Exchange – IT Blog

Lance LingerfeltJune 25, 2019

Exchange Server Client Access URL Configuration Script

In my career, I have to be able to be efficient as most of my projects are on a time crunch schedule. Being able to quickly configure Exchange when setting up a server environment is crucial to the success of the project.

While still honing my skills in PowerShell, I was attempting to create my own script to help configure all of the Virtual Directories in one shot rather than go to each setting and configure them manually. It did not go very well, so as I do, I research and find great professionals that do great work in scripting so that I may learn from them.

In doing so, I found Paul Cunningham’s script that performs this. I took the following script and modified it to add the PowerShell Virtual Directory to it as I like to configure that as well.

***YOU CAN REM THE LINES OUT SHOULD YOU NOT WANT TO CONFIGURE THAT DIRECTORY***

Here is my version of the script:

<#
.SYNOPSIS
ConfigureExchangeURLs.ps1

.DESCRIPTION 
PowerShell script to configure the Client Access server URLs
for Microsoft Exchange Server 2013/2016. All Client Access server
URLs will be set to the same namespace.

If you are using separate namespaces for each CAS service this script will
not handle that.

The script sets Outlook Anywhere to use NTLM with SSL required by default.
If you have different auth requirements for Outlook Anywhere  use the optional
parameters to set those.

.PARAMETER Server
The name(s) of the server(s) you are configuring.

.PARAMETER InternalURL
The internal namespace you are using.

.PARAMETER ExternalURL
The external namespace you are using.

.PARAMETER InternalSSL
Specifies the internal SSL requirement for Outlook Anywhere. Defaults to True (SSL required).

.PARAMETER ExternalSSL
Specifies the external SSL requirement for Outlook Anywhere. Defaults to True (SSL required).

.EXAMPLE
.\ConfigureExchangeURLs.ps1 -Server sydex1 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net

.EXAMPLE
.\ConfigureExchangeURLs.ps1 -Server sydex1,sydex2 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net

.LINK
http://exchangeserverpro.com/powershell-script-configure-exchange-urls/

.NOTES
Written by: Paul Cunningham

For more Exchange Server tips, tricks and news
check out Exchange Server Pro.

* Website:	http://exchangeserverpro.com
* Twitter:	http://twitter.com/exchservpro

Find me on:

* My Blog:	http://paulcunningham.me
* Twitter:	https://twitter.com/paulcunningham
* LinkedIn:	http://au.linkedin.com/in/cunninghamp/
* Github:	https://github.com/cunninghamp

License:

The MIT License (MIT)

Copyright (c) 2015 Paul Cunningham

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Change Log:
V1.00, 13/11/2014 - Initial version
V1.01, 26/06/2015 - Added MAPI/HTTP URL configuration
V1.02, 27/08/2015 - Improved error handling, can now specify multiple servers to configure at once.
V1.03, 09/09/2015 - ExternalURL can now be $null
V1.04, 17/11/2016 - Removed Outlook Anywhere auth settings, script now sets URLs only
V1.05, 18/11/2016 - Added AutodiscoverSCP option so it can be set to a different URL than other services
V1.06, 25/06/2019 - Added PowerShell Virtual Directory Configuration Requiring SSL and using Basic Authentication

.ADDENDUM
V1.06 Modified by Lance Lingerfelt for similar use. 

* Website:	http://www.ldlnet.net
* IT Blog:	       http://itblog.ldlnet.net

#>

#requires -version 2

[CmdletBinding()]
param(
	[Parameter( Position=0,Mandatory=$true)]
	[string[]]$Server,

	[Parameter( Mandatory=$true)]
	[string]$InternalURL,

	[Parameter( Mandatory=$true)]
    [AllowEmptyString()]
	[string]$ExternalURL,

	[Parameter( Mandatory=$false)]
	[string]$AutodiscoverSCP,

    [Parameter( Mandatory=$false)]
    [Boolean]$InternalSSL=$true,

    [Parameter( Mandatory=$false)]
    [Boolean]$ExternalSSL=$true
	)


#...................................
# Script
#...................................

Begin {

    #Add Exchange snapin if not already loaded in the PowerShell session
    if (Test-Path $env:ExchangeInstallPath\bin\RemoteExchange.ps1)
    {
	    . $env:ExchangeInstallPath\bin\RemoteExchange.ps1
	    Connect-ExchangeServer -auto -AllowClobber
    }
    else
    {
        Write-Warning "Exchange Server management tools are not installed on this computer."
        EXIT
    }
}

Process {

    foreach ($i in $server)
    {
        if ((Get-ExchangeServer $i -ErrorAction SilentlyContinue).IsClientAccessServer)
        {
            Write-Host "----------------------------------------"
            Write-Host " Configuring $i"
            Write-Host "----------------------------------------`r`n"
            Write-Host "Values:"
            Write-Host " - Internal URL: $InternalURL"
            Write-Host " - External URL: $ExternalURL"
            Write-Host " - Outlook Anywhere internal SSL required: $InternalSSL"
            Write-Host " - Outlook Anywhere external SSL required: $ExternalSSL"
            Write-Host "`r`n"

            Write-Host "Configuring Outlook Anywhere URLs"
            $OutlookAnywhere = Get-OutlookAnywhere -Server $i
            $OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname $externalurl -InternalHostname $internalurl `
                                -ExternalClientsRequireSsl $ExternalSSL -InternalClientsRequireSsl $InternalSSL `
                                -ExternalClientAuthenticationMethod $OutlookAnywhere.ExternalClientAuthenticationMethod

            if ($externalurl -eq "")
            {
                Write-Host "Configuring Outlook Web App URLs"
                Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/owa

                Write-Host "Configuring Exchange Control Panel URLs"
                Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/ecp

                Write-Host "Configuring ActiveSync URLs"
                Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync

                Write-Host "Configuring Exchange Web Services URLs"
                Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/EWS/Exchange.asmx

                Write-Host "Configuring Offline Address Book URLs"
                Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/OAB

                Write-Host "Configuring MAPI/HTTP URLs"
                Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/mapi

                Write-Host "Configuring PowerShell URLs"
                Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False
            }
            else
            {
                Write-Host "Configuring Outlook Web App URLs"
                Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl https://$externalurl/owa -InternalUrl https://$internalurl/owa

                Write-Host "Configuring Exchange Control Panel URLs"
                Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl https://$externalurl/ecp -InternalUrl https://$internalurl/ecp

                Write-Host "Configuring ActiveSync URLs"
                Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl https://$externalurl/Microsoft-Server-ActiveSync -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync

                Write-Host "Configuring Exchange Web Services URLs"
                Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl https://$externalurl/EWS/Exchange.asmx -InternalUrl https://$internalurl/EWS/Exchange.asmx

                Write-Host "Configuring Offline Address Book URLs"
                Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl https://$externalurl/OAB -InternalUrl https://$internalurl/OAB

                Write-Host "Configuring MAPI/HTTP URLs"
                Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl https://$externalurl/mapi -InternalUrl https://$internalurl/mapi

                Write-Host "Configuring PowerShell URLs"
                Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl https://$externalurl/PowerShell -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False
            }

            Write-Host "Configuring Autodiscover"
            if ($AutodiscoverSCP) {
                Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverSCP/Autodiscover/Autodiscover.xml
            }
            else {
                Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$internalurl/Autodiscover/Autodiscover.xml
            }


            Write-Host "`r`n"
        }
        else
        {
            Write-Host -ForegroundColor Yellow "$i is not a Client Access server."
        }
    }
}

End {

    Write-Host "Finished processing all servers specified. Consider running Get-CASHealthCheck.ps1 to test your Client Access namespace and SSL configuration." -ForegroundColor Yellow
    Write-Host "Refer to http://exchangeserverpro.com/testing-exchange-server-2013-client-access-server-health-with-powershell/ for more details."
    Write-Host "Also check out http://itblog.ldlnet.net for Lance's IT Blog of information!" -ForegroundColor Gray

}

#...................................
# Finished
#...................................

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

.SYNOPSIS

ConfigureExchangeURLs.ps1

.DESCRIPTION

PowerShell script to configure the Client Access server URLs

for Microsoft Exchange Server 2013/2016. All Client Access server

URLs will be set to the same namespace.

If you are using separate namespaces for each CAS service this script will

not handle that.

The script sets Outlook Anywhere to use NTLM with SSL required by default.

If you have different auth requirements for Outlook Anywhere use the optional

parameters to set those.

.PARAMETER Server

The name(s) of the server(s) you are configuring.

.PARAMETER InternalURL

The internal namespace you are using.

.PARAMETER ExternalURL

The external namespace you are using.

.PARAMETER InternalSSL

Specifies the internal SSL requirement for Outlook Anywhere. Defaults to True (SSL required).

.PARAMETER ExternalSSL

Specifies the external SSL requirement for Outlook Anywhere. Defaults to True (SSL required).

.EXAMPLE

.\ConfigureExchangeURLs.ps1 -Server sydex1 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net

.EXAMPLE

.\ConfigureExchangeURLs.ps1 -Server sydex1,sydex2 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net

.LINK

http://exchangeserverpro.com/powershell-script-configure-exchange-urls/

.NOTES

Written by: Paul Cunningham

For more Exchange Server tips, tricks and news

check out Exchange Server Pro.

* Website: http://exchangeserverpro.com

* Twitter: http://twitter.com/exchservpro

Find me on:

* My Blog: http://paulcunningham.me

* Twitter: https://twitter.com/paulcunningham

* LinkedIn: http://au.linkedin.com/in/cunninghamp/

* Github: https://github.com/cunninghamp

License:

The MIT License (MIT)

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

in the Software without restriction, including without limitation the rights

to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

copies of the Software, and to permit persons to whom the Software is

furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all

copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

SOFTWARE.

Change Log:

V1.00, 13/11/2014 - Initial version

V1.01, 26/06/2015 - Added MAPI/HTTP URL configuration

V1.02, 27/08/2015 - Improved error handling, can now specify multiple servers to configure at once.

V1.03, 09/09/2015 - ExternalURL can now be $null

V1.04, 17/11/2016 - Removed Outlook Anywhere auth settings, script now sets URLs only

V1.05, 18/11/2016 - Added AutodiscoverSCP option so it can be set to a different URL than other services

V1.06, 25/06/2019 - Added PowerShell Virtual Directory Configuration Requiring SSL and using Basic Authentication

.ADDENDUM

V1.06 Modified by Lance Lingerfelt for similar use.

* Website: http://www.ldlnet.net

* IT Blog: http://itblog.ldlnet.net

#requires -version 2

[CmdletBinding()]

param(

[Parameter( Position=0,Mandatory=$true)]

[string[]]$Server,

[Parameter( Mandatory=$true)]

[string]$InternalURL,

[Parameter( Mandatory=$true)]

[AllowEmptyString()]

[string]$ExternalURL,

[Parameter( Mandatory=$false)]

[string]$AutodiscoverSCP,

[Parameter( Mandatory=$false)]

[Boolean]$InternalSSL=$true,

[Parameter( Mandatory=$false)]

[Boolean]$ExternalSSL=$true

)

#...................................

# Script

#...................................

Begin {

#Add Exchange snapin if not already loaded in the PowerShell session

if (Test-Path $env:ExchangeInstallPath\bin\RemoteExchange.ps1)

{

. $env:ExchangeInstallPath\bin\RemoteExchange.ps1

Connect-ExchangeServer -auto -AllowClobber

}

else

{

Write-Warning "Exchange Server management tools are not installed on this computer."

EXIT

}

Process {

foreach ($i in $server)

{

if ((Get-ExchangeServer $i -ErrorAction SilentlyContinue).IsClientAccessServer)

{

Write-Host "----------------------------------------"

Write-Host " Configuring $i"

Write-Host "----------------------------------------`r`n"

Write-Host "Values:"

Write-Host " - Internal URL: $InternalURL"

Write-Host " - External URL: $ExternalURL"

Write-Host " - Outlook Anywhere internal SSL required: $InternalSSL"

Write-Host " - Outlook Anywhere external SSL required: $ExternalSSL"

Write-Host "`r`n"

Write-Host "Configuring Outlook Anywhere URLs"

$OutlookAnywhere = Get-OutlookAnywhere -Server $i

$OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname $externalurl -InternalHostname $internalurl `

-ExternalClientsRequireSsl $ExternalSSL -InternalClientsRequireSsl $InternalSSL `

-ExternalClientAuthenticationMethod $OutlookAnywhere.ExternalClientAuthenticationMethod

if ($externalurl -eq "")

{

Write-Host "Configuring Outlook Web App URLs"

Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/owa

Write-Host "Configuring Exchange Control Panel URLs"

Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/ecp

Write-Host "Configuring ActiveSync URLs"

Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync

Write-Host "Configuring Exchange Web Services URLs"

Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/EWS/Exchange.asmx

Write-Host "Configuring Offline Address Book URLs"

Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/OAB

Write-Host "Configuring MAPI/HTTP URLs"

Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/mapi

Write-Host "Configuring PowerShell URLs"

Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False

}

else

{

Write-Host "Configuring Outlook Web App URLs"

Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl https://$externalurl/owa -InternalUrl https://$internalurl/owa

Write-Host "Configuring Exchange Control Panel URLs"

Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl https://$externalurl/ecp -InternalUrl https://$internalurl/ecp

Write-Host "Configuring ActiveSync URLs"

Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl https://$externalurl/Microsoft-Server-ActiveSync -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync

Write-Host "Configuring Exchange Web Services URLs"

Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl https://$externalurl/EWS/Exchange.asmx -InternalUrl https://$internalurl/EWS/Exchange.asmx

Write-Host "Configuring Offline Address Book URLs"

Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl https://$externalurl/OAB -InternalUrl https://$internalurl/OAB

Write-Host "Configuring MAPI/HTTP URLs"

Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl https://$externalurl/mapi -InternalUrl https://$internalurl/mapi

Write-Host "Configuring PowerShell URLs"

Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl https://$externalurl/PowerShell -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False

}

Write-Host "Configuring Autodiscover"

if ($AutodiscoverSCP) {

Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverSCP/Autodiscover/Autodiscover.xml

}

else {

Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$internalurl/Autodiscover/Autodiscover.xml

}

Write-Host "`r`n"

}

else

{

Write-Host -ForegroundColor Yellow "$i is not a Client Access server."

