get a 400 Bad Request Error and could not logon to the console. Next, we tried PowerShell and was able to load PowerShell, but I noticed that only ~100 cmdlets loaded. I thought that maybe we had to re-create the account mailbox to get it working properly. Problem was, one of the cmdlets that would not load was Disable-Mailbox along with others like Enable-Mailbox and New-Mailbox. It was as if the admin account we were using had no rights to administer Exchange in any way.
Next, we opened the mailbox in OWA. The mailbox came up okay, so I told the admin to change the URL to /ecp to try and get into the admin center. What happened was that the normal user control panel opened instead, showing again that the account did not have permissions.
We checked replication to the child domain and made sure there were not any apparent AD issues present. There were none. I next started reviewing how Exchange uses RBAC (Role Based Access Control) Groups and Role Assignments to grant users access to Exchange Admin Functionality. I read the following article located HERE.
Something told me to go and check the Schema again, so I went to ADSIEdit > Configuration Container > Services > Microsoft Exchange > (Organization Name) > RBAC > Role Assignments
I looked at the list of role assignments in the window as follows:
RBAC Role Assignments Missing Objects
From the picture, you can see that the list is small, which in my experience is not correct. I verified this by going into my own 2019 environment and comparing the number of objects in that folder:
RBAC Assignments Object list with CORRECT Objects Listed
If you notice the list is MUCH longer and has many more objects listed in the container. So, how did Exchange Setup miss this during preparation? That I will find out later, but first I have to remediate this problem.
CAUSE:
If the RBAC roles assignments are not installed to allow an account to have administrative privileges in Exchange, then you cannot administrate Exchange to even make the necessary changes! Especially so if you’ve only installed ONE server in the environment!
REMEDIATION:
Manually repair the installation by running the script that creates these Objects in the Schema during setup.
******DISCLAIMER: Running the following commands in these instructions, running ADSIEdit, and/or making changes to your Schema and Exchange Installation outside the normal setup process is NOT recommended! Microsoft, LDLNET LLC, nor I (Lance Lingerfelt) are responsible for any issues or errors that may arise from using these instructions, period!******
That said, preform the following to regenerate the objects in the Schema:
1) Open Windows PowerShell (not the Exchange Management Shell) on the server that you installed Exchange Server on with the same account you used to install Exchange.
a. If you have UAC enabled, right click Windows PowerShell and click Run as administrator.
2) Run Start-Transcript c:\RBAC.txt and press Enter
a. This will start logging all commands and output you type to a text file.
3) Run Add-PSSnapin *setup and press Enter
a. This adds the setup snap-in which contains the setup cmdlets used by Exchange during install. You may see errors about loading a format data file. You can ignore those errors. NOTE: DO NOT run any other cmdlets in this snap-in. Doing so could irreparably damage your Exchange installation.
4) Run Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose and press Enter.
a. This cmdlet should create the required role assignments between the role groups and roles that should have been created during setup.
b. Be sure you run with the Verbose switch so we can capture what the cmdlet does.
5) Run Remove-PSSnapin *setup and press Enter
6) Run $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://servername/PowerShell/ -Authentication Kerberos and press Enter
a. Be sure to replace SERVERNAME with the FQDN of your server.
7) Run Import-PSSession $Session and press Enter
a. You should notice that the normal number of cmdlets load (~700)
8) Run Get-ManagementRoleAssignment and press Enter. If you are able to run the cmdlet, then the remedation worked.
9) Run Stop-Transcript and press Enter
The final check is to return to ADSIEdit and check the container and see if all the objects are there. We also were now able to get into EAC as well as saw that the Arbitration mailboxes were populating along with the Health Mailboxes as needed per the installation. It was very neat to see how running the Add-PSSnapIn cmdlet opened all the scripts from the Exchange Setup and allowed me to manually fix the installation problem by running the cmdlet script that need to perform that task that setup missed or refused to run.
POST MORTEM REVIEW
I am going to look over the installation logs and see where the installation failed and try to find out why it did not run on the subsequent re-installations of the AD Prep and Domain Prep. I will post those finding in this article when I have that available. Thanks again to my Microsoft and Trimax teammates for your assistance with this. It has helped the customer in more ways than one!