}

End {

Write-Host "Finished processing all servers specified. Consider running Get-CASHealthCheck.ps1 to test your Client Access namespace and SSL configuration." -ForegroundColor Yellow

Write-Host "Refer to http://exchangeserverpro.com/testing-exchange-server-2013-client-access-server-health-with-powershell/ for more details."

Write-Host "Also check out http://itblog.ldlnet.net for Lance's IT Blog of information!" -ForegroundColor Gray

}

#...................................

# Finished

#...................................

NOTES:

PowerShell script to configure the Client Access server URLs for Microsoft Exchange Server 2013/2016. All Client Access server URLs will be set to the same namespace.
If you are using separate namespaces for each CAS service this script will not handle that.
The script sets Outlook Anywhere to use NTLM with SSL required by default.
If you have different auth requirements for Outlook Anywhere use the optional parameters to set those.
The script sets PowerShell to use Basic with SSL required by default.
If you have different authentication requirements for PowerShell use the optional parameters to set those.
PowerShell was added to the settings. Please be sure to REM those lines of code should you NOT want to configure the PowerShell Virtual Directory.

USAGE:

.\ConfigureExchangeURLs.ps1 -Server EX01 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net

1	.\ConfigureExchangeURLs.ps1 -Server EX01 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net

.\ConfigureExchangeURLs.ps1 -Server EX01,EX02,EX03 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net

1	.\ConfigureExchangeURLs.ps1 -Server EX01,EX02,EX03 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net

HAPPY SCRIPTING!
POSITIVE ENERGY!
PLEASE COMMENT!

REFERENCES:
Exchange Server Client Access URL Configuration Script
PowerShell Script to Configure Exchange Server Client Access URLs

Lance LingerfeltJune 12, 2019June 12, 2019

Installing an ‘IP-less’ Exchange Server 2019 Database Availability Group

Yesterday, I posted on how Exchange now uses the Resilient File System (ReFS) to optimize and protect Exchange critical files. Another layer of protection is using a database availability group (DAG) for redundancy and is a necessary factor when designing an Exchange Enterprise Environment.
In this example, I will walk you through the installation of an Exchange Server 2019 DAG as I configured in my environment. This DAG will contain two Exchange Servers in the same site with a third Windows Server 2019 server being the File Share Witness (FSW).

For my configuration, I configured two identical Windows Server 2019 VMs (same procs, RAM, vhdx drives, partitions, etc…). I configured the Exchange Data Volume using ReFS and mounted them to the same folder on the C: Drive on each server. This is very important for replication to take place successfully when the databases are added to the DAG.

Get-MailboxDatabase | fl Name,EDBFilePath,LogFolderPath

Name          : EX01-DB01
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX01-DB01\EX01-DB01.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-DB01

Name          : EX01-ARCHIVE-DB
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX01-ARCHIVE-DB\EX01-ARCHIVE-DB.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-ARCHIVE-DB

Name          : EX02-DB01
EdbFilePath   : C:\Exchange\Data-ReFS\DB\EX02-DB01\EX02-DB01.edb
LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX02-DB01

Get-MailboxDatabase | fl Name,EDBFilePath,LogFolderPath

Name : EX01-DB01

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-DB01\EX01-DB01.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-DB01

Name : EX01-ARCHIVE-DB

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-ARCHIVE-DB\EX01-ARCHIVE-DB.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-ARCHIVE-DB

Name : EX02-DB01

EdbFilePath : C:\Exchange\Data-ReFS\DB\EX02-DB01\EX02-DB01.edb

LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX02-DB01

I next went to the Admin server where the FSW would be hosted and added the Exchange Trusted Subsystem Account to the local Administrators group on that server:

IMPORTANT!
Add the Exchange Trusted Subsystem Account to the Local Administrators Group on the FSW.

NOTE: The reason that this is an ‘IP-less’ DAG is that I’m creating a DAG with no cluster administrative access point (CAAP). The DAG has no IP address of its own, and no computer object in Active Directory. The main implication of this is that backup software that relies on the CAAP or backup operations won’t work. This option of an ‘IP-less’ DAG was first introduced in Exchange Server 2013 SP1/CU4, so by now any decent backup products should support this configuration. But you should always verify this with your backup vendor of choice. Also be aware that this is only supported for DAGs that are running on Windows Server 2012 R2 (or later).

Next, we create the DAG from Exchange PowerShell using the New-DatabaseAvailabilityGroup cmdlet. Now remember that since you are using the ReFS system for your database volumes, you will need to specify the -FileSystem parameter within the cmdlet to assure proper setup and replication of the data files.

New-DatabaseAvailabilityGroup -Name LDLNETDAG01 -WitnessServer admin01.ldlnet.org -FileSystem ReFS
 
Name             Member Servers                                      Operational Servers
----             --------------                                      -------------------
LDLNETDAG01      {}

New-DatabaseAvailabilityGroup -Name LDLNETDAG01 -WitnessServer admin01.ldlnet.org -FileSystem ReFS

Name Member Servers Operational Servers

---- -------------- -------------------

LDLNETDAG01 {}

Next, we add the Exchange Servers that hold the databases that will be replicated within the DAG:

Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX01

1	Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX01

Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX02

1	Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX02

The DAG will now show the two servers as Operational Member Servers:

Get-DatabaseAvailabilityGroup -Status | ft -a -wr

Name        Member Servers         Operational Servers
----        --------------         -------------------
LDLNETDAG01 {EX01, EX02}           {EX01, EX02}

Get-DatabaseAvailabilityGroup -Status | ft -a -wr

Name Member Servers Operational Servers

---- -------------- -------------------

LDLNETDAG01 {EX01, EX02} {EX01, EX02}

The FSW Directory was created on the admin01 server when the DAG was created. We can verify that with the following cmdlet:

Get-DatabaseAvailabilityGroup -Status | fl *Witness*


WitnessServer             : admin01.ldlnet.org
WitnessDirectory          : C:\DAGFileShareWitnesses\LDLNETDAG01.ldlnet.org
AlternateWitnessServer    :
AlternateWitnessDirectory :
WitnessShareInUse         : Primary
DxStoreWitnessServers     :

Get-DatabaseAvailabilityGroup -Status | fl *Witness*

WitnessServer : admin01.ldlnet.org

WitnessDirectory : C:\DAGFileShareWitnesses\LDLNETDAG01.ldlnet.org

AlternateWitnessServer :

AlternateWitnessDirectory :

WitnessShareInUse : Primary

DxStoreWitnessServers :

Next, we add the databases that we want replicated to the DAG as replicated databases. I want all my Databases on EX01 to replicate to EX02 and vice versa for the EX02 Databases. I want the activation preference to remain on the server that the databases were originally created on so I will use the -ActivationPreference parameter to accomplish that. I will go into more detail on Activation Preference in another post.

Add-MailboxDatabaseCopy -Identity EX01-DB01 -MailboxServer EX02 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX01-DB01 -MailboxServer EX02 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity EX01-ARCHIVE-DB -MailboxServer EX02 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX01-ARCHIVE-DB -MailboxServer EX02 -ActivationPreference 2

Add-MailboxDatabaseCopy -Identity EX02-DB01 -MailboxServer EX01 -ActivationPreference 2

1	Add-MailboxDatabaseCopy -Identity EX02-DB01 -MailboxServer EX01 -ActivationPreference 2

Now we verify that the Database Copies are healthy on each replication member using the Get-MailboxDatabaseCopyStatus cmdlet. You will see a Healthy Status on the replicated copies:

Get-MailboxDatabaseCopyStatus -Server EX01 | ft -a -wr

Name                        Status  CopyQueueLength ReplayQueueLength LastInspectedLogTime  ContentIndexState
----                        ------  --------------- ----------------- --------------------  -----------------
EX01-DB01\EX01              Mounted 0               0                                       NotApplicable
EX01-ARCHIVE-DB\EX01        Mounted 0               0                                       NotApplicable
EX02-DB01\EX01              Healthy 0               0                 6/12/2019 11:03:03 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX01 | ft -a -wr

Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState

---- ------ --------------- ----------------- -------------------- -----------------

EX01-DB01\EX01 Mounted 0 0 NotApplicable

EX01-ARCHIVE-DB\EX01 Mounted 0 0 NotApplicable

EX02-DB01\EX01 Healthy 0 0 6/12/2019 11:03:03 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX02 | ft -a -wr

Name                        Status  CopyQueueLength ReplayQueueLength LastInspectedLogTime  ContentIndexState
----                        ------  --------------- ----------------- --------------------  -----------------
EX02-DB01\EX02              Mounted 0               0                                       NotApplicable
EX01-ARCHIVE-DB\EX02        Healthy 0               0                 6/12/2019 11:06:44 AM NotApplicable
EX01-DB01\EX02              Healthy 0               0                 6/12/2019 10:46:40 AM NotApplicable

Get-MailboxDatabaseCopyStatus -Server EX02 | ft -a -wr

Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState

---- ------ --------------- ----------------- -------------------- -----------------

EX02-DB01\EX02 Mounted 0 0 NotApplicable

EX01-ARCHIVE-DB\EX02 Healthy 0 0 6/12/2019 11:06:44 AM NotApplicable

EX01-DB01\EX02 Healthy 0 0 6/12/2019 10:46:40 AM NotApplicable

POSITIVE ENERGY!
KILL NARCISSISM!
HAPPY TROUBLESHOOTING!

REFERENCES:
Installing an Exchange Server 2016 Database Availability Group

Lance LingerfeltJune 11, 2019June 12, 2019

Using the Resilient File System for Exchange Server

In my ongoing effort for becoming more knowledgeable on Exchange Server, I found that the preferred new file system for Exchange Databases and Log files is the ReFS.
ReFS is not that new. Microsoft’s Resilient File System (ReFS) was introduced with Windows Server 2012. ReFS is not a direct replacement for NTFS, and is missing some underlying NTFS features, but is designed to be (as the name suggests) a more resilient file system for extremely large amounts of data.

Support for ReFS with Exchange Server

From Exchange Server 2013 and upwards (which includes Exchange Server 2019 today) Microsoft supports the use of ReFS for Exchange servers, and in fact they now recommend it as the preferred file system for Exchange Server 2019, within the following guidelines.

For Exchange Server 2013:

ReFS is supported for volumes containing Exchange database files, log files, and content index files.
ReFS is not supported for volumes containing Exchange binaries (the program files).
ReFS is not supported for volumes containing the system partition.
ReFS data integrity features must be disabled for the database (.edb) files or the entire volume that hosts database files.
Hotfix KB2853418 must be installed.
For Windows 2012, the following hotfixes must be installed:

This means that you should continue to use NTFS for your operating system and Exchange Server 2013 installation volume, but you can consider using ReFS for the volumes hosting Exchange databases, log files, and index files.

For Exchange Server 2016:

ReFS is supported for volumes containing Exchange database files, log files, and content index files.
ReFS is not supported for volumes containing Exchange binaries (the program files).
ReFS is not supported for volumes containing the system partition.
ReFS data integrity features are recommended to be disabled.
For Windows 2012, the following hotfixes must be installed:

This means that you should continue to use NTFS for your operating system and Exchange Server 2016 installation volume, and it is recommended ReFS for the volumes hosting Exchange databases, log files, and index files.

For Exchange Server 2019:

ReFS is supported for volumes containing Exchange database files, log files, and content index files.
ReFS is not supported for volumes containing Exchange binaries (the program files).
ReFS is not supported for volumes containing the system partition.
ReFS data integrity features are recommended to be disabled.

This means that you should continue to use NTFS for your operating system and Exchange Server 2019 installation volume, and it is recommended ReFS for the volumes hosting Exchange databases, log files, and index files.

Creating an ReFS Formatted Volume

In Windows Server during the New Volume Wizard when you get to the step for configuring File System Settings change the file system from NTFS to ReFS.

NOTE: Using the New Volume Wizard does not give you the option to disable data integrity at the volume level. To set it at the volume level itself use PowerShell when configuring new volumes. I found this out the hard way and am now re-configuring my volumes to disable the Integrity Streams.