I had a VM that I had restore in my environment that failed. I had to rebuild the VM and started backing up again. But since then, I have had issues with the checkpoints and kept getting these errors in my backup logs:
Catastrophic Failure to delete the checkpoint.
So. I go into Hyper-V Manager and try to manually delete the checkpoint. I got the same error:
Virtual machine failed to generate VHD tree: ‘Catastrophic failure'(‘0x8000FFFF’)
So, I go and find a blog post explaining how to manually export the checkpoint files to a new VHD and recover the VM in its current state properly so that my backups can start again. Here are the steps:
NOTE: This process will merge changes so previous checkpoints will no longer be available for rollback.
Export the last checkpoint of the VM:
Locate the most recent snapshot and select it. Click Export from the actions menu. Export the VM to a new location. Shutdown the original VM. Once the export completes you will have a new merged vhdx!
Replace the Offending VM with the Exported VM:
Click Import Virtual Machine. The VM will have the name of the snapshot. Power the imported VM on and validate it’s working as desired. Power Off the VM. Once satisfied with the new VM, delete the offending VM and it’s disks. Rename the newly imported VM. Place the virtual disks in their original spots and reconfigure the new VM to go to those locations. Now you’re VM is updated and fixed!
I luckily had enough disk space on my drive to export the VM since it is my WSUS server. I probably could have just deleted the WSUS repository disk, but I did not want to chance it since the other was working. Things are back to their normal, POSITIVE state!
POSITIVE THOUGHTS AND ACTIONS STAY! HAPPY TROUBLESHOOTING!
For most companies today, we want to make access to OWA easy for the users. Most folks will just type in mail.domain.com/owa or something of the like to get to the OWA page. If you don’t use HTTPS by default though, you will not be able to access OWA and will get an error on the page. We need to be able to redirect the HTTP query to go to SSL or HTTPS so that you get the proper logon page and have the access secured by SSL PKI as per the security standard. Now, most bigger companies will install a load balancer that will program the redirection to HTTPS when the request is made before it hits the Exchange Server. But, for small companies, like mine, that cannot afford a load balancer, we need a native way in Windows and Exchange to be able to perform the same task and have it redirect to HTTPS so that your users are not confused when typing in the address.
The following shows how to configure IIS so that it natively redirects all HTTP requests for OWA to HTTPS.
By default in Exchange Server, the URL https://<ServerName> redirects users to https://<ServerName>/owa. But, if anyone tries to access Outlook on the web (formerly known as Outlook Web App) by using http://<ServerName> or http://<ServerName>/owa, they’ll get an error.
You can configure http redirection for Outlook on the web so that requests for http://<ServerName> or http://<ServerName>/owa are automatically redirected to https://<ServerName>/owa. This requires the following configuration steps in Internet Information Services (IIS):
Remove the Require SSL setting from the default website.
Restore the Require SSL setting on other virtual directories in the default website that had it enabled by default (except for /owa).
Configure the default website to redirect http requests to the /owa virtual directory.
Remove http redirection from all virtual directories in the default website (including /owa).
Reset IIS for the changes to take effect.
Step 1: Use IIS Manager to remove the Require SSL setting from the default website
Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.
Expand the server, and expand Sites.
Select Default Web Site. and verify Features View is selected at the bottom of the page.
In the IIS section, double-click SSL Settings.
On the SSL Settings page, clear the Require SSL check box, and in the Actions pane, click Apply.
Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange server (a Command Prompt window you open by selecting Run as administrator) and run the following command:
1
%windir%\system32\inetsrv\appcmd.exe set config"Default Web Site"-section:access-sslFlags:None-commit:APPHOST
Step 2: Use IIS Manager to restore the Require SSL setting on other virtual directories in the default website
When you change the Require SSL setting on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we’re only interested in configuring Outlook on the web, you need to restore the Require SSL setting for other virtual directories that had it enabled by default.
In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
Select the virtual directory, and verify Features View is selected at the bottom of the page.
In the IIS section, double-click SSL Settings.
On the SSL Settings page, select the Require SSL check box, and in the Actions pane, click Apply.
Repeat the previous steps on each virtual directory in the default website that had Require SSL enabled by default ***(except for /owa)***. The only virtual directories that don’t have Require SSL enabled by default are /PowerShell and /Rpc.
NOTE: PLEASE REMEMBER TO NOT CHECK THE “Require SSL” FOR THE /OWA DIRECTORY. THIS WILL CAUSE A 403 Access Denied ERROR WHEN TRYING TO REDIRECT.
Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual directory, and run the following command in an elevated command prompt:
1
%windir%\system32\inetsrv\appcmd.exe set config"Default Web Site/<VirtualDirectory>"-section:Access-sslFlags:Ssl,Ssl128-commit:APPHOST
Step 3: Use IIS Manager to configure the default website to redirect to the /owa virtual directory.
In IIS Manager, expand the server, and expand Sites.
Select Default Web Site. and verify Features View is selected at the bottom of the page.
In the IIS section, double-click HTTP Redirect.
On the HTTP Redirect page, configure the following settings:
Select the Redirect requests to this destination check box, and enter the value /owa.
In the Redirect Behavior section, select the Only redirect requests to content in this directory (not subdirectories) check box.
In the Status code list, verify Found (302) is selected.When you’re finished, click Apply in the Actions pane.
Note: To perform this procedure on the command line, open an elevated command prompt and run the following command:
1
%windir%\system32\inetsrv\appcmd.exe set config"Default Web Site"-section:httpredirect-enabled:true-destination:"/owa"-childOnly:true
Step 4: Use IIS Manager to remove http redirection from all virtual directories in the default website
When you enable redirection on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we’re only interested in configuring redirection for the default website, you need to remove the redirect setting from all virtual directories. By default, no directories or virtual directories in the default website are enabled for redirection. For more information, see the Default Require SSL and HTTP Redirect settings in the default website on an Exchange server section.
Use the following procedure to remove the redirect setting from all virtual directories in the default website (including /owa):
In IIS Manager, expand the server, expand Sites, and expand Default Web Site.
Select the virtual directory, and verify Features View is selected at the bottom of the page.
In the IIS section, double-click HTTP Redirect.
On the HTTP Redirect page, change the following settings:
Clear the Only redirect requests to content in this directory (not subdirectories) check box.
Clear the Redirect requests to this destination check box.
In the Actions pane, click Apply.
Repeat the previous steps on each virtual directory in the default website.
Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual directory, and run the following command in an elevated command prompt:
1
%windir%\system32\inetsrv\appcmd.exe set config"Default Web Site/<VirtualDirectory>"-section:httpredirect-enabled:false-destination:""-childOnly:false
Step 5: Use IIS Manager to restart IIS
In IIS Manager, select the server.
In the Actions pane, click Restart.
Note: You can also perform an IISRESET from and Elevated PowerShell Prompt.
My biggest take away from this was NOT setting the SSL Requirement Properly in the /owa directory when configuring this. By default, the setting is to Require SSL, but to redirect properly, you have to have that Virtual Directory in IIS set to NOT Require SSL. Having the 403 error was driving me crazy. I had to get someone else to look at it, but they didn’t catch it either! That is why I made a point to write this article with the /owa catch in mind. I hope this helps!
HAPPY CONFIGURATION! POSITIVE LIFE WILL BRING SUCCESS!
I wanted to pass this announcement along to everyone so that they are aware of the support ending for Exchange 2010. I personally have noticed a large number of Exchange 2010 environments starting to show age as the newer Outlook clients are having performance issues with Exchange 2010. If your team has not planned an upgrade to Exchange 2016 (you cannot upgrade directly from Exchange 2010 to 2019), I would advise that your team do so very soon. Exchange 2010 has been a great product for many years, but it is finally time for it to retire and allow the next generation of Messaging Services take the stage.
Formal Announcement:
Exchange 2010 End of Support extended to October 2020
Announced today, and in alignment with Office 2010 and SharePoint 2010, and after investigating and analyzing the deployment state of an extensive number of Exchange customers, Microsoft has decided to move Extended Support date for Exchange Server 2010 from January 14th 2020 to October 13th 2020. After October 13th 2020, Microsoft will no longer provide technical support for problems that may occur with Exchange 2010 including:
– bug fixes for issues that are discovered and that may impact the stability and usability of the server – security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches – and time zone updates
Customer installations of Exchange 2010 will, of course, continue to run after this date; however, due to the changes and potential end of support risks, Microsoft strongly recommends customers migrate from Exchange 2010 as soon as possible.