I needed to create the mount point to mount the volume to:

New-Item C:\Exchange\Data-ReFS -Type Directory

1	New-Item C:\Exchange\Data-ReFS -Type Directory

I then got a list of my available disks:

get-disk

get-disk

In my case, disk 2 was the one I needed to format and change. I had to create a new partition and then format it:

Get-Disk -Number 2 | New-Partition -UseMaximumSize

1	Get-Disk -Number 2 \| New-Partition -UseMaximumSize

Get-Partition -DiskNumber 2 -PartitionNumber 2 | Format-Volume -FileSystem ReFS -NewFileSystemLabel "EXCH2019-EDBDATA" -AllocationUnitSize 65536 -SetIntegrityStreams:$False -Confirm:$False

1	Get-Partition -DiskNumber 2 -PartitionNumber 2 \| Format-Volume -FileSystem ReFS -NewFileSystemLabel "EXCH2019-EDBDATA" -AllocationUnitSize 65536 -SetIntegrityStreams:$False -Confirm:$False

Once formatted, I mount the volume to the Directory created earlier:

Add-PartitionAccessPath -DiskNumber 2 -PartitionNumber 2  -AccessPath C:\Exchange\Data-ReFS

1	Add-PartitionAccessPath -DiskNumber 2 -PartitionNumber 2 -AccessPath C:\Exchange\Data-ReFS

NOTE: Partition 1 on a disk is always reserved for system files on the drive volume. So the active partitions will always start at 2.

Lastly, verify that the partition is online and that the Integrity Streams are turned off:

get-partition -DiskNumber 2 -PartitionNumber 2 | fl

1	get-partition -DiskNumber 2 -PartitionNumber 2 \| fl

Get-FileIntegrity C:\Exchange\Data-ReFS

1	Get-FileIntegrity C:\Exchange\Data-ReFS

Additional Considerations

When you are deploying an Exchange 2016 or 2019 DAG and using Autoreseed, the disk reclaimer needs to know which file system to use when formatting spare disks. So when, creating a DAG in Exchange PowerShell, make sure to set the -FileSystem parameter. For Exchange Server 2013 DAGs, manually format the spare volumes with ReFS.

Set-DatabaseAvailabilityGroup NameOfYourDAG -FileSystem ReFS

1	Set-DatabaseAvailabilityGroup NameOfYourDAG -FileSystem ReFS

More coming soon. I will post how I setup the “IP-less” DAG for my environment and got replication functional for my Exchange Databases.

REFERENCES:
Exchange 2013 storage configuration options
Exchange 2016 Preferred Architecture
Exchange Storage for Insiders: It’s ESE (Ignite video)
ReFS Exchange Server Volumes
Preparing ReFS Volumes for Exchange

Lance LingerfeltMay 8, 2019

Importing User Photos to Office 365 in bulk for your company.

In a previous post, I showed how you could update one user’s photo for their Outlook and AD profiles via PowerShell. In this post, we will explore how to do this for your entire organization via PowerShell to Office365.

NOTE: I have not tested the scripts as I do not have enough mailboxes in my O365 tenant along with not using a ‘.’ in my alias. If the scripts are incorrect, please inform me with the correction and I will update accordingly.

Please make sure that your photos are reviewed before posting, and try to keep the file size of the photos to a minimum. In Office 365, there exists a limitation for the user photo not to be more than 10 KB in size, but I will show you how to get around that limitation.

Having a user photo for each of your users is very beneficial as it personalizes each account to a face in the company. The user photos can be viewed in below locations:

Outlook Web Access
Contact Card
Thumbnail in emails
Outlook Client
Yammer
Lync Client
SharePoint (People Search / Newsfeed)

Steps to take:

Remove the 10KB photo size limitation in Exchange Online
Prepare a folder with all users photos
Update the profile photos via a PowerShell cmdlet.

Connect to Exchange Online with the RPS Proxy Method to remove the 10K size limitation

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

NOTE: In the PowerShell cmdlet above, we connected using a different proxy method. This was to overwrite the limitation of uploading the images with size more than 10KB. Using the different proxy method (/?proxyMethod=RPS ) to connect to Office 365 in the above cmdlet accomplishes this.

Prepare a folder locally and place all the photos in that folder

Create a folder named C:/UserPics and make the filename of each photo be the username of that particular user. (i.e. llingerfelt.png)
The below script should be able account for aliases that have a ‘.’ in the id as well. (i.e. lance.lingerfelt)

NOTE: From my research, there is no set photo type that is required for the photo. My suggestion would be to keep the photos .png for size constraints while maintaining picture clarity.

Update the profile pictures via PowerShell

Create the following script and name it Photos-Update.ps1

$path= 'C:\UserPics\'
$Images = Get-ChildItem $path
$Images |Foreach-Object{
$Identity = ($_.Name.Tostring() -replace '.png','')
$PictureData = $path+$_.name
Set-UserPhoto -Identity $Identity -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false }

$path= 'C:\UserPics\'

$Images = Get-ChildItem $path

$Images |Foreach-Object{

$Identity = ($_.Name.Tostring() -replace '.png','')

$PictureData = $path+$_.name

Set-UserPhoto -Identity $Identity -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false }

Run Photos-Update.ps1 and the script should upload the photos to Office 365 and apply each photo to the corresponding user.

NOTE: If you’re still having some issues with the alias having a ‘.’ in the name, you can also configure the Photos-Update.ps1 script in this manner to get that working properly:

$path= 'C:\UserPics\'
$Images = Get-ChildItem $path
$Images |Foreach-Object{
$Identity = ($_.Name.Tostring() -split "\.")
$count = $Identity.count
If($count -gt 2)
{
for($i=0; $i -le $count-2; $i++)
{
$username=$username+$Identity[$i]+"."
}
$Id=$username.TrimEnd(".")
}
Else
{
$Id=$Identity[0]
}
$PictureData = $path+$_.name
Set-UserPhoto -Identity $Id -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false
$username=$null
}

$path= 'C:\UserPics\'

$Images = Get-ChildItem $path

$Images |Foreach-Object{

$Identity = ($_.Name.Tostring() -split "\.")

$count = $Identity.count

If($count -gt 2)

{

for($i=0; $i -le $count-2; $i++)

{

$username=$username+$Identity[$i]+"."

}

$Id=$username.TrimEnd(".")

}

Else

{

$Id=$Identity[0]

}

$PictureData = $path+$_.name

Set-UserPhoto -Identity $Id -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false

$username=$null

}

HAPPY SCRIPTING!
PLEASE COMMENT!

store.ldlnet.net — LDLNET LLC! Your Source for Pofessional IT Services!

www.servermonkey.com — Contact ServerMonkey.com for your IT Hardware Needs!

REFERENCES:
How to import Office365 User photos over 10KB & without CSV in bulk

Lance LingerfeltMay 1, 2019May 7, 2019

New Certification from Microsoft

I took this exam back in February as a beta test. It finally got graded and I passed! I am now Cloud Certified in Messaging.

LDLNET - Banner — LDLNET LLC – Life In Action! Your Source for Professional IT Services!

Lance LingerfeltApril 29, 2019

Set the profile pic for a single Exchange user via PowerShell

I wanted to update my picture within my Outlook profile and AD account really quickly without having to go through OWA to do so. I found this cmdlet that will allow for that picture to be changed very quickly via Exchange PowerShell.

NOTE: This can be done with On-Premises Exchange and Exchange Online PowerShell

First, download the picture you want to use to the computer that you want to run the cmdlet from. Also, make sure the picture is cropped and centered prior to running the cmdlet. I saved the pic to C:\temp for my scenario. The best format to use would be jpg. I named the file User1_Profile.jpg

Next, open Exchange PowerShell on the computer you saved the pic to and run the following cmdlet to change the photo:

Set-UserPhoto "User1" -PictureData ([System.IO.File]::ReadAllBytes("C:\temp\User1_Profile.jpg")) -Confirm:$False

1	Set-UserPhoto "User1" -PictureData ([System.IO.File]::ReadAllBytes("C:\temp\User1_Profile.jpg")) -Confirm:$False

Once completed, the Outlook client should be closed and reopen so that the new picture is visible in the profile.

I will post how to perform this for multiple users for Exchange and Office365 in a later post.

REFERENCES:
Set User Photo with Exchange PowerShell

Lance LingerfeltApril 24, 2019

Purging Soft Deleted mailboxes from Exchange Server

If you’re a seasoned administrator, you have knowledge that in Exchange, the database settings will allow you to set the deleted mailbox retention. The default is 30 days, but sometimes you need to purge all those deleted mailboxes to do some ‘spring cleaning’ as it were. Note that doing these cmdlets does not change the ‘Whitespace’ of the database or the size. In my case, I had to purge everything of a toxic individual that was tainting my network much to my disappointment and did the following to complete that task.

The following cmdlet will seek all Soft Deleted mailboxes within the database you select and manually purge them from Exchange.

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

1	Get-MailboxStatistics -Database "DB01" \| where {$_.DisconnectReason -eq "SoftDeleted"} \| foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

Now, should you only want to remove one mailbox, you will need to get the GUID of that Soft Deleted mailbox first so that you can enter it for the identity parameter.

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | Sort-Object DisconnectDate -descending | ft -a -wr

Get the Mailbox GUID in the list for the deleted mailbox. 
Then Run:

Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState SoftDeleted | ft -a -wr

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | Sort-Object DisconnectDate -descending | ft -a -wr

Get the Mailbox GUID in the list for the deleted mailbox.

Then Run:

Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState SoftDeleted | ft -a -wr

You can also preform a similar task for a disabled mailbox:

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | Sort-Object DisconnectDate -descending | ft -a -wr

Get the Mailbox GUID in the list for the deleted mailbox. 
Then Run:

Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState Disabled | ft -a -wr

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | Sort-Object DisconnectDate -descending | ft -a -wr

Get the Mailbox GUID in the list for the deleted mailbox.

Then Run:

Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState Disabled | ft -a -wr

You can perform the task on all disabled mailboxes for that database as well:

Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled}

1	Get-MailboxStatistics -Database "DB01" \| where {$_.DisconnectReason -eq "Disabled"} \| foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled}

NOTE: I would be very careful when performing either of these cmdlets as they will completely purge the mailboxes from the schema. If these cmdlets assist you with your ‘spring cleaning’, I will have been happy to assist.

HAPPY PURGING!
PLEASE COMMENT!
IGNORANCE IS NOT BLISS!

References:
Purging Deleted Mailboxes on Exchange 2013

Server Monkey — LDLNET LLC’s Preferred Server Equipment Hardware Vendor

Lance LingerfeltApril 3, 2019

Customize your Outlook Web App Logon Page

As many of you are aware, Microsoft provides a default logon page for OWA, the Outlook Web App. Most companies, like myself want to be able to customize that page so that it suites your organization. Here is what my company OWA page looks like:

I have changed the color on the left to match my scheme, replaced the Outlook Logo with my company logo, and added a disclaimer to notify users. Below is the process to do that effectively for your organization.

NOTE: Every time you install an Exchange Cumulative Update (CU) or new version of Exchange Server these modified files will be replaced. Remember to backup your original and changed files to another folder so that you can replace them when you Update or Upgrade or if something goes wrong with the changes.

Use Notepad to open the file:

%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources\logon.css

In the logon.css file, replace the default blue hexidecimal color value #0072c6 with the HTML RGB value that you want to use. You can use the following LINK to choose the color you wish to use.

When you’re finished, save and close the file.

Here are the different graphics that can be changed on the OWA logon page and their associated files:

Outlook on the Web sign-in page with element call-outs

Image	File name	Location	Dimensions (width x height in pixels)	Bit depth
1	favicon.ico	`%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources`	16 x 16	32
2	olk_logo_white.png	`%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources`	128 x 108	32
3	owa_text_blue.png	`%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources`	300 x 76	32
4	Sign_in_arrow.png (for left-to-right languages) Sign_in_arrow_rtl.png (for right-to-left languages)	`%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources`	22 x 22	32

Just resize your images to the given dimensions in the table, rename them to the file name, and replace the files in the directory.

Change the disclaimer text for your OWA logon page

Next, we want to add a disclaimer to our logon page. To do that, we need to modify the logon.aspx document in the following directory:

%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\logon.aspx

Open the file in Notepad or your favorite HTML editor and search for the text ‘hidden-submit’. When you find the text, you can add your disclaimer text under the div class=”disclaimer” tag as I did in the following example:

<div class="hidden-submit"><input type="submit" tabindex="-1"/></div>
<div class="disclaimer"><p><b>Warning</b>: The website you are about to use is owned by Company Name and is intended to be used for official company business. As such, Company Name reserves the right to monitor all activity on all Company Name provided equipment and services. Use of Company Name provided information systems and networks in violation of company guidelines will result in disciplinary action, up to and including prosecution.</p>
            <p>

            <b>Violators</b>: They Will Be Prosecuted!

            </p> 
	</div>
    </div>

<div class="disclaimer"><p><b>Warning</b>: The website you are about to use is owned by Company Name and is intended to be used for official company business. As such, Company Name reserves the right to monitor all activity on all Company Name provided equipment and services. Use of Company Name provided information systems and networks in violation of company guidelines will result in disciplinary action, up to and including prosecution.</p>

<p>

<b>Violators</b>: They Will Be Prosecuted!

</p>

</div>

Save your logon.aspx file and give your OWA server an IISRESET for good measure. You should be good to logon with the new page from that point on.

HAPPY CONFIGURING!
PLEASE COMMENT!
THANKS FOR YOUR SUPPORT!

References:
Customize the Outlook on the web sign-in, language selection, and error pages in Exchange Server
CUSTOMIZE EXCHANGE 2016 OUTLOOK ON THE WEB SIGN IN PAGE
Customizing Exchange 2016 OWA

Lance LingerfeltMarch 27, 2019March 27, 2019

Installation of Exchange Server 2019 on Windows Server 2019

I have realized recently that I am an Exchange Messaging Professional, but yet, I have not posted the methodology of how I install an Exchange Server Mailbox Role. So here it is!

Install Windows Server 2019

Exchange Server 2019 requires Windows Server 2019 to run. For my environment, I haven’t necessarily need to follow all the enterprise level design aspects of database numbers to mailbox size ratios, number of servers, front/back end configurations, DAG Implementation, etc… If you want or need to delve into that realm, you can go here. I have need for a single server with only a few databases for a small number of mailboxes, so I am approaching it from that standpoint.

So first, in Hyper-V, I configured my VM with the following specifications:

Processors: 2 procs with 2 cores each – 4 Virtual Processors Total
RAM: 32GB with dynamic memory enabled optional
Drives: 2 .vhdx drives of 120GB each (OS / Exchange Data)
CD: Windows 2019 ISO
Default Settings for the rest of the VM Settings

Next I installed Windows Server 2019 Datacenter with the GUI! You can install it on Server Core if you wish. That information can be found in this link.

I ran through the setup of Windows and installed the OS on my first vhdx drive. I booted up, set the local admin password, and logged in. Once in Windows, I went to the Local Server Settings in Server Manager and configured the following settings:

Set the Date, Time, and Time Zone. (Once in the Domain, this would sync through Group Policy)
Set IE ESC to allow Administrators to have full IE access.
Set Remote Desktop Settings to gain RDP access. (This would be locked down with Group Policy as well once on the Domain)
Set the IP Settings to Static Settings. (DNS Servers, Gateway, WINS, etc…)
Join the server to the Active Directory Domain.
Reboot the VM Server.
Logon to your Domain.
Configure Windows Update Settings. (I have WSUS through Group Policy, this was configured automatically upon reboot)
Download and install all Windows Updates for the server. Then Reboot.
Open Disk Management and configure the secondary vhdx drive to be your Exchange Data Drive.
I configured the drive to be a mounted folder ‘C:\Exchange\Data’ rather than another drive letter as that seems to be the more accepted form of installation for the data drive these days. That is based on the multiple configurations that I have seen for Exchange through experience in Enterprise environments. Again, to each is own and depending on you design specifications, you might want to do that differently.

Next, we need to install the prerequisites for the Exchange Mailbox Server. I have always used practical365.com to get the PowerShell script to install the prerequisites, but couldn’t find the article this time. Great site though! Instead, I got the information and ran the following from an elevated PowerShell Session locally on the server:

Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs

Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs

As part of the prerequisites you will need to install the following packages onto the server as well:

UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013

Once completed, you can begin the install of Exchange. If this is your first Exchange 2019 Server in your Organization, then you will need to run the following to update the Forest, Schema, and Domain so that Exchange will install properly:

setup.exe /p /IacceptexchangeServerLicenseTerms

1	setup.exe /p /IacceptexchangeServerLicenseTerms

setup.exe /ps /IacceptexchangeServerLicenseTerms

1	setup.exe /ps /IacceptexchangeServerLicenseTerms

setup.exe /pad /IacceptexchangeServerLicenseTerms

1	setup.exe /pad /IacceptexchangeServerLicenseTerms

NOTE: If you run into Prerequisite issues with the installation due to a “pending reboot”, check out my blog post for information on remediation of that issue.

Now that the environment is prepared for Exchange, you can actually begin the installation. I wanted to make my default database and logs folder to be on the Exchange Data volume that I created, so I included those settings in the setup command. Please look at the reference to the setup.exe switches for more information on that. Here is the command:

setup.exe /Mode:Install /IacceptexchangeServerLicenseTerms /Role:Mailbox /DBFilePath:"C:\Exchange\Data\MDB\EX2019-DB01.edb" /LogFolderPath:"C:\Exchange\Data\LOGS" /MdbName:"EX2019-DB01"

1	setup.exe /Mode:Install /IacceptexchangeServerLicenseTerms /Role:Mailbox /DBFilePath:"C:\Exchange\Data\MDB\EX2019-DB01.edb" /LogFolderPath:"C:\Exchange\Data\LOGS" /MdbName:"EX2019-DB01"

Setup should go through the installation via the PowerShell window and complete successfully. Reboot the Exchange Server, then you can then logon to the Exchange Admin Center and begin the process of configuration of how you need to integrate the Mailbox Server into your Server Farm. That configuration is for a later post.

PLEASE CHECK BACK FOR UPDATES!
PLEASE COMMENT!

References:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Install Exchange Server 2019 on Windows Server 2019 Core
Exchange Server Design Planning
Use unattended mode in Exchange Setup
Practical365 on Exchange 2019

Lance LingerfeltMarch 23, 2019

Exchange Hybrid Configuration Wizard Link

Wanted to do a quick post as I was working on my Hybrid Exchange Environment. I was unable to get the HCW to download and start from the Exchange Control Panel with the link provided on the page. This has happened to me for a while, so I went online and found a link that would work that could be downloaded and reused to open the HCW:

Hybrid Configuration Wizard Link

HOPE THIS HELPS!
LET ME HAVE KNOWLEDGE SHOULD THE LINK CHANGE!

References:
HYBRID CONFIGURATION WIZARD WON’T START ON WINDOWS 2016

Lance LingerfeltMarch 13, 2019

Exchange Setup Repeatedly Says ‘A Restart from a Previous Installation is Pending’

I have had this issue with EVERY upgrade that I have ever attempted for Exchange Server from 2013 through 2019 CU1. You go to run the setup program and during the prerequisite checks, setup stops. The error listed is:

A restart from a previous installation is pending. Please restart the system and rerun setup.

During the prerequisite checks, Exchange Setup looks in the registry at the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Nine times out of ten, a restart does NOT remediate this error. In order for setup to continue properly, you must do the following:

Open regedit: Start > Run > regedit.exe

Set the HKLM\SOFTWARE\Microsoft\Updates\UpdateExeVolatile key value to 0 or delete it if present. <– This one is usually NOT present.

Delete the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations key.

Re-run Setup.

You should now be able to run setup and upgrade your Exchange Server.

PLEASE COMMENT!
HAPPY TROUBLESHOOTING!

References:
A Restart From Another Installation Is Pending
Exchange Setup Fails – A Restart From Another Installation Is Pending
Microsoft Document – A Restart From Another Installation Is Pending

Lance LingerfeltFebruary 21, 2019February 21, 2019

Reconnecting Shared Mailboxes after an O365 Migration

I get a lot of these incidents in my queue after a user has been migrated to O365. For whatever reason, most likely due to the mailbox being moved itself, whether it is the user’s mailbox, the shared mailbox, or both, the connections to the shared mailboxes stop working in Outlook and the user cannot connect to the shared mailbox.

Here is a quick and easy solution to use to disconnect and reconnect the shared mailbox(es) that you lose connectivity to when migrated. This is usually performed on Outlook 2016 and above as most users upgrade their client software when moved to O365.

First, we remove the existing shared mailbox connection:

Click the File > Account Settings > Account Settings.

Select your company email address in the account list.

Click Change > More Settings > Advanced tab > Select the Shared Mailbox > Remove

Click Apply > OK > Next > Finish.

The shared mailbox will now automatically be removed in your Folder pane in Outlook.

Second, we re-add the shared mailbox connection to Outlook:

Click the File > Account Settings > Account Settings.

Select your company email address in the account list.

Click Change > More Settings > Advanced tab > Add

Type the name of the shared mailbox in the window and click OK.

Click Apply > OK > Next > Finish.

The shared mailbox will now automatically be added to your Folder List pane within Outlook.

Note: The above procedure must be followed in order to properly reconnect the shared mailbox. You cannot remove and re-add the mailbox in the same process as that will not reset the connection properly. You must save the settings when disconnecting.

I hope that this will assist everyone when troubleshooting Outlook connectivity issues to shared mailboxes after a migration.

HAPPY TROUBLESHOOTING!
PLEASE COMMENT!

Lance LingerfeltFebruary 21, 2019

Moving mailboxes to O365 via PowerShell in Hybrid Configuration

As many of you have knowledge, I am studying for my MS-202 Exam. And, part of the knowledge needed is to be able to migrate mailboxes between on premises and Exchange Online through PowerShell. Here are the steps for the scenario to move a mailbox from on premises to O365:

1. Connect to Exchange Online via PowerShell

If you have read my previous post: Connect to All PowerShell Modules in O365 with one script
You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.

2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.

$OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds"

1	$OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds"

3. Move a single mailbox.

In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
Now we initiate the move with the cmdlet. Similar to what you would do in the GUI, this simple mailbox move cmdlet initiates the move request. It has most of the same parameters as a local move request including BadItemLimit, LargeItemLimit, AcceptLargeDataLoss, etc…

Use the following LINK for documentation on the New-MoveRequest cmdlet.

#Set the identity of the mailbox being moved
$user = Read-Host "Enter the alias or E-Mail Address of the user being migrated: "

#Next Run the cmdlet for the New Mailbox Move Request
New-MoveRequest -Identity $user -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "$user Mailbox Move to O365"

#Get the status of the mailbox move to completion
Get-MoveRequest | ? {$_.alias -eq "$user"} | Get-MoveRequestStatistics | fl

#Set the identity of the mailbox being moved

$user = Read-Host "Enter the alias or E-Mail Address of the user being migrated: "

#Next Run the cmdlet for the New Mailbox Move Request

New-MoveRequest -Identity $user -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "$user Mailbox Move to O365"

#Get the status of the mailbox move to completion

Get-MoveRequest | ? {$_.alias -eq "$user"} | Get-MoveRequestStatistics | fl

Now with all migration projects, we expect to have to move multiple mailboxes in a single batch. The following will show the process for moving mailboxes in bulk from on premises to O365:

2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.

$OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds"

1	$OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds"

3. Move multiple mailboxes in a single batch.

In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.

This time you want to create a CSV file using the alias or emailaddress as your header and then list the appropriate value for all the users in your batch group. Save the file locally as MigrationBatch01.csv or a name of your choice.

Next you initiate the mailbox moves. When specifying the mailbox identity in the cmdlet, use the respective header in your variable declaration (either $user.EMailAddress OR $user.Alias)

Use the following LINK for documentation on the New-MoveRequest cmdlet.

#Import the CSV into the variable state
$mailboxes = Import-CSV C:\Migration\MigrationBatch01.csv

#Next Run the cmdlet for the New Mailbox Move Request to move each mailbox
foreach ($user in $mailboxes) { New-MoveRequest -Identity $user.EMailAddress -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "Migration Batch 01 Moves to O365" }

#Get the status of the mailbox moves in the batch to completion
Get-MoveRequest | ? {$_.batchname -like "Migration Batch 01 Moves to O365"} | Get-MoveRequestStatistics | ft -a -wr

#Import the CSV into the variable state

$mailboxes = Import-CSV C:\Migration\MigrationBatch01.csv

#Next Run the cmdlet for the New Mailbox Move Request to move each mailbox

foreach ($user in $mailboxes) { New-MoveRequest -Identity $user.EMailAddress -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "Migration Batch 01 Moves to O365" }

#Get the status of the mailbox moves in the batch to completion

Get-MoveRequest | ? {$_.batchname -like "Migration Batch 01 Moves to O365"} | Get-MoveRequestStatistics | ft -a -wr

GOOD LUCK WITH YOUR MIGRATIONS!
HAPPY TROUBLESHOOTING!

References:
Moving Individual Mailboxes to O365
Move Mailboxes in Bulk to O365
PowerShell Mailbox Migration to O365
Connect to all PowerShell Modules in O365 with one script
New-MoveRequest Microsoft Document

Lance LingerfeltFebruary 19, 2019February 20, 2019

Exchange DAG Replication Problem: An established connection was aborted by the software in your host machine

I had an issue with a four node DAG where the DR site with two of the DAG members were having replication issues. It was only technically affecting one DAG Member though. The copy queue length was really high and the logs were not committing to the database. A Test-ReplicationHealth cmdlet test told that the copy queue length for the affected database copy was high. No other databases were affected as there were eight databases on this DAG Node. The issue was that the log files were not replicating properly to the one DAG member for that database, causing the log file drives on all the other DAG members to build and become full:

EX04 DAG member has high Copy Queue Length

The purple member (EX04) free space is different from the other three DAG members

Circular Logging was turned on, but since the db was NOT in sync, the logs could NOT truncate properly which rendered CL useless. What was being done to stave the issue was to suspend the database copy of the affected DAG member (EX04), then resume the copy. The logs would replay and commit to the database copy on the DAG member, but over a short period of time, the same issue would arise again, as shown in this graph:

You can see the other DAG members start dropping in free space

There were absolutely no errors in the Event Viewer showing this replication issue. After some research, I ran the following cmdlet showing a particular output parameter that gave me the actual problem:

Get-MailboxDatabaseCopyStatus DAG1DB01 | ft -a -wr Name, Status, IncomingLogCopyingNetwork

Output with the actual error listed for the DR DAG members.