FAQ’s
Can customers upgrade directly to Exchange 2019? Customers cannot upgrade directly from Exchange 2010 on-premises to Exchange Server 2019. They may upgrade to Exchange 2013 or 2016 directly from Exchange 2010 and we of course recommend Exchange 2016.
Since Exchange 2010 runs on Server 2008 and 2008R2, are those operating systems still supported? On January 14, 2020, support for Windows Server 2008 and 2008 R2 will end. That means the end of regular security updates for these Windows customers. Since Exchange Server 2010 runs on top of Windows Server 2008 and Windows Server 2008 R2, it’s important for customers to consider how they will obtain security updates for the underlying operating system. Extended Security Updates for Server 2008 and 2008 R2 are now available for purchase and can be ordered from Microsoft or a Microsoft licensing partner. The delivery of Extended Security Updates (ESU) will begin after the End of Support dates, if and when available.
Does Microsoft support Exchange 2010 on any other Server versions? Exchange Server 2010 SP3, with Update Rollup 26 or higher, installed on Windows Server 2012 R2 is supported until October 13, 2020.
That didn’t quite answer my question. If a customer calls between January 14 and October 13 2020, and is running Exchange 2010 on Server 2008 or 2008 R2, and does not have an ESU for Windows, can they still be assisted? Yes. Per the Lifecycle FAQ. If I am running a Microsoft product that is currently supported under the Lifecycle Policy, but my operating system is no longer supported, can I still receive support? If the problem is specific to the Microsoft product and it is within the Lifecycle Policy, Microsoft will provide support. If the problem is a result of the combination of the operating system and the Microsoft product, the problem will not be supported. More simply:: Exchange 2010 on Server 2008 or 2008 R2: Starting January 14, 2020, provide support until a proven issue is found with the OS. This ends in October 2020. Exchange 2010 SP3 RU26+ on Server 2012 R2: We support regardless, but Exchange support still ends in October 2020.
Will Microsoft be offering Extended Support Updates (ESU’s) for purchase for Exchange 2010 customers? No.
What resources are available for customers? – An upcoming Exchange Team blog post, titled “Exchange On-Premises Best Practices for Migrations from 2010 to 2016,” will provide great technical guidance for customers and support agents with their on-premises migrations. – If migrating to Office 365 and Exchange Online, customers may be eligible to use the free Microsoft FastTrack service. FastTrack provides best practices, tools, and resources to make migration to Office 365 and Exchange Online as seamless as possible. – For customers that run into any problems during their migration to Office 365 and are not eligible for FastTrack, or if migrating to a newer version of Exchange Server, customers can of course utilize Support or the Exchange Technical Community. – Customers may also choose to engage a partner to help. Microsoft has a great number of partners with deep skills in Exchange, and you can browse a list of Exchange partners at https://www.microsoft.com/en-us/solution-providers/home.
HAPPY UPGRADING! CONTACT ME FOR QUESTIONS CONCERNING UPGRADING YOUR EXCHANGE ENVIRONMENT!
I’ve been currently assisting with onboarding at my new Full Time Contractor position at Microsoft. All of the new FTCs received laptops and needed to have the newest build of Windows 10 installed. The issue was that all of our laptops came with Windows 10 Professional and we needed to upgrade them to Enterprise edition.
After finding a working key for Enterprise Edition, we were still having issues joining the MS Azure domain so that we could get all of the needed software properly to being onboarding with Microsoft.
So, after going through a couple of re-images of my laptop with some failures attached to that, I finally was able to get the process down so that time would not be waisted for the oncoming new hires once they received their laptop. The issue was getting the correct build of Windows 10 and getting the proper apps installed in an efficient manner. Since the onboarding process was quickly moving, I needed to find a way to help streamline the process so the others would not have to go through all the mess I went through to get everything setup.
So, I began looking for a way to create a customized ISO for the build that would already have apps, settings, and customizations installed. I found this great article that details the process. I wanted to re-post this article here showing the steps I took to create the customized image by creating a VM in Hyper-V and then converting that completed image to an ISO that could be downloaded and utilized for the installation.
Creating a customized ISO image with pre-installed software and no user accounts
A generalized ISO image without any pre-set user accounts, with pre-installed software, desktop, File Explorer and Start customizations will be created.