The operative error here was: {An error occurred while communicating with server ‘EX01’. Error: Unable to read data from the transport connection: An established connection was aborted by the software in your host machine.}

Now even though only EX04 was actually having problems with its log replication, both DR members EX03 & EX04 were having the same problem. Again, there were NO events in event viewer showing this issue. I next did some connectivity tests to EX01 from EX04 even though the error said there was an established connection that was broken.

Ping EX01 -f -l 1472

Now the -f states do NOT fragment the packet and send it as a whole to the destination.
The -l states the packet/buffer size you want sent. In this case 1472 bits.
By doing this, you are able to assure that a router or switch is NOT segmenting the packets, packet segmentation of replication logs can cause data corruption and replication issues.

That test passed successfully. I also did a trace route to assure there was no packet loss on the route to the replicating server. That test passed successfully.

I next checked the DAG Network to assure that all networks were working for replication. Now, in this scenario, there was only ONE DAG Network, there was NOT a separate Replication Network. I did not design the DAG and limitations most likely came into play during the design. From my experience, you setup a separate replication network for replication only, but if your network has enough bandwidth, and the design calls for simplification, you can use one DAG network in your design.

Get-DatabaseAvailabilityGroupNetwork | fl

RunspaceId : a1600003-8074-4000-9150-c7800000207f
Name : MapiDagNetwork
Description :
Subnets : {{192.168.1.0/24,Up}, {192.168.2.0/24,Up}}
Interfaces : {{EX01,Up,192.168.1.25}, {EX02,Up,192.168.1.26},{EX03,Up,192.168.2.25}, {EX04,Up,192.168.2.26}}
MapiAccessEnabled : True
ReplicationEnabled : True
IgnoreNetwork : False
Identity : DAG1\MapiDagNetwork
IsValid : True
ObjectState : New

All the DAG Network Members were up and not showing errors. I next did a telnet session to EX01 over the default DAG replication port 64327 to see if there would be any connectivity issues to EX01:

telnet EX01 64327

That test was successful and there were no connectivity issues to EX01 from EX04. Again, there was only ONE database out of eight that was having replication problems. After mulling over the problem, it was decided to restart the MSExchangeRepl service on EX03 AND EX04 since the error was present on both DAG members. We would then, suspend the database copy and resume the database copy on the affected servers.

Run on EX03:
Restart-Service MSExchangeRepl
Suspend-MailboxDatabaseCopy DAG1DB01/EX03 -Confirm:$False
Resume-MailboxDatabaseCopy DAG1DB01/EX03 -Confirm:$False

Run on EX04:
Restart-Service MSExchangeRepl
Suspend-MailboxDatabaseCopy DAG1DB01/EX04 -Confirm:$False
Resume-MailboxDatabaseCopy DAG1DB01/EX04 -Confirm:$False

After monitoring the databases and log drives, the issue was resolved and replication started functioning properly.

Log Drive Available Space Returned to Normal for DAG members

PLEASE COMMENT! I WELCOME SUGGESTIONS, TIPS, ALTERNATIVE TROUBLESHOOTING! HAVE A GREAT DAY!

Lance LingerfeltFebruary 12, 2019February 12, 2019

Connect to all PowerShell Modules in O365 with one script

Let’s say you’re an admin that needs to connect to Office365 via PowerShell often. Now, there are many different websites or blogs that will show you how to connect to each session via PowerShell. That can cause a headache since you can end up having five different PowerShell sessions running in five different windows. You end up having to enter a username and password all those times, which can become time consuming.

I want to show you here how to combine all those sessions into one script where, if you’re security is tight enough on your computer, you don’t even have to enter credentials. This way, you can click on one icon and pull up all the O365 PowerShell commands that you’ll need to manage your organization.

First you need to download the following PowerShell Module Installation Files so that your PowerShell Database will have the correct modules installed:

Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell v2
SharePoint Online Management Shell
Skype for Business Online, Windows PowerShell Module

Next, we want to setup the CLI (Command Line Interface) to be too cool for school. I have learned it helps to have knowledge of how to customize the CLI window. You can do all of this in PowerShell ISE or Notepad, which ever you prefer. Here are the commands for the script that I use to setup the CLI:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

Next, you want to set your Execution Policy and put in your credentials so that you won’t be prompted to enter the user credentials when you run the script.

NOTE: MAKE SURE YOU KEEP YOUR SCRIPT SAFE AS THE CREDENTIALS ARE VISIBLE WITHIN THE SCRIPT IN PLAIN TEXT!

You can, alternatively, set your script to prompt for credentials every time by using the following:

$LiveCred = Get-Credential

Here is that part of the script:

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

Now we get into the importing of the modules for each O365 service:

Get the MSOnline Module:

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

Connect to the MSOnline Service:

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

Connect to Azure AD PowerShell:

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

Connect to SharePoint Online PowerShell:
NOTE – MAKE SURE YOU CHANGE TO YOUR COMPANY NAME IN THE URL!!

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

Connect to Exchange Online PowerShell:

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Connect to Skype For Business Online PowerShell:

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

Connect to the Security & Compliance PowerShell:
NOTE – This one I still get “Access Denied” when trying to connect. I have looked for an answer to that issue, but have not found one. Please comment with a link if you have an answer so that I can update this script!

#Connect the Security & Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection

Import-PSSession $SccSession -Prefix cc

Lastly, put in a note to show that the PS load is completed:

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

So Here is the final script in its entirety:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Security &amp; Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security &amp; Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Now you can create your icon for your desktop so that you can easily access the script. I would save the script to your Scripts directory.

That will usually be C:\Users\’username’\Documents\WindowsPowerShell\Scripts or wherever directory you choose.

To start, right click the desktop and choose New > Shortcut
In the Target Field, enter the following for your PowerShell Shortcut, pointing to the path of your script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy Unrestricted -File “C:\Users\username\Documents\WindowsPowerShell\Scripts\ConnectO365All.ps1”

Click on the Advanced button and check the box: Run As Administrator
Under the General Tab, name your shortcut: (CompanyName) O365 All PowerShell
Click OK to save the shortcut to your desktop.

LAST BUT NOT LEAST, RUN THE FOLLOWING COMMAND BEFORE EXITING OR CLOSING YOUR POWERSHELL WINDOW. THIS WILL REMOVE ALL THE SESSIONS YOU’VE CONNECTED TO:

Get-PSSession | Remove-PSSession

HAPPY SCRIPTING!
LEARN, DO, LIVE!

References:
Connect to all O365 Services in one PowerShell Window
How to connect to all O365 Services through PowerShell
Connecting to Office 365 “Everything” via PowerShell

Lance LingerfeltFebruary 6, 2019

Checking Drive Space Volumes for DAG DB members through PowerShell

I had received a weird alert for a DB volume for a DAG member being below threshold. This was odd to me due to the fact that there were four DAG members and we only received an alert for one. I went into Azure Log Analytics and ran the following query to render a graph for the past 14 days showing the percent free space of the volume for all the DAG members.

Thanks Georges Moua for the query script!

let PerfCutoff = ago(14d);
let inst = "C:\\ExchangeDB\\DAG1DB001\\DB";
search *
| where TimeGenerated > PerfCutoff
| where Name_s == "PercentFreeSpace"
| where InstanceName_s contains inst
| sort by TimeGenerated desc
| project Resource,Company_s,InstanceName_s,PercentFreeSpace=Value_d,TimeGenerated
| render timechart

let PerfCutoff = ago(14d);

let inst = "C:\\ExchangeDB\\DAG1DB001\\DB";

search *

| where TimeGenerated > PerfCutoff

| where Name_s == "PercentFreeSpace"

| where InstanceName_s contains inst

| sort by TimeGenerated desc

| project Resource,Company_s,InstanceName_s,PercentFreeSpace=Value_d,TimeGenerated

| render timechart

Now the reason I can run the query this way is due to the fact that the Design of the DAG was correctly done and the DB folders are identical on all DAG members. The query rendered the following chart:

As you can see the *Green* DAG member is way below the other DAG members.

I next went to an Exchange Server in the DAG and got the volume data for all the members in the DAG:

$Svrs = Get-MailboxDatabaseCopyStatus DAG1DB001 | Select-Object MailboxServer | Sort-Object MailboxServer 

foreach ($Svr in $Svrs) { $Svr.MailboxServer ; Get-WmiObject -ComputerName $Svr.MailboxServer Win32_Volume | ? {$_.Name -like "*DAG1DB001\DB*"} | select Name,FileSystem,FreeSpace,BlockSize,Capacity | % {$_.BlockSize=(($_.FreeSpace)/($_.Capacity))*100;$_.FreeSpace=($_.FreeSpace/1GB);$_.Capacity=($_.Capacity/1GB);$_} | Sort-Object Name | Format-Table Name,@{n='Free,GB';e={'{0:N2}'-f $_.FreeSpace}},@{n='Free,%';e={'{0:N2}'-f $_.BlockSize}},@{n='Capacity,GB';e={'{0:N3}' -f $_.Capacity}},@{n='FS';e={$_.FileSystem}} -AutoSize }

$Svrs = Get-MailboxDatabaseCopyStatus DAG1DB001 | Select-Object MailboxServer | Sort-Object MailboxServer

foreach ($Svr in $Svrs) { $Svr.MailboxServer ; Get-WmiObject -ComputerName $Svr.MailboxServer Win32_Volume | ? {$_.Name -like "*DAG1DB001\DB*"} | select Name,FileSystem,FreeSpace,BlockSize,Capacity | % {$_.BlockSize=(($_.FreeSpace)/($_.Capacity))*100;$_.FreeSpace=($_.FreeSpace/1GB);$_.Capacity=($_.Capacity/1GB);$_} | Sort-Object Name | Format-Table Name,@{n='Free,GB';e={'{0:N2}'-f $_.FreeSpace}},@{n='Free,%';e={'{0:N2}'-f $_.BlockSize}},@{n='Capacity,GB';e={'{0:N3}' -f $_.Capacity}},@{n='FS';e={$_.FileSystem}} -AutoSize }

EX02’s volume free space is far below the other DAG members

I went on EX02 and found that there was a subfolder named “Restore” that was not present on the other servers. I ran the following script to get the size of that folder in GB:

Write-Host ; $Folder = "{0:N2}" -f ( ( Get-ChildItem '\\EX02\DAG1DB001\DB\Restore' -Recurse -Force | Measure-Object -Property Length -Sum ).Sum / 1GB ) ; Write-Host "Folder Size Is: $Folder GB" -ForegroundColor Green

1	Write-Host ; $Folder = "{0:N2}" -f ( ( Get-ChildItem '\\EX02\DAG1DB001\DB\Restore' -Recurse -Force \| Measure-Object -Property Length -Sum ).Sum / 1GB ) ; Write-Host "Folder Size Is: $Folder GB" -ForegroundColor Green

The folder size was 185 GB. Removing that folder, along with all subfolders/files, would balance the free space to the other DAG members. I ran the following cmdlet to remove the folder and all subfolders/files:

Remove-Item '\\EX02\DAG1DB001\DB\Restore' -recurse -force

1	Remove-Item '\\EX02\DAG1DB001\DB\Restore' -recurse -force

This remediated the alert and balanced the drive space across all DAG members.

POST YOUR COMMENTS OR QUESTIONS!
HAPPY TROUBLESHOOTING!

Lance LingerfeltFebruary 5, 2019

Event 11022 with MSExchangeTransport – Easy Validation Test

In a hybrid environment, you’re always connecting between the cloud and on premises to establish transport through the connectors to transport mail. By default, this is done over a TLS (Transport Layer Security) connection. It’s similar to a VPN or SSL connection using certificates on the Transport Layer of the network stack to encrypt the data between the two Organizations in a Hybrid configuration.

Because you are using certificates, the certificate must be validated properly and checked to see if it has expired or been revoked by the issuing company. A revocation list is created and updated regularly for this purpose. If the connecting organization cannot validate the revocation of the certificate, it will not establish a TLS connection with the connecting organization. You will then get the following event:

Event 11022
MSExchangeTransport
Error:
Failed to confirm domain capabilities ‘mail.protection.outlook.com:AcceptOorgProtocol’ on connector ‘Inbound from Office 365’ because validation of the Transport Layer Security (TLS) certificate failed with status ‘RevocationOffline’. Contact the administrator of ‘mail.protection.outlook.com’ to resolve the problem, or remove the domain from the TlsDomainCapabilities list of the Receive connector.

Most likely, there is a network issue with the On Premises Organization being able to retrieve the Revocation File with the Certificate Information. Since it cannot retrieve that file, it stops the transport connection and throws the error.

A simple validation to validate the connector and assure transport from Office365 is to run the following cmdlet from the server on premises that performs the connection:

write-host;hostname;date;write-host;Test-SmtpConnectivity | ft -a -wr | Out-String -Stream

1	write-host;hostname;date;write-host;Test-SmtpConnectivity \| ft -a -wr \| Out-String -Stream

Again, I like to put the other cmdlets of
write-host, hostname, and date
in order to make it easy to document when working an incident.

From the highlighted text, we can see the test was successful.

The test runs a connection for each connector and tests the validity of each connector. If a success is returned, then we have knowledge that the certificate was validated and the connection was established through the connector from Office365.

If you get a failure though, you will need to run tests to see if you can pull the revocation list for the certificate as well as a simple test to connect to Office365:

Connect to Exchange Online via Powershell

IMPORTANT NOTE

I wanted to put some information on how to pull the CRL Distribution Point for the Office365 so that you could run an Invoke-WebRequest to pull the CRL file from the Distribution Point, but I have NOT found a single way through Powershell to pull that information. I have searched multiple posts and articles showing all these advanced methods of using certutil and PowerShell to get a bunch of other information, but NOTHING on how to pull the URL for the CRL file from the certificate. Doing a Get-ChildItem for the certificate using the Thumbprint does NOT pull that property from the certificate. Now, if you have a cmdlet that WILL do that, PLEASE POST!

So, in essence, to troubleshoot if you can get to the CRL file, you get the URL for the CRL Distribution Point from the GUI Properties of the certificate. Then you run the following cmdlet in PowerShell:

Let's say the CRL file is at the following URL: http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl 

Run the following:
Invoke-WebRequest http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl -UseDefaultCredentials | Select * -ExpandProperty Headers | ft -a -wr

If you get a valid response from the output, then you're good!

Let's say the CRL file is at the following URL: http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl

Run the following:

Invoke-WebRequest http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl -UseDefaultCredentials | Select * -ExpandProperty Headers | ft -a -wr

If you get a valid response from the output, then you're good!

POST COMMENTS!
HAPPY TROUBLESHOOTING!

Lance LingerfeltFebruary 1, 2019February 17, 2019

What the Hybrid Configuration Wizard Performs in the background and configuring Hybrid Co-Existence with Exchange Online

I’m working on getting certified in Exchange Hybrid Scenarios and Exchange Online configuration as part of my skill set for Exchange. In doing so, I had successfully implemented a complete Full Hybrid Exchange Environment between my Exchange Online Tenant and my On Premises Exchange 2019 Environment last evening.

I wanted to give an update that was posted to my LinkedIn Posting on this. Thank you Brian Day for the vote of confidence and caution that running these cmdlets manually is not supported by Microsoft and that the HCW, like all the Online Microsoft Products, is constantly changing and being updated.

As preparation, I bought some Exchange Online Plan 1 licenses which give me a 50 GB mailbox limit and basic mailbox functionality. It does not include the more advanced features such as ATP, or DLP. I am running most of those features through my On Premises Environment. I mainly wanted to be able to place mailboxes in the cloud and have a hybrid setup. My plan was to have mail flow continue through my On Premises environment so that my Exchange Server features would be used and I would not have to change any MX or SPF records. I also had my certificates in place for SSL and OWA so I would want keep mail flow routed that way, through on premises. I do want to be able to have Free/Busy lookups cross-premise so federation would have to be enabled as well. I would also have to enable the MRS proxy on my Exchange Server so that mailbox migration could be implemented cross-premise. I also have previously configured Azure AD Sync along with ADFS for Single Sign On. In my case, another server was not needed as I didn’t have enough mailboxes or real need to split my frontend and backend deployment. Running the Hybrid Configuration Wizard would not open any new ports or change any existing port traffic that was already configured on my firewall. These are just a few of the considerations that need to be looked at when considering a hybrid integration.

Here is a great article to read for the prerequisites
Exchange Hybrid Deployment Pre-requisites

So, once I had all those considerations handled in my design, I ran the Hybrid Configuration Wizard. What I want to do in this blog post is to go through the steps that the wizard does in the background to setup the Hybrid Environment as you go through the Wizard.

I mainly used the following blog post as a reference, but have approached it differently by diving into the cmdlets that are run during the process:

Exchange/Office 365 Hybrid Configuration Wizard – step by step guide

1. The HCW validates the On-premises and Online Exchange Connection.

The Hybrid Configuration Wizard checks if it is possible to connect to both servers with PowerShell. It runs the Get-ExchangeServer cmdlet on premises after resolving the server in DNS. It then connects to Exchange Online, authorizing the connection:

Authority=https://login.windows.net/common Resource=https://outlook.office365.com ClientId=abcdefgh-a123-4566-9abc-2bdflancelin

2. The HCW collects data about Exchange configuration from the on-premises Active Directory

The Wizard gathers information about the local domain. In order to do that, the HCW executes a series of cmdlets.

These include, in order:

Get-MailboxDatabase -IncludePreExchange2013: $true

Get-OrganizationConfig

Get-HybridConfiguration

Get-AcceptedDomain

Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo: $false

Get-FederationTrust

Get-WebServicesVirtualDirectory -ADPropertiesOnly: $true

Get-RemoteDomain

Get-MailboxDatabase -IncludePreExchange2013: $true

Get-OrganizationConfig

Get-HybridConfiguration

Get-AcceptedDomain

Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo: $false

Get-FederationTrust

Get-WebServicesVirtualDirectory -ADPropertiesOnly: $true

Get-RemoteDomain

3. The HCW collects information on the Exchange online (Office 365) configuration

This task repeats what has been done in the previous step, only for the Exchange online, instead of the on-premises one.

The cmdlets include, in order:

Get-OrganizationConfig

Get-OnPremisesOrganization

Get-AcceptedDomain

Get-MigrationEndpoint

Get-OrganizationConfig

Get-OnPremisesOrganization

Get-AcceptedDomain

Get-MigrationEndpoint

4. Federation Trust is determined. If not present, a new Federation Trust and the required certificate will be created on the local Exchange Server

You will be prompted in the Wizard to create a Federation Trust if not present. The following articles explain Federation and its requirements:

Understanding Federation – Link Here
Understanding Federated Delegation – Link Here
Create a Federation Trust – Link Here

If the activity is finished successfully, a new certificate should appear on the on-premises Exchange Certificates list. The new certificate includes “Federation” in its Subject field. To make sure the certificate is there, you can run a cmdlet: Get-ExchangeCertificate | ft -a -wr

5. The HCW creates a new Hybrid Configuration Object in the local Active Directory

The HCW will run cmdlets based on the information you provide in the HCW for the certificate, the on premises Exchange Server, the domain(s), and what features you want turned on:

New-HybridConfiguration -Name 'Hybrid Configuration'

Set-HybridConfiguration -ClientAccessServers $null -ExternalIPAddresses $null -Domains 'ldlnet.net' -OnPremisesSmartHost 'mail.ldlnet.net' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated' -SendingTransportServers EX01 -ReceivingTransportServers EX01 -EdgeTransportServers $null -Features FreeBusy,MoveMailbox,Mailtips,MessageTracking,OwaRedirection,OnlineArchive,SecureMail,CentralizedTransport,Photos

New-HybridConfiguration -Name 'Hybrid Configuration'

Set-HybridConfiguration -ClientAccessServers $null -ExternalIPAddresses $null -Domains 'ldlnet.net' -OnPremisesSmartHost 'mail.ldlnet.net' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated' -SendingTransportServers EX01 -ReceivingTransportServers EX01 -EdgeTransportServers $null -Features FreeBusy,MoveMailbox,Mailtips,MessageTracking,OwaRedirection,OnlineArchive,SecureMail,CentralizedTransport,Photos

It then checks the settings through the following cmdlets:

Get-OrganizationConfig

Get-AcceptedDomain

Get-RemoteDomain

Get-OrganizationConfig

Get-AcceptedDomain

Get-RemoteDomain

It then enables Organization Customization for both environments through this cmdlet:

Enable-OrganizationCustomization

1	Enable-OrganizationCustomization

6. Configuration is then completed to modify the settings on the on premises Exchange environment

EmailAddressPolicy – HCW adds address @tenant.mail.onmicrosoft.com
The HCW configures remote domains – adds tenant.mail.onmicrosoft.com and tenant.onmicrosoft.com
The HCW adds a new accepted domain – adds tenant.mail.onmicrosoft.com

Some of the cmdlets run:

Set-EmailAddressPolicy -Identity 'ldlnet.net' -ForceUpgrade: $true -EnabledEmailAddressTemplates 'smtp:%1g%s@ldlnet.net','SMTP:%g.%s@ldlnet.net','smtp:%m@LDLNET.mail.onmicrosoft.com'

Update-EmailAddressPolicy -Identity 'ldlnet.net' -UpdateSecondaryAddressesOnly: $true

New-RemoteDomain -Name 'Hybrid Domain - LDLNET.mail.onmicrosoft.com' -DomainName 'LDLNET.mail.onmicrosoft.com'

Set-RemoteDomain -TargetDeliveryDomain: $true -Identity 'Hybrid Domain - LDLNET.mail.onmicrosoft.com'

New-RemoteDomain -Name 'Hybrid Domain - LDLNET.onmicrosoft.com' -DomainName 
'LDLNET.onmicrosoft.com'

Set-RemoteDomain -TrustedMailInboundEnabled: $true -Identity 'Hybrid Domain - LDLNET.onmicrosoft.com'

New-AcceptedDomain -DomainName 'LDLNET.mail.onmicrosoft.com' -Name 'LDLNET.mail.onmicrosoft.com'

Set-EmailAddressPolicy -Identity 'ldlnet.net' -ForceUpgrade: $true -EnabledEmailAddressTemplates 'smtp:%1g%s@ldlnet.net','SMTP:%g.%s@ldlnet.net','smtp:%m@LDLNET.mail.onmicrosoft.com'

Update-EmailAddressPolicy -Identity 'ldlnet.net' -UpdateSecondaryAddressesOnly: $true

New-RemoteDomain -Name 'Hybrid Domain - LDLNET.mail.onmicrosoft.com' -DomainName 'LDLNET.mail.onmicrosoft.com'

Set-RemoteDomain -TargetDeliveryDomain: $true -Identity 'Hybrid Domain - LDLNET.mail.onmicrosoft.com'

New-RemoteDomain -Name 'Hybrid Domain - LDLNET.onmicrosoft.com' -DomainName

'LDLNET.onmicrosoft.com'

Set-RemoteDomain -TrustedMailInboundEnabled: $true -Identity 'Hybrid Domain - LDLNET.onmicrosoft.com'

New-AcceptedDomain -DomainName 'LDLNET.mail.onmicrosoft.com' -Name 'LDLNET.mail.onmicrosoft.com'

7. The HCW Configures the Organization Relationship between the local server and the cloud.

This configuration is not necessary in minimal hybrid deployment. Since I have a full hybrid deployment configured, the cmdlets were run as needed to configure it. Thanks to the correct configuration, it is possible to synchronize free/busy status of mailboxes and their elements between the on-premises Exchange Environment and Exchange online.

Some of the cmdlets run in the process:

Get-FederationTrust

Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo: $false

Get-FederationInformation -DomainName 'LDLNET.mail.onmicrosoft.com' -BypassAdditionalDomainValidation: $true

Get-OrganizationConfig

Get-OrganizationRelationship

Set-FederatedOrganizationIdentifier -DefaultDomain 'LDLNET.mail.onmicrosoft.com' -Enabled: $true

New-OrganizationRelationship -Name 'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -TargetApplicationUri 'outlook.com' -TargetAutodiscoverEpr 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames 'LDLNET.mail.onmicrosoft.com'

New-OrganizationRelationship -Name 'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -TargetApplicationUri 'FYDIBOHF25SPDLT.ldlnet.net' -TargetAutodiscoverEpr 'https://autodiscover.ldlnet.net/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames 'ldlnet.net'

Set-OrganizationRelationship -MailboxMoveEnabled: $true -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel LimitedDetails -ArchiveAccessEnabled: $true -MailTipsAccessEnabled: $true -MailTipsAccessLevel All -DeliveryReportEnabled: $true -PhotosEnabled: $true -TargetOwaURL 'http://outlook.com/owa/LDLNET.onmicrosoft.com' -Identity 'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'

Set-OrganizationRelationship -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel LimitedDetails -MailTipsAccessEnabled: $true -MailTipsAccessLevel All -DeliveryReportEnabled: $true -PhotosEnabled: $true -TargetOwaURL 'https://mail.ldlnet.net/owa' -Identity 'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'

Add-AvailabilityAddressSpace -ForestName 'LDLNET.mail.onmicrosoft.com' -AccessMethod InternalProxy -UseServiceAccount: $true -ProxyUrl 'https://mail.ldlnet.net/EWS/Exchange.asmx'

Get-FederationTrust

Get-FederatedOrganizationIdentifier -IncludeExtendedDomainInfo: $false

Get-FederationInformation -DomainName 'LDLNET.mail.onmicrosoft.com' -BypassAdditionalDomainValidation: $true

Get-OrganizationConfig

Get-OrganizationRelationship

Set-FederatedOrganizationIdentifier -DefaultDomain 'LDLNET.mail.onmicrosoft.com' -Enabled: $true

New-OrganizationRelationship -Name 'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -TargetApplicationUri 'outlook.com' -TargetAutodiscoverEpr 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames 'LDLNET.mail.onmicrosoft.com'

New-OrganizationRelationship -Name 'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -TargetApplicationUri 'FYDIBOHF25SPDLT.ldlnet.net' -TargetAutodiscoverEpr 'https://autodiscover.ldlnet.net/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames 'ldlnet.net'

Set-OrganizationRelationship -MailboxMoveEnabled: $true -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel LimitedDetails -ArchiveAccessEnabled: $true -MailTipsAccessEnabled: $true -MailTipsAccessLevel All -DeliveryReportEnabled: $true -PhotosEnabled: $true -TargetOwaURL 'http://outlook.com/owa/LDLNET.onmicrosoft.com' -Identity 'On-premises to O365 - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'

Set-OrganizationRelationship -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel LimitedDetails -MailTipsAccessEnabled: $true -MailTipsAccessLevel All -DeliveryReportEnabled: $true -PhotosEnabled: $true -TargetOwaURL 'https://mail.ldlnet.net/owa' -Identity 'O365 to On-premises - 48e7bec9-404c-4d24-b59e-4b46b64d7e03'

Add-AvailabilityAddressSpace -ForestName 'LDLNET.mail.onmicrosoft.com' -AccessMethod InternalProxy -UseServiceAccount: $true -ProxyUrl 'https://mail.ldlnet.net/EWS/Exchange.asmx'

8. The HCW and setting connectors on both Exchange servers

The HCW checks to see if the connectors are there, if not, it sets them up. During this workflow, four connectors are set – one receive and one send connector for each server. Those connectors guarantee the mail flow between the on-premises and Exchange Online.