All customizations and personalization will automatically be applied to all new user accounts
Clean install will perform a normal OOBE, asking for regional settings, initial user and so on
This ISO will be generalized meaning it is hardware independent and can be used to install Windows on any computer capable of running Windows 10, regardless if the machine is a legacy BIOS machine with MBR partitioning, or a UEFI machine with GPT partitioning
The ISO image will be bootable on both BIOS / MBR and UEFI / GPT systems
NOTE: This post will show how to use a virtual machine to create the ISO. All virtual machine references and instructions in this tutorial apply to Hyper-V, available in Windows 10 PRO, Education and Enterprise editions. Oracle VirtualBox and VMware users might need to consult their preferred virtualization platform’s documentation if instructions can’t be used as is. Everything in this instruction can be made in each edition of Windows 10 (in Home and Single Language editions using a third party virtualization platform) with native Windows tools and programs, apart from Windows Deployment and Imaging Tools, part of Windows 10 Assessment and Deployment Kit (ADK) needed later in the post. The ADK is a free native Microsoft tool, downloadable directly from Microsoft. If you will do this on a Hyper-V virtual machine (which is the recommended method), make sure to set the new virtual machine to use Standard Checkpoints instead of default Production Checkpoints. You can do this in virtual machine’s settings:
Use Standard Checkpoints Virtual machine generation is irrelevant, you can use Generation 1 or 2 as you wish
This method will produce an ISO image which can be compared to any original Windows 10 ISO you download from Microsoft, apart from the fact that it already contains pre-installed software according to your choice. It will also contain a customized and personalized default user profile, the base Windows uses whenever a new user profile will be created.
A customized default user profile means that whenever a new user account is created, all customizations (Start tiles, File Explorer & desktop icon and view settings, colors, wallpaper, theme, screensaver and so on will be applied to new user profile instead of Windows defaults.
Installation using this ISO will take somewhat longer than using a standard ISO because it not only contains full Windows setup, but also the pre-installed software. Notice that depending on how much space pre-installed software takes, you might not be able to burn this ISO to a standard 4.7 GB DVD disk but have to use a dual layer disk or a USB flash drive instead. My customized image came out to be about 8.5 GB in size.
The ISO created will include no user profile folders, personal user data and files.
This ISO image can be used on any hardware setup capable of running Windows and can be shared, subject to people you share the ISO with have valid licenses and / or activation keys for both Windows 10 and pre-installed software.
System Preparation Procedure
Download the Windows ISO Installation tool from Microsoft
Use this TOOL to download the ISO and create the installation media
Install Windows 10 on your VM using the downloaded ISO
NOTE: The normal Windows Download from the link above will download Windows 10 Professional. You will need a key for the installation to upgrade to Enterprise Edition and you will need to be able to activate the copy of Windows to be able to save the customizations you create for your ISO.
Boot into Windows 10 and do the following:
Activate the Windows Edition your are installing with your key. You will require internet connectivity. I needed Enterprise Edition so I changed the Product Key In Settings to upgrade it from Professional.
Install your preferred software, customize and personalize Windows, remove / add Start tiles as you wish, and set your preferred group policies (group policies not available in Home and Single Language editions). Do not run any program you install!
Update all software and run Windows Update to get all the latest updates for the image.
Notice that software installed now will be included in ISO install media, and will be pre-installed for all users on each computer you install Windows to using this custom ISO.
NOTE: If Windows on your reference machine is not activated, you cannot personalize it. In this case you need to modify Windows theme (wallpaper, screensaver, colors, sounds) as you wish on another, activated Windows 10 machine, save the theme as a theme file, copy it to inactivated reference machine and apply (double click). Also notice that Edge as well as other UWP apps do not work when signed in to built-in admin account. If you need a browser to download software you have to use a third party browser or Internet Explorer. IE can be started from Run dialog by typing iexplore and clicking OK.
Open an elevated command prompt and enter the following:
Windows will now restart in Audit Mode using built-in administrator account. You will see a Sysprep prompt in the middle of display:
Sysprep Program Window Leave it open for now
Open Notepad, paste the following code to it, make the necessary changes to customize the installation, and save it as File name: unattend.xml (exactly this name!) Save as type: All files (important!) Save in folder:C:\Windows\System32\Sysprep
When Sysprepping with the Generalize switch, which we will soon do, the component CopyProfile being set to be TRUE in answer file has a small issue or rather a small inconvenience: it leaves the last used user folders and recent files of built-in admin to end user’s Quick Access in File Explorer.