Some of the cmdlets run in the process:

Set-HybridConfiguration -ClientAccessServers $null -ExternalIPAddresses $null

New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces 'smtp:LDLNET.mail.onmicrosoft.com;1' -DNSRoutingEnabled: $true -ErrorPolicies Default -Fqdn 'mail.ldlnet.net' -RequireTLS: $true -IgnoreSTARTTLS: $false -SourceTransportServers EX2019 -SmartHosts $null -TLSAuthLevel DomainValidation -DomainSecureEnabled: $false -TLSDomain 'mail.protection.outlook.com' -CloudServicesMailEnabled: $true -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated'

Set-ReceiveConnector -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer' -Bindings '[::]:25','0.0.0.0:25' -Fqdn 'EX2019.ldlnet.local' -PermissionGroups 'AnonymousUsers, ExchangeServers, ExchangeLegacyServers' -RemoteIPRanges '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff','0.0.0.0-255.255.255.255' -RequireTLS: $false -TLSDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated' -TransportRole FrontendTransport -Identity 'EX2019\Default Frontend EX2019'

New-InboundConnector -Name 'Inbound from 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -CloudServicesMailEnabled: $true -ConnectorSource HybridWizard -ConnectorType OnPremises -RequireTLS: $true -SenderDomains '' -SenderIPAddresses $null -RestrictDomainsToIPAddresses: $false -TLSSenderCertificateName '.ldlnet.net' -AssociatedAcceptedDomains $null

New-OutboundConnector -Name 'Outbound to 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -RecipientDomains '*' -SmartHosts 'mail.ldlnet.net' -ConnectorSource HybridWizard -ConnectorType OnPremises -TLSSettings DomainValidation -TLSDomain 'mail.ldlnet.net' -CloudServicesMailEnabled: $true -RouteAllMessagesViaOnPremises: $true -UseMxRecord: $false -IsTransportRuleScoped: $false

Set-HybridConfiguration -ClientAccessServers $null -ExternalIPAddresses $null

New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces 'smtp:LDLNET.mail.onmicrosoft.com;1' -DNSRoutingEnabled: $true -ErrorPolicies Default -Fqdn 'mail.ldlnet.net' -RequireTLS: $true -IgnoreSTARTTLS: $false -SourceTransportServers EX2019 -SmartHosts $null -TLSAuthLevel DomainValidation -DomainSecureEnabled: $false -TLSDomain 'mail.protection.outlook.com' -CloudServicesMailEnabled: $true -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated'

Set-ReceiveConnector -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer' -Bindings '[::]:25','0.0.0.0:25' -Fqdn 'EX2019.ldlnet.local' -PermissionGroups 'AnonymousUsers, ExchangeServers, ExchangeLegacyServers' -RemoteIPRanges '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff','0.0.0.0-255.255.255.255' -RequireTLS: $false -TLSDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=mail.ldlnet.net, OU=Domain Control Validated' -TransportRole FrontendTransport -Identity 'EX2019\Default Frontend EX2019'

New-InboundConnector -Name 'Inbound from 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -CloudServicesMailEnabled: $true -ConnectorSource HybridWizard -ConnectorType OnPremises -RequireTLS: $true -SenderDomains '' -SenderIPAddresses $null -RestrictDomainsToIPAddresses: $false -TLSSenderCertificateName '.ldlnet.net' -AssociatedAcceptedDomains $null

New-OutboundConnector -Name 'Outbound to 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -RecipientDomains '*' -SmartHosts 'mail.ldlnet.net' -ConnectorSource HybridWizard -ConnectorType OnPremises -TLSSettings DomainValidation -TLSDomain 'mail.ldlnet.net' -CloudServicesMailEnabled: $true -RouteAllMessagesViaOnPremises: $true -UseMxRecord: $false -IsTransportRuleScoped: $false

The Intra-Organization is set as well:

Get-IntraOrganizationConfiguration -OrganizationGuid '48e7bec9-404c-4d24-b59e-4b46b64d7e03'

New-IntraOrganizationConnector -Name 'HybridIOC - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -DiscoveryEndpoint 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc' -TargetAddressDomains 'LDLNET.mail.onmicrosoft.com' -Enabled: $true

New-IntraOrganizationConnector -Name 'HybridIOC - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -DiscoveryEndpoint 'https://mail.ldlnet.net/autodiscover/autodiscover.svc' -TargetAddressDomains 'ldlnet.net' -Enabled: $true

Get-IntraOrganizationConfiguration -OrganizationGuid '48e7bec9-404c-4d24-b59e-4b46b64d7e03'

New-IntraOrganizationConnector -Name 'HybridIOC - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -DiscoveryEndpoint 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc' -TargetAddressDomains 'LDLNET.mail.onmicrosoft.com' -Enabled: $true

New-IntraOrganizationConnector -Name 'HybridIOC - 48e7bec9-404c-4d24-b59e-4b46b64d7e03' -DiscoveryEndpoint 'https://mail.ldlnet.net/autodiscover/autodiscover.svc' -TargetAddressDomains 'ldlnet.net' -Enabled: $true

9. The HCW configures OAuth Authentication across the Hybrid

This LINK explains how OAuth is configured between Exchange On Premises and Exchange Online. It’s a very good article to read as it shows how to get the Modern Authentication style working. Now the HCW does this for you and at the end of the article, you can run cmdlets to test the validity of the configuration.

If you want to go into a deep dive about how the Hybrid Authentication works, see the following:
Deep Dive Into Hybrid Authentication – from the MS Exchange Team Blog

Here are some of cmdlets run during this process workflow:

Get-AuthConfig

Get-ExchangeCertificate -Thumbprint F6C56C57EA7C86C3963FXXXXXXXXXXXXXXXXXXX

Get-ActiveSyncVirtualDirectory -ADPropertiesOnly: $true

Get-PartnerApplication -Identity 'Exchange Online'

Set-PartnerApplication -Identity 'Exchange Online' -Enabled: $true

New-AuthServer -Name ACS -AuthMetadataUrl 'https://accounts.accesscontrol.windows.net/663cad0b-70f7-42a5-b411-9d63337f0130/metadata/json/1'

Get-AuthServer

New-AuthServer -Name EvoSts -AuthMetadataUrl 'https://login.windows.net/LDLNET.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml' -Type AzureAD

Get-AuthConfig

Get-ExchangeCertificate -Thumbprint F6C56C57EA7C86C3963FXXXXXXXXXXXXXXXXXXX

Get-ActiveSyncVirtualDirectory -ADPropertiesOnly: $true

Get-PartnerApplication -Identity 'Exchange Online'

Set-PartnerApplication -Identity 'Exchange Online' -Enabled: $true

New-AuthServer -Name ACS -AuthMetadataUrl 'https://accounts.accesscontrol.windows.net/663cad0b-70f7-42a5-b411-9d63337f0130/metadata/json/1'

Get-AuthServer

New-AuthServer -Name EvoSts -AuthMetadataUrl 'https://login.windows.net/LDLNET.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml' -Type AzureAD

Again, look at both of those links to get a little more detail as to what each cmdlet does and how it sets up OAuth. Here are the two cmdlets used to test OAuth:

Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox onprem@ldlnet.net -Verbose | fl

1	Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox onprem@ldlnet.net -Verbose \| fl

Test-OAuthConnectivity -Service EWS -TargetUri https://mail.ldlnet.net/metadata/json/1 -Mailbox ExOnlineMbx@ldlnet.net -Verbose | fl

1	Test-OAuthConnectivity -Service EWS -TargetUri https://mail.ldlnet.net/metadata/json/1 -Mailbox ExOnlineMbx@ldlnet.net -Verbose \| fl

10. Enable MRS Proxy for Migration

In order to be able to move mailboxes between Exchange On Premises and Exchange Online, you have to enable the Exchange Web Services Virtual Directory to use the MRSProxy (Microsoft Replication Service proxy). You also have to set your EWS Virtual Directory to use Basic Authentication. You’ll want to do this before running the HCW or else you will receive the following error when the HCW validates the Migration setup and configuration:

Microsoft.Exchange.Migration.MigrationServerConnectionFailedException: The connection to the server ‘mail.ldlnet.net’ could not be completed. —> Microsoft.Exchange.MailboxReplicationService.RemoteTransientException: The call to ‘https://mail.ldlnet.net/EWS/mrsproxy.svc’ failed. Error details: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. –> The remote server returned an error: (403) Forbidden.. —> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The HTTP request was forbidden with client authentication scheme ‘Negotiate’. —> Microsoft.Exchange.MailboxReplicationService.RemotePermanentException: The remote server returned an error: (403) Forbidden.

Some of the cmdlets run to test Migration and MRS Proxy Settings are as follows:

Test-MigrationServerAvailability -ExchangeRemoteMove: $true -RemoteServer 'mail.ldlnet.net' -Credentials (Get-Credential -UserName DOMAIN\MigrationAdminAccount)

 Get-MigrationEndpoint 

New-MigrationEndpoint -Name 'Hybrid Migration Endpoint - EWS (Default Web Site)' -ExchangeRemoteMove: $true -RemoteServer 'mail.ldlnet.net' -Credentials (Get-Credential -UserName  
DOMAIN\MigrationAdminAccount)

Get-WebServicesVirtualDirectory -ADPropertiesOnly: $true

Test-MigrationServerAvailability -ExchangeRemoteMove: $true -RemoteServer 'mail.ldlnet.net' -Credentials (Get-Credential -UserName DOMAIN\MigrationAdminAccount)

Get-MigrationEndpoint

New-MigrationEndpoint -Name 'Hybrid Migration Endpoint - EWS (Default Web Site)' -ExchangeRemoteMove: $true -RemoteServer 'mail.ldlnet.net' -Credentials (Get-Credential -UserName

DOMAIN\MigrationAdminAccount)

Get-WebServicesVirtualDirectory -ADPropertiesOnly: $true

11. Final HCW Configuration and cleanup.

The HCW runs from final cmdlets to finish up the installation of the Hybrid environment. Here are the cmdlets run:

Get-OnPremisesOrganization

Set-OnPremisesOrganization -Identity '48e7bec9-404c-4d24-b59e-4b46b64d7e03' -Comment 'Bunch of letters and numbers'

Get-OnPremisesOrganization

Set-OnPremisesOrganization -Identity '48e7bec9-404c-4d24-b59e-4b46b64d7e03' -Comment 'Bunch of letters and numbers'

All this information was found in the setup logs that are in the following directory
C:\Users\%username%\AppData\Roaming\Microsoft\Exchange Hybrid Configuration

REFERENCES
Understanding Federation
Understanding Federated Delegation
Create a Federation Trust
Hybrid deployment prerequisites
Exchange Specific OAuth 2.0 Protocol Specification
Understanding WS-Security
JSON Web Tokens
Using OAuth2 to access Calendar, Contact and Mail API in Office 365 Exchange Online
Configurable token lifetimes in Azure Active Directory (Public Preview)
OAuth Troubleshooting
Principles of Token Validation
Troubleshooting free/busy issues in Exchange hybrid environment
How to configure Exchange Server on-premises to use Hybrid Modern Authentication
Microsoft 365 Messaging Administrator Certification Transition (beta)
Microsoft 365 certification exams
Exchange Server build numbers and release dates

PLEASE LEAVE QUESTIONS, COMMENTS, UPDATES! I WOULD LOVE TO HEAR FROM YOU!

Lance LingerfeltJanuary 25, 2019April 19, 2019

Update Edge Server Certificate in a Hybrid Exchange Environment

LDLNET LLC Banner — LDLNET LLC – Life In Action! Your Source for Professional IT Services!

At work, our group was updating the Exchange Edge Server certificates and having mail flow problems causing messages to be in the Poison Queue and not transfer to Office365 properly. We finally got the procedure down to where it started working. I wanted to post that procedure here since I had never really worked with Edge Servers in the past. If this post can help you in the future, then “I done good!”

Now, everywhere I had read said that you have to remove and then re-create the Edge Subscription between your Transport Servers and the Edge Servers when changing the certificate.

Here is why:
When we subscribe the edge server, an AD LDS account called the EdgeSync Bootstrap Replication Account (ESBRA) is created. This is created using the default certificate private key of the certificate assigned to SMTP service as default, hence as long as we have that certificate the transport servers will be able to authenticate to the Edge server and replicate the required information to ADAM database.

Now when we install a third party certificate we assign SMTP service to it and overwrite the current certificate, basically we change the default SMTP certificate. So, by doing this, the current Edge Subscription will fail as the Edge server will not be able to decrypt the ESRA account passed on when communicating with the transport servers using the new certificate private key.

So, once you have your new 3rd party certificate, you install it to your edge servers:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Certs\EDGE-NEW.cer -Encoding byte -ReadCount 0))

1	Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Certs\EDGE-NEW.cer -Encoding byte -ReadCount 0))

Then, you enable the Exchange Certificate to be used for SMTP:

Enable-ExchangeCertificate -Thumbprint "The Certificate Thumbprint" -Services SMTP

1	Enable-ExchangeCertificate -Thumbprint "The Certificate Thumbprint" -Services SMTP

Mail flow will be broken at this point. Since messages were going to the poison queue due to the ESBRA account encryption failing when authenticating with the internal Transport Servers, I had to completely stop transport by disabling the Send Connectors between the internal Transport Servers and the Edge servers from the Transport Server.

Get-SendConnector -identity "Edge To Internet" | Set-SendConnector -Enabled:$False
Get-SendConnector -identity "Inbound - Edge To Internal Site" | Set-SendConnector -Enabled:$False

1 2	Get-SendConnector -identity "Edge To Internet" \| Set-SendConnector -Enabled:$False Get-SendConnector -identity "Inbound - Edge To Internal Site" \| Set-SendConnector -Enabled:$False

The configuration of the Edge Servers were that there were two servers in the Edge Farm. Since one of the servers had not had a proper sync in a while, I decided to remove the recipient database that had been replicated to the failing server when removing the Edge Subscription. The other server, I left the recipient database in place so that we could get one server up and running quickly since transport was stopped at this point.

Here is the command that was run to remove the Edge Subscriptions. This needed to be completed on both the Edge Servers and the corresponding Transport Server:

Get-EdgeSubscription | Remove-EdgeSubscription

1	Get-EdgeSubscription \| Remove-EdgeSubscription

I then had to create a new Edge Subscription file on each Edge Server to copy to the Transport Server. I already had connectors set so I did not need to recreate those connectors.

New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge01Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"

1	New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge01Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"

New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge02Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"

1	New-EdgeSubscription -FileName "c:\EdgeSubscriptionFiles\Edge02Subscription.xml" -CreateInboundSendConnector $false -CreateInternetSendConnector $false -Site "YourADSite"

I copied the xml files of each Edge Server to the Transport Server and ran the following cmdlet to create the Edge Subscription to the Edge Servers. I then had the Edge Servers Rebooted for good measure before redoing a Full Manual Edge Sync.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\XMLImport\Edge01Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false

1	New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\XMLImport\Edge01Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\XMLImport\Edge02Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false

1	New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\XMLImport\Edge02Subscription.xml" -Encoding Byte -ReadCount 0)) -Site "YourADSite" -CreateInboundSendConnector $false -CreateInternetSendConnector $false

I next had to preform a full manual EdgeSync from the transport server to the Edge Servers to assure that the recipient database on the AD LDS instance was up to date and that the send connectors were replicated properly.

Start-EdgeSynchronization -TargetServer Edge01 -ForceFullSync | fl

1	Start-EdgeSynchronization -TargetServer Edge01 -ForceFullSync \| fl

Start-EdgeSynchronization -TargetServer Edge02 -ForceFullSync | fl

1	Start-EdgeSynchronization -TargetServer Edge02 -ForceFullSync \| fl

I next had to re-run the Hybrid Configuration Wizard so that I could configure the Edge Servers as the transport for Hybrid cloud-bound Messages. Once the Edge Servers were chosen to transport Hybrid cloud-bound messages, I selected the new Edge Certificate so that transport would work properly when re-enabled and O365 would recognize the new certificate for Hybrid messages bound for the cloud.

I next re-enabled the Edge Send Connectors so that mail flow would begin working once the Full Edge Synchronization was completed. You have to let that complete before you can begin mail flow again so that messages won’t be delivered to the Poison Queue.

Get-SendConnector -identity "Edge To Internet" | Set-SendConnector -Enabled:$True
Get-SendConnector -identity "Inbound - Edge To Internal Site" | Set-SendConnector -Enabled:$True

1 2	Get-SendConnector -identity "Edge To Internet" \| Set-SendConnector -Enabled:$True Get-SendConnector -identity "Inbound - Edge To Internal Site" \| Set-SendConnector -Enabled:$True

Mail flow began working. It took about 90 minutes for all the queues to clear properly that had queued messages waiting to transport. Any Poison Queued messages were removed with NDRs sent to the senders.

It was a doozy to say the least. Happy Troubleshooting!
Leave Comments or Questions you may have!

References:
Exchange 2010 Edge Transport Server: Configuring EdgeSync
Mail flow breaks after renewing SSL Certificate on Edge server with Edge Subscription
Start-EdgeSynchronization

Lance LingerfeltJanuary 15, 2019

Exchange Back Pressure and Transport Issues

Sometimes you’ll get a situation where your email will stop flowing on one of your Exchange servers. Most of the time, we’re worried about our database and log file drives becoming full, but we don’t necessarily look at the configuration of our Transport servers to see if the resources in those directories become full or taxed to the point where it causes, “Back Pressure”. Exchange has events setup to monitor when that threshold is crossed and transport functionality is hindered:

Event ID 15004: Increase in the utilization level for any resource (eg from Normal to Medium)
Event ID 15005: Decrease in the utilization level for any resource (eg from High to Medium)
Event ID 15006: High utilization for disk space (ie critically low free disk space)
Event ID 15007: High utilization for memory (ie critically low available memory)

If you think that your server is experiencing a back pressure event, you can look quickly through event viewer for these events with the following script:

Get-Winevent -ComputerName NYCULEXB05 -FilterHashTable @{LogName="Application";StartTime=[datetime]::today;id='15004','15005','15006','15007'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n"  + $_.ProviderName + "`n" + $_.message + "`n"}

1	Get-Winevent -ComputerName NYCULEXB05 -FilterHashTable @{LogName="Application";StartTime=[datetime]::today;id='15004','15005','15006','15007'} -ErrorAction Stop \| foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n" + $_.message + "`n"}

In most cases, you get the 15006 event:

Event 15006, MSExchangeTransport
Microsoft Exchange Transport is rejecting message submissions because the available disk space has dropped below the configured threshold. The following resources are under pressure:
Used disk space (“C:\Microsoft\Exchange Server\V15\TransportRoles\data\Queue”)
Used disk space (“C:\Microsoft\Exchange Server\V15\TransportRoles\data”)

Overall Resources
The following components are disabled due to back pressure:
Mail resubmission from the Message Resubmission component.
Mail submission from Pickup directory
Mail submission from Replay directory
Mail resubmission from the Shadow Redundancy Component
Inbound mail submission from the Internet

Exchange uses the following formula to calculate the threshold at which these events fire:

100 * (hard disk size – fixed constant) / hard drive size

So, in order to get transport running again, get your C: Drive cleared so that back pressure is lifted off of the server and transport can run again. You should then get a 15005 Event:

Log Name: Application
Source: MSExchangeTransport
Date: 10/19/2017 2:21:52 PM
Event ID: 15005
Task Category: ResourceManager
Level: Information
Keywords: Classic
User: N/A
Computer: EX01.ldlnet.org
Description:
The resource pressure decreased from Medium to Low.No components disabled due to back pressure.
The following resources are in normal state:
Private bytes
System memory
Version buckets[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que]
Jet Sessions[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que]
Checkpoint Depth[C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que]
Queue database and disk space (“C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que”)
Used disk space (“C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue”)
Used disk space (“C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data”)
Overall Resources

Now that you’ve completed this, how to do setup your Exchange Environment to keep this from happening again? Well, I would pick a drive volume that you’d never have to worry about filling up, or give the transport its own drive volume. This can be accomplished with a .ps1 script that is installed in the default Scripts directory on your Exchange Server installation:

‘C:\Program Files\Microsoft\Exchange Server\Vxx\scripts’

The name of that file is Move-TransportDatabase.ps1 and it
changes the location of the transport directories, moves the Queue Database and restarts the Transport service automatically. Here is an example of how the script is executed when running Exchange PowerShell with elevated privileges and wanting to move all the services to the E: Drive:

Set-Location $exscripts
.\Move-TransportDatabase.ps1 -queueDatabasePath ‘E:\TransportRoles\data\Queue’ -queueDatabaseLoggingPath ‘E:\TransportRoles\data\Queue’ -iPFilterDatabasePath ‘E:\TransportRoles\data\IpFilter’ -iPFilterDatabaseLoggingPath ‘E:\TransportRoles\data\IpFilter’ -temporaryStoragePath ‘E:\TransportRoles\data\Temp’

Set-Location $exscripts

.\Move-TransportDatabase.ps1 -queueDatabasePath ‘E:\TransportRoles\data\Queue’ -queueDatabaseLoggingPath ‘E:\TransportRoles\data\Queue’ -iPFilterDatabasePath ‘E:\TransportRoles\data\IpFilter’ -iPFilterDatabaseLoggingPath ‘E:\TransportRoles\data\IpFilter’ -temporaryStoragePath ‘E:\TransportRoles\data\Temp’

So, that’s how you get your transport directories configured to relieve “back pressure”. In my experience, somebody was doing a PST export of a mailbox to the local C: Drive instead of a specific drive volume that wouldn’t affect the OS, Exchange, and Transport. That’s for another time though! Happy Troubleshooting!

Reference: Exchange 2016 – Back Pressure
Reference: A Guide To Back Pressure.
Reference: Change Exchange Server 2013/2016 Mail Queue Database Location

NOTES:

USAGE:

HAPPY SCRIPTING!POSITIVE ENERGY!PLEASE COMMENT!

POSITIVE ENERGY!KILL NARCISSISM!HAPPY TROUBLESHOOTING!

Support for ReFS with Exchange Server

Creating an ReFS Formatted Volume

Additional Considerations

Connect to Exchange Online with the RPS Proxy Method to remove the 10K size limitation

Prepare a folder locally and place all the photos in that folder

Update the profile pictures via PowerShell

HAPPY SCRIPTING!PLEASE COMMENT!

HAPPY PURGING!PLEASE COMMENT!IGNORANCE IS NOT BLISS!

Customize the color of the Outlook on the web sign-in page

Change the disclaimer text for your OWA logon page

HAPPY CONFIGURING!PLEASE COMMENT!THANKS FOR YOUR SUPPORT!

Install Windows Server 2019

PLEASE CHECK BACK FOR UPDATES!PLEASE COMMENT!

HOPE THIS HELPS!LET ME HAVE KNOWLEDGE SHOULD THE LINK CHANGE!

PLEASE COMMENT!HAPPY TROUBLESHOOTING!

HAPPY TROUBLESHOOTING!PLEASE COMMENT!

GOOD LUCK WITH YOUR MIGRATIONS!HAPPY TROUBLESHOOTING!

PLEASE COMMENT! I WELCOME SUGGESTIONS, TIPS, ALTERNATIVE TROUBLESHOOTING! HAVE A GREAT DAY!

HAPPY SCRIPTING!LEARN, DO, LIVE!

IMPORTANT NOTE

POST COMMENTS! HAPPY TROUBLESHOOTING!

Cookies Notice for itblog.ldlnet.net

HAPPY SCRIPTING!
POSITIVE ENERGY!
PLEASE COMMENT!

POSITIVE ENERGY!
KILL NARCISSISM!
HAPPY TROUBLESHOOTING!

HAPPY SCRIPTING!
PLEASE COMMENT!

HAPPY PURGING!
PLEASE COMMENT!
IGNORANCE IS NOT BLISS!

HAPPY CONFIGURING!
PLEASE COMMENT!
THANKS FOR YOUR SUPPORT!

PLEASE CHECK BACK FOR UPDATES!
PLEASE COMMENT!

HOPE THIS HELPS!
LET ME HAVE KNOWLEDGE SHOULD THE LINK CHANGE!

PLEASE COMMENT!
HAPPY TROUBLESHOOTING!

HAPPY TROUBLESHOOTING!
PLEASE COMMENT!

GOOD LUCK WITH YOUR MIGRATIONS!
HAPPY TROUBLESHOOTING!

HAPPY SCRIPTING!
LEARN, DO, LIVE!

POST COMMENTS!
HAPPY TROUBLESHOOTING!