To fix this, we need to reset Quick Access to default whenever a new user signs in first time. It requires the need to run a small batch file at first logon of new user, and then remove the batch file itself from user’s %appdata% so Quick Access will not be reset on any subsequent logon.
To do this, open an elevated (Run as administrator) Notepad (Notepad must be elevated to save in system folders), paste the following code to it, save it as: File name: RunOnce.bat (or any name you prefer, with extension .bat) Save as type: All files (important!) Save File in folder:%appdata%\Microsoft\Windows\Start Menu\Programs\Startup
Delete all existing user accounts and their user profile data (Option One in this tutorial)
You are currently signed in using Windows built-in administrator account. In File Explorer, open C:\Users\Administrator folder and check that all user folders are empty deleting all possibly found content
Run Disk Clean-up, selecting and removing everything possible (tutorial)
When the disk has been cleaned, create a checkpoint of the VM from Hyper-V Manager. Right Click VM > Click Checkpoint
Manual Checkpoint from Hyper-V Manager
In Sysprep dialog still open on your desktop, select System Cleanup Action: Enter System Out-of-Box Experience (OOBE), select Shutdown Options: Shutdown, select (tick the box) Generalize, click OK:
Sysprep Selected Options Before Shutdown
Sysprep will now prepare Windows, shutting down machine when done. LEAVE THE VM OFF AND DO NOT RESTART IT! Now, we continue to the Image Creation section.
Sysprep Preparing the Machine
Image Creation Procedure
On your Hyper-V Host machine, open Disk Management
Select Attach VHD from Action menu:
Browse to and select your reference virtual machine’s VHD / VHDX file. If you have any checkpoints (AVHD / AVHDX files) created on this vm, select the one with most recent time stamp. Note that you have to select show all files to be able to see checkpoint AVHD / AVHDX files:
Select the most recent time stamped file
Select the check box labeled Read-only (this is very important!), then click OK:
BE SURE TO SELECT READ-ONLY
IMPORTANT: Forgetting to select Read-only will especially when mounting a checkpoint AVHD / AVHDX file make it unusable for Hyper-V! You will NOT be able to boot your VM and could corrupt it should you have write access on the mounted VHDX file. Windows mounts the virtual hard disk, and all of its partitions, as separate disk. In case of an MBR disk it even mounts the system reserved partition.
NOTE: In the above picture the Windows system partition for the reference VM is drive K:
Open the Windows system partition VHD to be sure that’s the one where Windows is installed, note the drive letter your host assigned to it.
Open an elevated Command Prompt, enter the following command to create a new install.wim file:
NOTE: D:\install.wim path in this case is the drive and directory where you want to save the image file. K:\ path is the capture path with subfolders of the drive you want to image FROM
dism command
NOTE: The name given in /name switch in above command is irrelevant as we will name the ISO later on, but is needed for the command to run. Use any name you want to for the switch parameter. The image process will take time, go get something to eat as I did. On my high end Hyper-V server this takes over 20 minutes, the first half of it without showing any progress indicator whatsoever. DISM works somewhat faster if you don’t use optional switches /checkintegrity and /verify but it is not recommended that you to create install.wim without checking its integrity and verifying it.
When completed capturing the image, detach the VHD / VHDX or AVHD / AVHDX file from host by right clicking it in Disk Management and selecting Detach VHD:
Detach the VHDX
ISO Image Creation Procedure
Mount the original Windows 10 ISO you downloaded in the first step to a Virtuial Drive on your Hyper-V Server Host.
Copy its contents (everything) to a folder you create on one of your Hyper-V host’s hard disks:
I named the folder ISO_Files and placed it on the D: drive where I had created the image from the previous section. Alternatively, you can copy the contents of a created Windows 10 install USB or DVD to the ISO_Files folder.
Browse to your custom install.wim created earlier in previous section. Copy it to Sources folder under the ISO_Files folder, replacing the original install.wim in that directory:
IMPORTANT: If the ISO you used when copying the files to the ISO_Files folder has been made with Windows Media Creation Tool, the ISO_Files\Sources folder contains an install.esd file instead of install.wim. In this case you will naturally not get “File exists” prompt. Simply delete the install.esd file and paste your custom install.wim to replace it.This will help reduce the overall size of the ISO and not confuse the installation process when ran.
Now, we download the latest Windows Assessment and Deployment Kit(ADK)for Windows 10: Windows ADK downloads – Windows Hardware Dev Center The full download for the ADK is about 7.5 GB but luckily we only need the Deployment Tools portion. So, unselect everything else except Deployment Tools and click Install:
Select Only Deployment Tools for the Installation
Once completed, you should have a folder within your start menu for the ADK Tools Installation under the folder Windows Kits. Start the Deployment and Imaging Tools interface program by Running the Program as an Administrator:
Right Click the Application and “Run As Administrator”
At the command prompt, type cd\ to bring your prompt to the root of the folder path you are on.
Type the following command to initiate creation of the ISO image file:
Replace three instances of d:\iso_files with the path to the ISO_Files folder where you copied Windows installation files. Notice that this is not a typo: first two of these instances are typed as argument for switch -b without a space in between the switch and argument. This is to tell the oscdimg command where to find boot files to be added to ISO.
Replace d:\14986PROx64.iso with the path where you want to store the ISO image. This is where you also name the ISO file what you want the file name to be.
Although the command seems a bit complicated, everything in it is needed. For more information about the oscdimg command line options, see: Oscdimg Command-Line Options
Screenshot of the OSCDIMG command ran
You now have a completed ISO image ready for distribution to your machines. The overall process took me about 4 hours to complete with all the customizations that I did. Thanks again to Ten Forums for the article. I have provided references below for your convenience as well.
The sheer craziness of it all! I noticed that my clocks were off on my servers by FOUR minutes. I had originally set in group policy for the PDC emulator for my domain, a VM on one of my Hyper-V hosts, to get the time from the Public NTP hosts. I then configured a group policy to have all the other machines get their time from the PDC Emulator.
This was working great for me until I realized that my Hyper-V hosts were actually controlling the time of the VMs. They were also configured to get the time from the PDC Emulator, but essentially, due to how Hyper-V is configured, the PDC Emulator VM was getting the time from the Host. So, once the time got thrown off, everything went wacky on me!
I’d read through a couple of articles and found the configuration flaw of Hyper-V and the need for those servers to get their time from the external NTP hosts as well as be configured as NTP servers themselves. This totally went against my Group Policy configuration which caused the issue!
Luckily, I had a stand alone server that is a tertiary DC in the domain not running Hyper-V. I was able to get my time synced again properly after performing the following configuration.
I had to move the FSMO roles to the tertiary DC with the following cmdlet:
The one problem Hyper-V host that was syncing with the DC VM would not change settings via Group Policy nor through the w32tm cmdlet. I even went into the registry and tried to modify the following keys to make the changes stick:
The values would just not change, most likely due to the time not being synchronized. I had to reboot the server and then run through the process again in order for the changes to stick.
I did look at another article that said to do the following on the DC VM in order for time NOT to sync with the Hyper-V Host:
Go into Hyper-V console on the host machine, right-click on the client VM AD server, and select Settings. Once in here, on the left look under:
Management –> Integration Services Untick Time Synchronization Click Apply/OK
Virtual Machine Settings within Hyper-V
Things are running smoothly now. Please view the references at the bottom of the post. There are a couple of great articles about the Time Synchronization process with Hyper-V and why it needs to be setup the way I have it now. I wished I had read it before I originally set this up. I will post the article about getting group policy to handle the time sync process. Just remember, if your PDC Emulator is a VM, don’t sync it to a public NTP server. Sync it to your Hyper-V Host and have the Host sync publicly. In the long run, I think it is a good design solution to have your Hyper-V hosts time synced to the Public NTP servers than having to remember to configure each VM DC you create to NOT time sync with the host. To each is own though, and one thing I learned from working Microsoft, there are multiple ways to get to the same goal that are technically sound methods.
![[image%5B2%5D]](https://lh3.googleusercontent.com/-2gcO6GuKVbc/WS_8yZvOIXI/AAAAAAAAH7o/d5HKAURniMUlyNHZj5fRhh7o72NcMoz4QCHM/s1600/image%255B2%255D)
